I'm trying to create a custom SonarQube rule in VisualStudio 2015, using the Roslyn SDK Generator.
The generator works fine and I'm able to publish the .jar file to the SonarQube server and use my custom rule in daily builds. Now I would like to categorize the rule as "Vulnerability", but it always appears as "Code Smell".
I tried a couple of approaches:
Changed the "Category" of the DiagnosticDescriptor class to "Security"
private const string Category = "Security";
private static DiagnosticDescriptor Rule = new DiagnosticDescriptor(DiagnosticId, Title, MessageFormat, Category, DiagnosticSeverity.Warning, isEnabledByDefault: true, description: Description);
public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics { get { return ImmutableArray.Create(Rule); } }
Changed the XML template provided by the generator and regenerated the plugin using the new XML (I tried "SECURITY" and "SECURITY_COMPLIANCE" in place of the generated "MAINTENABILITY_COMPLIANCE")
<sqale xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <chc>
    <key>SECURITY</key>
    <chc>
      <rule-key>MyRule</rule-key>
      <prop>
        <key>remediationFunction</key>
        <txt>CONSTANT_ISSUE</txt>
      </prop>
      <prop>
        <key>offset</key>
        <txt />
        <val>15min</val>
      </prop>
    </chc>
  </chc>
</sqale>
Nothing worked so far.
I'm using the following configuration:
Unfortunately it seems that the ability to explicitly set the category is not yet implemented - see https://jira.sonarsource.com/browse/SFSRAP-48

As a workaround you can add the tag security to a rule and the rule will be categorized as Vulnerability thanks to the automatic conversion of tags into categories in SonarQube. However, it seems that SonarQube.Plugins.Roslyn.RuleGenerator is not considering the CustomTags property when building the SonarQube rule, but adding newRule.Tags = diagnostic.CustomTags?.ToArray(); to the method SonarQube.Plugins.Roslyn.RuleGenerator.GetAnalyzerRules and rebuilding sonarqube-roslyn-sdk will do the job.
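The workaround in this answer has two halves: the analyzer must carry the tag, and the SDK must copy it into the generated rule. The analyzer half is shown below as an added example (it is not code from the question, the answer, or the sonarqube-roslyn-sdk project). It rewrites the DiagnosticDescriptor from the question so that the "security" tag is passed through Roslyn's customTags parameter, which is the property the patched GetAnalyzerRules reads. The rule id "MyRule" matches the rule-key in the question's XML; the analyzer logic (flagging calls to a method named InsecureCall), the title, message and description are hypothetical placeholders.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class MyRuleAnalyzer : DiagnosticAnalyzer
{
    // Rule id: matches the <rule-key>MyRule</rule-key> from the generated XML.
    public const string DiagnosticId = "MyRule";

    // The Roslyn category is informational for SonarQube; the tag below is what
    // drives the Vulnerability classification once the SDK copies CustomTags.
    private const string Category = "Security";

    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        DiagnosticId,
        title: "Hypothetical insecure call",                       // placeholder text
        messageFormat: "Call to '{0}' is reported by rule MyRule",  // placeholder text
        category: Category,
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true,
        description: "Example rule that reports calls to a method named InsecureCall (hypothetical).",
        helpLinkUri: null,
        // SonarQube maps the "security" tag to the Vulnerability type.
        customTags: new[] { "security" });

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.RegisterSyntaxNodeAction(AnalyzeInvocation, SyntaxKind.InvocationExpression);
    }

    private static void AnalyzeInvocation(SyntaxNodeAnalysisContext context)
    {
        var invocation = (InvocationExpressionSyntax)context.Node;

        // Hypothetical trigger: the invoked method is named "InsecureCall",
        // whether called as obj.InsecureCall(...) or as a bare InsecureCall(...).
        string name = (invocation.Expression as MemberAccessExpressionSyntax)?.Name.Identifier.Text
                      ?? (invocation.Expression as IdentifierNameSyntax)?.Identifier.Text;

        if (name == "InsecureCall")
        {
            context.ReportDiagnostic(Diagnostic.Create(Rule, invocation.GetLocation(), name));
        }
    }
}
```

On its own this changes nothing in SonarQube: as the answer states, the stock RuleGenerator ignores CustomTags, so the jar must be regenerated with the SDK build that assigns newRule.Tags = diagnostic.CustomTags?.ToArray() in GetAnalyzerRules. After importing the rebuilt jar, the quick check is to open the rule in the SonarQube Rules page and confirm it shows the security tag and the Vulnerability type instead of Code Smell.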