Commit ae1740f

#585: Added instructions how to ignore sonar issues to the User Guide (#685)
1 parent a6a859e commit ae1740f

6 files changed

+62
-0
lines changed

doc/changes/unreleased.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,7 @@
11
# Unreleased
22

33
## Summary
4+
5+
## Documentation
6+
7+
* #585: Added instructions how to ignore sonar issues to the User Guide
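Review bot: the new changelog entry reads "Added instructions how to ignore sonar issues"; "instructions on how to ignore Sonar issues" is the grammatical form, and Sonar is a product name, so capitalise it as the rest of the guide does. The `## Summary` heading above the new section is still empty after this change, so either give it a one-line summary or leave the heading out until there is something to put under it.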

doc/user_guide/features/metrics/collecting_metrics.rst

Lines changed: 1 addition & 0 deletions
@@ -10,6 +10,7 @@ regarding Coverage, Security, and Static Code Analysis.
1010

1111
project_report
1212
sonar
13+
ignore_findings
1314

1415
.. _generated_metrics:
1516

Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
.. _ignore_findings:
2+
3+
Ignoring Sonar Findings
4+
=======================
5+
6+
In rare cases, Sonar might report a finding, you cannot fix or on which you
7+
can agree with your reviewers to accept or ignore it. Please only choose this
8+
approach as a last resort.
9+
10+
As Sonar reports only findings generated by other tools there are often
11+
multiple IDs you can use for referring to a particular issue. E.g. security
12+
findings can be reported by ``bandit`` and hence for such a finding there is a
13+
bandit ID as well as a Sonar ID.
14+
15+
Example
16+
-------
17+
18+
For ``subprocess.run(args)``, Sonar could for example report *subprocess
19+
call - check for execution of untrusted input*. In the Sonar UI, when clicking
20+
on "Why is this an issue?", you will find references like
21+
22+
* *B603: Test for use of subprocess with shell equals true
23+
external_bandit:B603*
24+
* *See description of Bandit rule B603 at the*
25+
`Bandit <https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html>`__
26+
*website*.
27+
28+
In this case, the bandit error code is ``B603``, which you can ignore via a
29+
comment in the source code or, alternatively, accept in the Sonar UI.
30+
31+
32+
Ignoring a Finding Via a Source Code Comment
33+
--------------------------------------------
34+
35+
The recommended way of ignoring such a finding is to append a comment to the
36+
relevant line of code:
37+
38+
.. code-block:: python
39+
40+
subprocess.run(args) # nosec: B603 - risk of untrusted input is accepted
41+
42+
43+
Alternatively, you could also accept a finding in the Sonar UI:
44+
45+
.. image:: accept_finding_in_sonar_ui.png
46+
:width: 400px
47+
:alt: Accepting a Finding Via Sonar UI
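Review bot: the suppression comment in the code-block, `# nosec: B603 - risk of untrusted input is accepted`, needs checking against what Bandit actually parses: its documented form is `# nosec B603` (rule ID after a space, no colon), and the trailing free text is not part of that form, so please confirm this exact line suppresses only B603 rather than being read as a bare `# nosec`, which silences every Bandit check on that line, or being ignored altogether. A safer example is `subprocess.run(args)  # nosec B603` with the justification in a comment on the line above, and the text should say explicitly that the rule ID must always be kept so that only the reviewed finding is suppressed. Two wording points: "a finding, you cannot fix or on which you can agree with your reviewers to accept or ignore it" reads better as "a finding that you cannot fix, or that you and your reviewers agree to accept or ignore"; and the Example section quotes the Bandit rule title "Test for use of subprocess with shell equals true" while the Sonar finding is titled "check for execution of untrusted input", so one sentence noting that the Sonar title and the Bandit rule name differ would spare readers the confusion when they look for the ID.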

doc/user_guide/troubleshooting.rst

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
.. _ptb_troubleshooting:
2+
3+
Troubleshooting
4+
===============
5+
6+
.. toctree::
7+
:maxdepth: 1
8+
9+
features/metrics/ignore_findings
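Review bot: `features/metrics/ignore_findings` is now listed in two toctrees, here and in `collecting_metrics.rst` in the same commit, so the page appears twice in the navigation and its parent position (prev/next links, breadcrumb) becomes ambiguous. Consider keeping the single toctree entry under the metrics feature and linking from the troubleshooting page with :ref:`ignore_findings` instead, and give this page a sentence of introductory text before the toctree so that a Troubleshooting page with a single entry does not look empty.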

doc/user_guide/user_guide.rst

Lines changed: 1 addition & 0 deletions
@@ -10,5 +10,6 @@
1010
getting_started
1111
configuration
1212
features/index
13+
troubleshooting
1314
customization
1415
migrating
