
Add to User guide: How to ignore sonar issues? #585

@ckunki

Description

Proposed text

In case of Sonar findings that you cannot fix, or where there is an agreement to ignore them, you can add a comment to ignore a particular finding.

For an implementation like

return subprocess.run(args)

... Sonar could for example report

subprocess call - check for execution of untrusted input.

In the Sonar UI you can find the error code.

  • Clicking "Why is this an issue?"
  • You may find "B603: Test for use of subprocess with shell equals true external_bandit:B603"
  • And "See description of Bandit rule B603 at the Bandit website."
  • So your error code is B603

You can accept / ignore the finding

  • either via Sonar UI
  • or via source code comments

Accept / ignore a Finding Via Sonar UI

[Screenshot of the Sonar UI omitted]

Accept / ignore a Finding Via Source Code Comments

By appending a comment to the relevant source code implementation:

return subprocess.run(args)  # nosec: B603 - risk of untrusted input is accepted

See also
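As an added example (not part of the issue text or the project's code), the following shows the source-code variant of the suppression in context: a small helper that only launches an allowlisted program, always passes its arguments as a list (so the call stays a B603 and never becomes a shell injection), and accepts the remaining B603 finding on the same line with the `# nosec` comment described above. The allowlist, the `run_allowed` and `python_says` names and the interpreter-based sample command are assumptions made for this example.

```python
# Added example, not from the issue: a subprocess wrapper where the only
# remaining Bandit finding is B603 on the subprocess.run call itself, and
# that finding is accepted in place with a "# nosec" comment.
import subprocess
import sys

# Constructed allowlist for this example: only these programs may be launched.
ALLOWED_PROGRAMS = {"python", sys.executable}


def run_allowed(args):
    """Run `args` (an argument list, never a shell string) if allowlisted.

    Returns the CompletedProcess; raises ValueError for a rejected call.
    """
    if not isinstance(args, (list, tuple)) or not args:
        raise ValueError("args must be a non-empty argument list")
    program = args[0]
    if program not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowed: {program!r}")
    # shell=False (the default) keeps this a B603 rather than the more
    # severe B602; the residual risk is accepted and documented here.
    return subprocess.run(list(args), capture_output=True, text=True, check=True)  # nosec: B603 - program is allowlisted, args passed as a list


def python_says(message):
    """Print `message` through the current interpreter and return its stdout."""
    result = run_allowed([sys.executable, "-c", f"print({message!r})"])
    return result.stdout.strip()


if __name__ == "__main__":
    print(python_says("hello from an allowlisted subprocess"))
```

The suppression comment must sit on the line where Sonar reports the finding (the `subprocess.run` call), and the reason after the rule id is what reviewers will read when they later ask why the finding was accepted.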

Labels: documentation (User guides, tutorials, specifications)