Enterprise edition 10.7:
This issue has been around since at least the summer of 2022. When a hotspot is “Acknowledged” it does not translate to anything related to security. In fact it gets removed from “Security Hotspots” and just hangs out in the Acknowledged tab.
How do I get the Acknowledged Security Hotspots to show up as vulnerabilities on the security report?
We make a deliberate distinction between Vulnerabilities and Security Hotspots, so you’ll never get them to show up as Vulnerabilities, anywhere.
And the fact that they disappear when they’re acknowledged is a fair point, which I’ll raise internally. At the same time, the intent behind that status is (from the docs):
Acknowledged: A developer has reviewed the Security Hotspot and a resolution to the highlighted risk is pending. This covers cases where a fix is in progress or where time is needed to determine the next step.
So sitting in acknowledged is supposed to be a short-term thing. But there is that “where time is needed” part in there, and everyone needs a reminder now and then. So as I said, I’ll raise this internally.
From a cost/risk management perspective, not being able to status unfixed “Acknowledged” Hotspots limits the utility of the SonarQube security function as a source of truth.
E.g., when a Hotspot is “Acknowledged”, it is a vulnerability/weakness.
In most environments vulnerabilities/weaknesses are prioritized based on specific variable(s), usually cost and severity. Some may never get fixed because of functionality. You end up carrying some vulnerabilities/weaknesses for extended periods of time, perhaps the entire lifecycle. Normally they would be recorded in some kind of plan of action and milestones (POAM).
During an audit, the Auditor will ask to see the static code analyzer and/or a report from whatever static code analyzer is being used, SonarQube in this case. Being transparent, I would have to create a separate report with the unfixed “Acknowledged” vulnerabilities and explain why they don’t show up in SonarQube as vulnerabilities or anything else for that matter.
Basically, I have to defend the tool. In the compliance world that is not good. If the Auditor doesn’t have faith in the “source of truth”, a 2 day audit can easily run over time, and no one wants an Auditor on deck any longer than necessary…
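One way to build that separate POA&M-style report of unfixed Acknowledged Hotspots straight from the SonarQube Web API, added here as an example that is not part of this thread or of SonarQube's own tooling. It assumes the `api/hotspots/search` endpoint with `status`/`resolution` parameters and the response field names shown, that a user token works as the Basic-auth username with an empty password, and uses a constructed sample payload so the filtering runs offline; check the parameters against `/web_api` on your instance.

```python
import json
from base64 import b64encode
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample of an api/hotspots/search payload; the field names are
# assumed from the SonarQube Web API and only the ones used below are included.
SAMPLE_RESPONSE = {
    "hotspots": [
        {"key": "AX1", "component": "demo:src/auth/Login.java", "line": 42,
         "securityCategory": "weak-cryptography", "vulnerabilityProbability": "MEDIUM",
         "status": "REVIEWED", "resolution": "ACKNOWLEDGED",
         "message": "Weak hash in use", "updateDate": "2022-07-01T10:00:00+0000"},
        {"key": "AX2", "component": "demo:src/Util.java", "line": 7,
         "securityCategory": "others", "vulnerabilityProbability": "LOW",
         "status": "REVIEWED", "resolution": "SAFE", "message": "Random used"},
        {"key": "AX3", "component": "demo:src/Db.java", "line": 99,
         "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
         "status": "TO_REVIEW", "message": "Dynamic query"},
        {"key": "AX4", "component": "demo:src/Cmd.java", "line": 15,
         "securityCategory": "command-injection", "vulnerabilityProbability": "HIGH",
         "status": "REVIEWED", "resolution": "ACKNOWLEDGED",
         "message": "Shell command built from input", "updateDate": "2023-03-05T09:30:00+0000"},
    ],
}

def acknowledged_rows(response):
    """Keep only Acknowledged hotspots and flatten them into POA&M-style rows."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # riskiest carried items first
    rows = [{
        "key": h["key"],
        "location": f"{h['component']}:{h.get('line', '?')}",
        "category": h.get("securityCategory", ""),
        "probability": h.get("vulnerabilityProbability", ""),
        "acknowledged_since": h.get("updateDate", ""),
        "finding": h.get("message", ""),
    } for h in response.get("hotspots", [])
      if h.get("status") == "REVIEWED" and h.get("resolution") == "ACKNOWLEDGED"]
    return sorted(rows, key=lambda r: order.get(r["probability"], 3))

def fetch_acknowledged(base_url, project_key, token, page=1):
    """Fetch one page of api/hotspots/search filtered server-side to Acknowledged
    items (parameter names assumed from the Web API; check /web_api on your instance)."""
    query = urlencode({"projectKey": project_key, "status": "REVIEWED",
                       "resolution": "ACKNOWLEDGED", "p": page, "ps": 500})
    req = Request(f"{base_url.rstrip('/')}/api/hotspots/search?{query}")
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urlopen(req) as resp:
        return json.load(resp)
```

Loop `fetch_acknowledged` over pages until the returned list is shorter than `ps`, then feed each page to `acknowledged_rows` and write the rows to CSV for the auditor.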