Automatically Assigning Security Hotspots

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

I’m using Sonarqube 8.9.0, and I’m trying to automatically assign security hotspots.

I checked the documentation page that there is Automatic Issue Assignment for Bugs, Vulnerabilities, and Code Smells. However, it seems that there isn’t such a feature for security hotspots. I’m wondering if it is possible to automatically assign security hotspots to the last committer on the security hotspot line just like how the issues are automatically assigned.

Thanks!

Hi @Michael_Tan, welcome to the SonarSource Community!

Security Hotspots should auto-assign just like issues do. Can you confirm that if you browse the code where a hotspot is found (browse via the Code tab in the project) that there is commit history in the margin to the left of the code? Further, confirm if the identity of the commit user shown there matches someone who has an account in your SonarQube instance. The identity (email) needs to line up for the assignment to work.

@Jeff_Zapotoczny
Hi Jeff. I can confirm that there is a commit history. The identity of the commit user is myself.

The hotspot does pick up that it was me who introduced it. However, it doesn’t automatically assign to me.

The identity also does match my email.

Thank you for your help!

And the Assignee on the hotspot just shows what? Empty?

Is there anything set if you look in the Project Settings for Default Assignee?

@Jeff_Zapotoczny
The assignee just shows Not assigned.
Default Assignee under the Project Setting is empty.

Hi Michael.

The author collected from the SCM is matched with accounts’ login and email to find a SonarQube user for the auto assignment.
It looks like your SCM collected ‘Michael Tan’ as the author. I guess you’re not using git, because with git it’s generally the email that is considered to be the author.

In any case, your name is not matching the email or login. I suggest you add your name as a ‘SCM Account’ in your SonarQube’s user settings. See button ‘Add’ in the screenshot. I think it needs to be done by a SonarQube admin.


@dmeneses

Hi Duarte,

We are in fact using git and I did some troubleshooting on my end.

We enabled SAML with Google SSO just a few days ago, and I had two accounts associated with my email mtan@… One being the Google account and one being the original account created directly in SonarQube. SonarQube wasn’t able to automatically assign the security hotspot when I had both accounts activated. (However, it was able to automatically assign a vulnerability.)

After I deactivated one of my accounts and had only one account associated with my email, SonarQube was able to automatically assign the security hotspot after the next scan.

I’m unsure if this is a bug or an expected behaviour as I am getting different results regarding automatic assignment of vulnerabilities and security hotspots under the same conditions.

Thank you for your help!


Glad you got it working.
That’s expected behavior. If there’s more than one match it won’t pick one and it will add a warning in the CE server logs.

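To make the matching rule described above concrete, here is an added model of the auto-assignment step (example code written for this thread, not SonarQube's own implementation). It mirrors what the replies state: the SCM author is compared against login, email and configured SCM accounts, and more than one active match means no assignee plus a warning; the field names, the `mtan@example.invalid` address and the case-insensitive comparison are assumptions of this model.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    """A SonarQube account as seen by the auto-assignment step (constructed model)."""
    login: str
    email: str
    active: bool = True
    scm_accounts: set[str] = field(default_factory=set)  # extra 'SCM Account' values

    def matches(self, scm_author: str) -> bool:
        # Login, email and SCM accounts are all candidates; the case-insensitive
        # comparison is an assumption of this model, not documented behaviour.
        author = scm_author.strip().lower()
        names = {self.login.lower(), self.email.lower()} | {a.lower() for a in self.scm_accounts}
        return author in names


def resolve_assignee(scm_author: str, users: list[User], warnings: list[str]) -> str | None:
    """Return the login to auto-assign, or None when zero or several active users match."""
    hits = [u for u in users if u.active and u.matches(scm_author)]
    if len(hits) == 1:
        return hits[0].login
    if len(hits) > 1:
        warnings.append(f"SCM author {scm_author!r} matches several users "
                        f"({', '.join(u.login for u in hits)}); leaving unassigned")
    return None


def thread_scenario() -> tuple[str | None, str | None, str | None]:
    """Replay the three situations from the thread; returns the assignee of each."""
    warnings: list[str] = []
    local = User("mtan", "mtan@example.invalid")       # original local account (constructed)
    sso = User("mtan-google", "mtan@example.invalid")  # SAML/Google SSO account (constructed)
    # 1. Author 'Michael Tan' matches neither login nor email: nothing to assign.
    by_name = resolve_assignee("Michael Tan", [local], warnings)
    # 2. Two active accounts share the email: ambiguous, warning logged, unassigned.
    ambiguous = resolve_assignee("mtan@example.invalid", [local, sso], warnings)
    # 3. Deactivate the duplicate: a single active match, so assignment happens.
    sso.active = False
    resolved = resolve_assignee("mtan@example.invalid", [local, sso], warnings)
    print(*warnings, sep="\n")
    return by_name, ambiguous, resolved


if __name__ == "__main__":
    print(thread_scenario())
```

Adding the display name as an SCM Account on the single account, as suggested earlier in the thread, makes case 1 resolve as well.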

@dmeneses

Just another quick question: is it possible to get email notifications when a security hotspot gets automatically assigned to me?

Right now, it seems that I am only getting notifications when someone else manually assigns a hotspot to me and no notification when SonarQube automatically assigns one to me.

Thank you!

I believe that you only get a notification when a hotspot gets converted to a vulnerability after being reviewed.
