We’ve just added a new blog post about how Security Hotspots play out in a C++ context:
A lot of people associate Static Application Security Testing (SAST) with false positives, but it doesn’t have to be that way. The fact is that there are really three classes of SAST issues: true positives, false positives, and what we call Security Hotspots. Security Hotspots are security-sensitive pieces of code that need human review because whether or not there’s a Vulnerability depends on the context. At SonarSource, we make it our mission to stamp out false positives. For the rest, we believe the answer is to clearly segregate true positives (Vulnerabilities) from the ones that need review (Security Hotspots) and give you the tools to evaluate and triage them.
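To make the "depends on the context" point concrete, here is an added C++ illustration (it is not code from the blog post or from SonarSource's analyzers). It uses one classic hotspot, the `std::rand()` pseudo-random generator, in two callers: one where a reviewer would close the hotspot as safe (picking a UI tip) and one where the same call is a real Vulnerability (minting a session token), alongside the hardened form. The function names and the tip strings are constructed for the example, and the fix assumes the platform's `std::random_device` is backed by a non-deterministic source.

```cpp
#include <cstdlib>
#include <random>
#include <string>

// Constructed example: the same API call, std::rand(), is a Security Hotspot
// whose verdict depends entirely on what the result is used for.

// Context 1: non-security use. rand() only chooses which tip to display.
// A reviewer examining this hotspot would mark it "Safe": predictability
// of the choice has no security impact.
std::string pickTipOfTheDay(unsigned seed) {
    static const char* tips[] = {"Use RAII", "Prefer std::array", "Enable -Wall"};
    std::srand(seed);
    return tips[std::rand() % 3];
}

// Context 2: security use. The identical call now produces a session token.
// rand() output is fully determined by its seed, so anyone who can guess the
// seed (e.g. a timestamp) can reproduce the token: the reviewer would mark
// this hotspot as a Vulnerability.
std::string weakSessionToken(unsigned seed) {
    std::srand(seed);
    std::string token;
    for (int i = 0; i < 16; ++i) {
        token += "0123456789abcdef"[std::rand() % 16];
    }
    return token;
}

// Remediation for context 2: draw from std::random_device, the standard
// library's non-deterministic generator (assumption: the platform backs it
// with a real entropy source), and use a longer token.
std::string strongSessionToken() {
    std::random_device rd;
    std::uniform_int_distribution<int> hexDigit(0, 15);
    std::string token;
    for (int i = 0; i < 32; ++i) {
        token += "0123456789abcdef"[hexDigit(rd)];
    }
    return token;
}

int main() {
    // Demonstrates the reviewer's reasoning: the weak token is reproducible
    // from its seed, the strong one is not.
    const bool weakIsReproducible = weakSessionToken(42) == weakSessionToken(42);
    const bool strongDiffers = strongSessionToken() != strongSessionToken();
    return (weakIsReproducible && strongDiffers) ? 0 : 1;
}
```

The takeaway for triage: the analyzer is right to raise `std::rand()` in both places, but only the second caller turns into a finding, which is exactly the distinction between a Security Hotspot and a Vulnerability.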