I’m using SonarQube 8.9.1 LTS (upgrade to 8.9.4 in progress).
I can’t find a way to bulk change assignee in the security hotspots review tab. I can only do it one by one. Do you know if there is a (rather simple) way to do a bulk change of every assignee in Security Hotspots?
I’m using SonarQube 8.9.4, and it would be great to have similar Bulk options for Security Hotspots as you do for handling normal issues.
We have a process whereby Security Hotspots are raised by developers for review and/or mitigation by a Code Quality team. Often, there are multiple similar false positives which could be quickly bulk commented and mitigated. For instance, if you have some XmlProcessing code, quite often you’ll have multiple “Using http protocol is insecure. Use https instead.” on the namespace attributes. The process would be much neater and easier to handle if one comment/decision could apply to multiple similar false positives.
At the moment I’m updating 100s of almost-identical hotspots, and it’s painstakingly slow, which could be helped by:
having keyboard shortcuts for every step of the process (change status → safe, which should move keyboard focus to the comment → change status), removing the animation around the ‘Security Hotspot was successfully changed to Safe’ popup → continue reviewing.
the UI shouldn’t be designed in a way such that when the change status is clicked, the dropdown panel obscures the code that you’re reviewing.
But if we could bulk update hotspots, that would be a much better solution.
@DaveMercer I believe we fixed most of the FPs related to “namespace attributes” + “use of http”. If you still see a problem with SQ 9.7, don’t hesitate to create a dedicated thread here.
@knoxg If you have 100s of Hotspots to review on a single project very often, it probably means that we are raising too much. Can you share in a dedicated thread examples of Hotspots that are noisy and force you to review 100s of them?
Note: I shared your feedback about the missing shortcuts, popups, etc… with our UX Team.
Hi Sean,
Thanks for sharing this issue. It’s not on our roadmap at the moment, but we are keeping a record of all requests for bulk fixes to design the right solution. I’ll update this thread if there is any update.