Did we lose the ability to filter Security Hotspots?

On SonarQube 8.2/8.3 I cannot figure out how to filter my security hotspots. Back when they were first introduced as the 4th issue type I could filter them on language, directory, etc, the same as the other issue types. At some point when they diverged from the smells/bugs/vulns and we got the new UI (which is otherwise beautiful) did we lose the ability to use the other filtering?

I even tried being sneaky and adding the url params like /security_hotspots?id=si-qradar&languages=flex# but to no avail.

Just looking for a way to section out my 5000+ hotspots in my large, multilingual monolith :sweat:

Hello @Brad,

Not being able to filter by file was a choice we made while working on the UI dedicated to Security Hotspots.

Did you notice Security Hotspots are sorted for you by default? The ones on the top of the list are the hotspots you should review first to maximize the impact of your review.

Talking about the review process, we expect developers to follow the Clean as You Code process so to focus on Security Hotspots raised on Pull Requests or raised on New Code and to perform the security review of the code they changed. My recommendation is to first try to use these filters:

Do you still have 5000+ hotspots to review when using these filters?

Alex


Thanks Alex, yes them being sorted by severity and category is great, especially for the ones in the new code period. The 5k I’m talking about are the pre-existing ones we’re going back to review. Assigned to me doesn’t work for this use case as many of the owners of our old code are no longer in development issues, and our product security team is reviewing all the historical hotspots.

The lack of filtering is not a show stopper by any means, being able to set assigned all of a particular language or area to an individual would have made this a little easier to distribute the work, but we’ll get through it either way.

There is some inconsistency around this in the code viewer section.
When I click bug, vuln, or smell, I get the expected filtered view of just those few issues. When clicking the hotspot link I get the generic overall hotspot view (presumably as this is not supported any more).

Hello, @Alexandre_Gigleux,

Like @Brad, we are also missing this filter, although we are at the opposite spectrum, with 1000+ projects (and repos) in SonarQube. Our projects are based on various starter-kits/templates, so the same problem may be propagated all over. ( … Maybe I should ask this as a separate question …? )

We previously found the ability to filter Global Issues on Hotspots ( {{sq_url}}/issues?resolved=false&types=SECURITY_HOTSPOT ) very helpful as it allowed us to see in the UI at a glance the Rules, and their concentration across projects so we could most effectively address. For example, we could assign a SQL expert to review the “Formatting SQL queries/ SQL Injection” or a SecDev for “Hard-coded credentials” and address globally if a common structure.

Security Hotspots is no longer in the Global Issues and there’s no visible equivalent for “Security Issues”. Further, the Project Summary ( {{sq_url}}/projects?security_review=5&sort=security_review ) only shows “Security Review” as a percentage/letter grade. Having one project with one unreviewed Hotspot scores the same rating as one with 73 unreviewed Hotspots (19 High, 54 Low).

I would prefer to see the actual ratio ( 0/1, 0/73, etc. ) reviewed instead of the percentage in the Project Summary. The app can do the math and show the corresponding letter grade.

It also seems the order is absolute %age, then alphabetic, not sub by Qty or Sev. How is a team / Enterprise to know where to focus the resources? It would seem there should be a weighting given to the category of Hotspots open in calculating the Review a la Technical Debt weighting, in addition to displaying the numerical values.

I’m happy to raise the above as separate Help or Bug report if replying was not in order.

Ian

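Both posts above want the same thing the UI dropped: Brad wants to section hotspots by language or directory so the backlog can be handed out, and Ian wants rule/category concentration and the raw reviewed/total ratio instead of a percentage. The following script is an added example, not SonarQube's own code or anything from this thread. It works on a list of hotspot records in the shape returned by `GET api/hotspots/search` (available since SonarQube 8.1); the field names used (`component`, `project`, `securityCategory`, `vulnerabilityProbability`, `status`) and the `paging` structure are assumptions about that response that you should check against your server's Web API documentation. The sample records, the extension-to-language map and the HIGH/MEDIUM/LOW weights are constructed for the example; the weighting is not how SonarQube computes its Security Review rating.

```python
"""Added example: triage SonarQube Security Hotspots outside the UI.

Groups hotspots by language (from file extension), directory and security
category, computes per-project reviewed/total ratios, and can page records
from api/hotspots/search. Field names are assumptions about that API.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from collections import Counter, defaultdict

# Assumed extension-to-language map; extend it for the languages in your monolith.
EXT_TO_LANG = {".java": "java", ".js": "javascript", ".py": "python", ".as": "flex"}

# Assumed weights for ranking unreviewed hotspots; not SonarQube's own rating formula.
PROBABILITY_WEIGHT = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample records (not real scan data), shaped like api/hotspots/search output.
SAMPLE_HOTSPOTS = [
    {"key": "h1", "project": "si-qradar", "component": "si-qradar:src/main/java/db/Query.java",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH", "status": "TO_REVIEW"},
    {"key": "h2", "project": "si-qradar", "component": "si-qradar:src/main/java/auth/Login.java",
     "securityCategory": "auth", "vulnerabilityProbability": "HIGH", "status": "REVIEWED"},
    {"key": "h3", "project": "si-qradar", "component": "si-qradar:web/flex/Upload.as",
     "securityCategory": "weak-cryptography", "vulnerabilityProbability": "LOW", "status": "TO_REVIEW"},
    {"key": "h4", "project": "si-qradar", "component": "si-qradar:web/js/app.js",
     "securityCategory": "xss", "vulnerabilityProbability": "MEDIUM", "status": "TO_REVIEW"},
    {"key": "h5", "project": "starter-kit-a", "component": "starter-kit-a:src/config/db.py",
     "securityCategory": "auth", "vulnerabilityProbability": "HIGH", "status": "TO_REVIEW"},
    {"key": "h6", "project": "starter-kit-a", "component": "starter-kit-a:src/api/handlers.py",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH", "status": "REVIEWED"},
]


def path_of(hotspot):
    """Component keys have the form '<projectKey>:<path/in/repo>'."""
    return hotspot["component"].split(":", 1)[1]


def language_of(hotspot):
    ext = os.path.splitext(path_of(hotspot))[1].lower()
    return EXT_TO_LANG.get(ext, "other")


def directory_of(hotspot, depth=2):
    """Directory bucket of the file, e.g. 'src/main' for depth=2."""
    return "/".join(path_of(hotspot).split("/")[:depth])


def filter_hotspots(hotspots, language=None, directory=None, category=None, status=None):
    """The language / directory / category filters the hotspot UI no longer offers."""
    out = []
    for h in hotspots:
        if language and language_of(h) != language:
            continue
        if directory and not path_of(h).startswith(directory.rstrip("/") + "/"):
            continue
        if category and h["securityCategory"] != category:
            continue
        if status and h["status"] != status:
            continue
        out.append(h)
    return out


def count_by(hotspots, key_fn):
    """Concentration of hotspots per language, directory, category or project."""
    return Counter(key_fn(h) for h in hotspots)


def review_ratio(hotspots):
    """Per project: (reviewed, total), the raw numbers a percentage hides."""
    totals = defaultdict(lambda: [0, 0])
    for h in hotspots:
        totals[h["project"]][1] += 1
        if h["status"] == "REVIEWED":
            totals[h["project"]][0] += 1
    return {project: tuple(counts) for project, counts in totals.items()}


def weighted_open(hotspots):
    """Per project: PROBABILITY_WEIGHT summed over unreviewed hotspots, to rank where to focus."""
    score = Counter()
    for h in hotspots:
        if h["status"] == "TO_REVIEW":
            score[h["project"]] += PROBABILITY_WEIGHT.get(h["vulnerabilityProbability"], 1)
    return dict(score)


def fetch_hotspots(base_url, token, project_key, status="TO_REVIEW", page_size=500):
    """Page through api/hotspots/search using a user token as basic-auth username.
    Assumption: the response carries 'hotspots' and 'paging' {pageIndex, pageSize, total}."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    page, records = 1, []
    while True:
        query = urllib.parse.urlencode({"projectKey": project_key, "status": status,
                                        "p": page, "ps": page_size})
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/hotspots/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        records.extend(body["hotspots"])
        paging = body["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return records
        page += 1


if __name__ == "__main__":
    print("by language:", count_by(SAMPLE_HOTSPOTS, language_of))
    print("by directory:", count_by(SAMPLE_HOTSPOTS, directory_of))
    print("by category:", count_by(SAMPLE_HOTSPOTS, lambda h: h["securityCategory"]))
    print("reviewed/total:", review_ratio(SAMPLE_HOTSPOTS))
    print("weighted open:", weighted_open(SAMPLE_HOTSPOTS))
    print("java, unreviewed:", [h["key"] for h in
                                filter_hotspots(SAMPLE_HOTSPOTS, language="java", status="TO_REVIEW")])
```

Run as-is it works on the constructed sample; to use it against a server, call `fetch_hotspots(base_url, token, project_key)` once per project (the endpoint takes a single `projectKey`, so a loop over your project list gives Ian's cross-project view) and pass the combined list to the grouping functions. Assigning by language or directory then becomes a `filter_hotspots` call rather than a click in the UI.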