- SonarQube Enterprise Edition
- Version 8.6.1 (build 40680)
We are working to resolve overall code security hotspots to improve our security review grade rating. The security review rating is based upon the percentage of hotspots reviewed (marked as fixed or safe).
One of the challenges we have encountered is that marking a security hotspot as fixed/safe on one branch doesn’t mark it fixed/safe on other branches. We end up having to indicate that in multiple places.
As a solution to that, if we review code and see that it is safe, we instead use the SuppressWarnings directive along with squid:rule# to suppress it everywhere, for just that one rule. However, that has the effect of just taking it out of the count of the number of security hotspots and there is no increase in the count of the number reviewed. Thus, we have addressed over 50% of our issues in this way, but it has had no effect on our Security Review rating. We are still at “E” because SonarQube doesn’t count these as reviewed.
Is there a different flow we should be using?
Is there a different way we should be using SuppressWarnings such that the change is counted as reviewed?