Hotspots are both reviewed and not reviewed at the same time?

SonarQube 8.6.0 Community

I marked a bunch of SQL injection hotspots safe, but two ended up in an inconsistent state.

If I go to the project on the web portal and go to the Security Hotspots tab, these two are listed, while all the others I marked are gone.

If I use the web API to look for the ones that are still TO_REVIEW, I use the URI “…/api/hotspots/search?statuses=TO_REVIEW&status=TO_REVIEW&ps=100&p=1&projectKey=…” and get in return an object whose main array contains two hotspots. The first is

key : AXfxh2ZWL4bd72AKP4h8

project : us.or.state.pers:OR_CLT_9_7_1
securityCategory : sql-injection
vulnerabilityProbability : HIGH
status : REVIEWED
resolution : SAFE

And when I use hotspots/show to view the details, it also shows the status/resolution as REVIEWED/SAFE and also shows the comment I added explaining why the code is safe.

I deleted my comments from those two, then tried using the hotspots/change_status endpoint to change them directly to REVIEWED/SAFE (while reapplying my comment). This didn’t work. They were still in this inconsistent state where they showed up on the web portal but were still reported as TO_REVIEW. Also, my comment was not on either one. Apparently, the change_status endpoint believed that the status was already REVIEWED, and therefore didn’t attempt to change it or add my comment.

I had to change each of them back to TO_REVIEW status, and then change them back to REVIEWED/SAFE, and now they appear to be in a correct and consistent state.

OK, here is another example of a hotspot marked safe using the web_api, and yet…

I was able to fix this by using the web_api function hotspots/change_status twice, first to change its status to TO_REVIEW, and then change it back to REVIEWED with resolution SAFE. Now it’s gone from the hotspot tab, as expected:

You should add a sanity check to the web server to check for illogical output like the first screenshot.
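As an added example (not code from the original post or from SonarSource), a Python script that runs the hotspots/search query described above, flags hotspots the TO_REVIEW search returns whose own status already reads REVIEWED, and applies the two hotspots/change_status calls the poster used to reset them. It assumes token authentication (token sent as the basic-auth username with an empty password); the function and parameter names are this example's own, and the sample key in the test matches the one quoted above.

```python
import base64
import json
import urllib.parse
import urllib.request

def sonar_request(base_url, token, path, params, method="GET"):
    """Call a SonarQube web API endpoint; a user token is sent as basic-auth username, empty password."""
    query = urllib.parse.urlencode(params)
    url = f"{base_url.rstrip('/')}/{path}"
    data = None
    if method == "POST":
        data = query.encode()          # change_status takes form-encoded POST parameters
    else:
        url = f"{url}?{query}"          # search takes query-string parameters
    req = urllib.request.Request(url, data=data, method=method)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}  # change_status answers with an empty body

def inconsistent_keys(search_response):
    """Keys of hotspots a status=TO_REVIEW search returned although their own status is not TO_REVIEW."""
    return [h["key"] for h in search_response.get("hotspots", []) if h.get("status") != "TO_REVIEW"]

def repair_calls(key, comment):
    """The two change_status requests that reset a stuck hotspot: back to TO_REVIEW, then REVIEWED/SAFE."""
    return [
        {"hotspot": key, "status": "TO_REVIEW"},
        {"hotspot": key, "status": "REVIEWED", "resolution": "SAFE", "comment": comment},
    ]

def repair_project(base_url, token, project_key, comment, request=sonar_request):
    """Page through the TO_REVIEW search, repair every inconsistent hotspot, return the keys repaired."""
    repaired = []
    page = 1
    while True:
        resp = request(base_url, token, "api/hotspots/search",
                       {"projectKey": project_key, "status": "TO_REVIEW", "ps": 100, "p": page})
        for key in inconsistent_keys(resp):
            for params in repair_calls(key, comment):
                request(base_url, token, "api/hotspots/change_status", params, method="POST")
            repaired.append(key)
        paging = resp.get("paging", {})
        if page * paging.get("pageSize", 100) >= paging.get("total", 0):
            break
        page += 1
    return repaired
```

Call repair_project(url, token, project_key, comment) with a token that is allowed to change hotspot status on the project; the returned list is the set of keys that were reset, which is worth keeping as an audit record.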


Are you still on 8.6? We did a lot of hardening in 8.9. Can you upgrade and check again?