Hotspots dried up a year ago, need to confirm if this is because of a problem or if it's genuine

Using SonarCloud, paid plan.
As the reporting in the web app is… sparse… I’ve started investigating what can be seen through the API.
I pulled in data from /api/hotspots/search for each project and put this data into Elasticsearch.
I can see that there is hotspot data from 2019 through to late 2022, then it stops.
There is one hotspot update in January 2023. After that, there is nothing at all.

I do see plenty of data in /api/project_pull_requests/list right up to the present day, so SonarCloud is certainly doing… something

I need to know whether this is because of some breakdown in SonarCloud and is because of a fault or error condition.
Or if this is because the code quality has improved so much that there are no hotspots any more…

(I’d also like to know where a paid plan actually gets paid support from Sonarsource rather than just the community forums, if at all?)

Hi,

The first thing to look at is whether your Quality Profiles still contain rules that would raise Security Hotspots.

The second thing would be to check whether all your Security Hotspots have been marked Safe & that’s why they don’t show up (by default) in the UI.

Ann
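Ann's two checks (are hotspot rules still active, and have all hotspots simply been marked Safe so the default view is empty?) can be answered from the same /api/hotspots/search endpoint the original poster is already pulling into Elasticsearch. The script below is an added example, not SonarSource code. It assumes the endpoint takes `projectKey`, `status` (TO_REVIEW or REVIEWED), `p` and `ps` parameters, returns a `paging` object plus a `hotspots` array whose entries carry `status`, `resolution`, `creationDate` and `updateDate`, and that a user token is sent as the basic-auth user name. The fetcher is injected, so the summary logic runs offline against constructed sample pages; `http_fetch` is the real-network variant.

```python
"""Summarise a project's Security Hotspots from SonarCloud's /api/hotspots/search.

Added example for this thread; it is not SonarSource code. Assumptions, labelled:
  * the endpoint takes projectKey, status (TO_REVIEW | REVIEWED), p and ps query
    parameters and answers {"paging": {"pageIndex", "pageSize", "total"}, "hotspots": [...]};
  * each hotspot carries status, resolution (SAFE | FIXED | ACKNOWLEDGED once REVIEWED),
    creationDate and updateDate as ISO-8601 strings;
  * a user token is sent as the HTTP basic-auth user name with an empty password.
The fetch function is injected so the logic can run offline against constructed pages.
"""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, Tuple

SONARCLOUD = "https://sonarcloud.io"
Fetcher = Callable[[str, dict], dict]


def http_fetch(token: str) -> Fetcher:
    """Real fetcher: GET SONARCLOUD + path with the token as basic-auth user (assumed scheme)."""
    def fetch(path: str, params: dict) -> dict:
        url = f"{SONARCLOUD}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url)
        req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_hotspots(fetch: Fetcher, project_key: str, status: str, page_size: int = 500) -> Iterator[dict]:
    """Walk every page for one project and one status; stops on the server's paging.total."""
    page = 1
    while True:
        data = fetch("/api/hotspots/search",
                     {"projectKey": project_key, "status": status, "p": page, "ps": page_size})
        hotspots = data.get("hotspots", [])
        yield from hotspots
        paging = data.get("paging", {})
        fetched = page * paging.get("pageSize", page_size)
        if not hotspots or fetched >= paging.get("total", 0):
            return
        page += 1


def classify(total: int, to_review: int) -> str:
    """Explain an empty Hotspots view: no hotspots at all vs. everything already reviewed."""
    if total == 0:
        return "no hotspots at all: check that the Quality Profile still has hotspot rules"
    if to_review == 0:
        return "every hotspot is REVIEWED (Safe/Fixed/Acknowledged), so the default view is empty"
    return f"{to_review} hotspot(s) awaiting review"


def summarise(fetch: Fetcher, project_key: str) -> dict:
    """Count hotspots by status/resolution and find the most recent creation or update date."""
    counts: Counter = Counter()
    latest = ""
    for status in ("TO_REVIEW", "REVIEWED"):
        for h in iter_hotspots(fetch, project_key, status):
            bucket = "TO_REVIEW" if h.get("status") == "TO_REVIEW" else f"REVIEWED/{h.get('resolution', '?')}"
            counts[bucket] += 1
            # Same ISO format throughout, so string comparison orders dates correctly.
            latest = max(latest, h.get("creationDate", ""), h.get("updateDate", ""))
    total = sum(counts.values())
    return {
        "project": project_key,
        "total": total,
        "to_review": counts["TO_REVIEW"],
        "by_status": dict(counts),
        "last_activity": latest or None,
        "verdict": classify(total, counts["TO_REVIEW"]),
    }


# Constructed sample pages (not real SonarCloud data): page size 2 forces a second page.
SAMPLE_PAGES: Dict[Tuple[str, int], dict] = {
    ("TO_REVIEW", 1): {"paging": {"pageIndex": 1, "pageSize": 2, "total": 0}, "hotspots": []},
    ("REVIEWED", 1): {"paging": {"pageIndex": 1, "pageSize": 2, "total": 3}, "hotspots": [
        {"key": "hs-1", "status": "REVIEWED", "resolution": "SAFE",
         "creationDate": "2022-10-03T08:15:00+0000", "updateDate": "2022-11-20T16:40:00+0000"},
        {"key": "hs-2", "status": "REVIEWED", "resolution": "SAFE",
         "creationDate": "2022-11-02T10:00:00+0000", "updateDate": "2023-01-12T09:30:00+0000"},
    ]},
    ("REVIEWED", 2): {"paging": {"pageIndex": 2, "pageSize": 2, "total": 3}, "hotspots": [
        {"key": "hs-3", "status": "REVIEWED", "resolution": "FIXED",
         "creationDate": "2022-06-14T12:00:00+0000", "updateDate": "2022-12-01T11:05:00+0000"},
    ]},
}


def sample_fetch(path: str, params: dict) -> dict:
    """Offline stand-in for http_fetch that serves the constructed pages above."""
    return SAMPLE_PAGES[(params["status"], params["p"])]


if __name__ == "__main__":
    print(json.dumps(summarise(sample_fetch, "demo-project"), indent=2))
```

Run it per project key with `http_fetch(token)` in place of `sample_fetch`; a verdict of "no hotspots at all" points at the Quality Profile, while "every hotspot is REVIEWED" means the hotspots exist but are hidden by the default filter, and `last_activity` shows whether the January 2023 update really was the last one.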

They are using the default Quality Profiles for the languages involved.
There's also one default Quality Gate, which can't be edited or changed.

If all of the security hotspots were marked as safe, but new ones were added, that would show up wouldn’t it?

Also, most of these projects are listed as
“Quality Gate: Not Computed. We can’t display your Quality Gate without a New Code definition”
but when I go into the New Code Definition, it appears to be set to ‘Previous Version’ already.
I’m not sure if I should change it to a number of days or not.

Most of these projects have a strange conflict in how the analysis is displayed;
there's a date at the top of the project which shows something like:
Last analysis Mar 16, 2023 29k Lines of Code

but down the page there will be something like:
NEW ANALYSIS[develop]
Passed
September 18 at 2:24 PM

so I’m confused about the analysis dates as well. Not sure if these issues are related. Some of the projects have, at the top, a Last analysis date of last year some time, but we know work has been done recently. If we look in the pipelines, we can see SonarCloud doing… something…

Hi,

That’s a lot of questions. :sweat_smile: We try to keep it to one topic per thread. Otherwise it can get messy, fast. Let’s keep this thread focused on Security Hotspots & can you open a new thread for the Quality Gate question? (Screenshots will help get that one off the ground quickly.)

Regarding Security Hotspots,

Yes.

I take it from this:

That your project isn’t analyzed on a terribly regular basis. Are you confident that you’ve added new Security Hotspots? Can you check the Safe tab on the Hotspots page and see what, if anything, shows up there?

Thx,
Ann

Thanks for your help so far. This is fairly sensitive as it's a customer's paid and private repo and SonarCloud account, so any screenshots I submit here would have to be carefully edited.

It would be more helpful if I could find a way to access SonarCloud support directly, but through the SonarCloud web UI, so far I haven’t been able to find anything. Again, the customer pays for this, about 150EUR per month, and we’re hoping that gets them some level of official support outside of the public forums?

Could you please give me a link or email?
Thanks

Hi,

Paid SonarCloud support is available for an additional charge.

Feel free to redact your screenshots as necessary.

Ann

We had a developer insert some dummy code which should show as a hotspot, and it did. So it is detecting new hotspots.

The problem we have now is that there was no notification or anything that the hotspot had been created. Nothing in ADO, no notifications anywhere, just the hotspot showing in the web UI.

What is the intended way in which developers are supposed to know that there is a hotspot to review?

Hi,

Take a look at the Security Review rating, or add Security Hotspots to your Quality Gate.

HTH,
Ann

I’m not sure how or whether that answers the question.
Please refer to new thread I created
How do developers know there are new hotspots to review? - SonarCloud - Sonar Community (sonarsource.com)

Hi,

I don’t understand how your new thread asks a different question than this.

You’re asking how to know there are new Security Hotspots. We don’t send email notifications for that. Security Hotspots are a different type of beast than issues, and we only send emails for issues.

So how you find out there are new Security Hotspots is

  • Look at the Security Review rating for your PR / branch / project
  • Add Security Hotspots to your Quality Gate and then pay attention when your QG fails.

HTH,
Ann

I was asking a different question to the one that I started this topic with and realised that the rules should require a new topic.
The default quality gate is being used, which requires hotspots to be 100% reviewed.
When we artificially created a hotspot, this was not reported in the comments which SonarCloud created in ADO.

Are you saying that, as developers are working, they need to periodically visit the web UI, check the projects that they are working on in there one by one?

There's no overall view of any statistics, like hotspots, is there? You can't go to a page, get a list of all hotspots that exist in the org, click the link, go to that hotspot, etc.

Hi,

Okay, I see your point. We don’t add comments for Security Hotspots because they’re not something that’s definitely wrong. Security Hotspots are raised for things that may be a problem; they may not. Human intelligence is required to tell the difference. So we deliberately kept them out of the PR.

I’m not. I’m saying you should report your Quality Gate status into your PRs. When it fails, then you know to go check. And this is the same for coverage and duplications.

Ann

But, on the other hand, they need to be manually reviewed, so it needs to be brought to someone's attention that they exist so that someone can have a look at them and review them…

We did look deeper, and found that there was a note on the PR under "extensions" which does have a link to the SonarCloud info on its findings. We'd like to just get this kind of thing raised somewhere more obvious. We are looking at the webhooks and seeing if we can send this to a Slack channel, since we already have Snyk sending notifications of new findings to a channel.
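Ann's advice earlier in the thread (add Security Hotspots to the Quality Gate and watch for gate failures) and the plan in the last post (forward SonarCloud webhooks to Slack) fit together in one small receiver. The code below is an added example for this thread, not SonarSource, Microsoft or Slack code. It assumes the webhook body is the JSON shape documented for SonarQube/SonarCloud webhooks (`project`, `branch`, `qualityGate.status`, `qualityGate.conditions[]` with `metric`, `status`, `value`, `errorThreshold`), that the "Security Hotspots Reviewed" condition uses the metric key `security_hotspots_reviewed`, and that, when a webhook secret is configured, each request carries an `X-Sonar-Webhook-HMAC-SHA256` header holding the hex HMAC-SHA256 of the raw body. The sample payload and secret are constructed.

```python
"""Forward SonarCloud Quality Gate failures (Security Hotspots Reviewed included) to Slack.

Added example for this thread; it is not SonarSource, Microsoft or Slack code. Assumptions,
labelled: the webhook body is the JSON documented for SonarQube/SonarCloud webhooks
(project.name/url, branch.name, qualityGate.name/status, qualityGate.conditions[] with
metric/status/value/errorThreshold); the hotspot condition's metric key is
security_hotspots_reviewed; and, when a webhook secret is configured, the request carries
X-Sonar-Webhook-HMAC-SHA256 = hex(HMAC-SHA256(secret, raw body)). Slack's incoming webhook
accepts a JSON body with a "text" field.
"""
import hashlib
import hmac
import json
import urllib.request
from typing import Optional

HOTSPOT_METRIC = "security_hotspots_reviewed"  # assumed key of the "Security Hotspots Reviewed" condition
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def verify_signature(raw_body: bytes, header_value: str, secret: str) -> bool:
    """Constant-time check of the HMAC so forged payloads cannot trigger notifications."""
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value or "")


def build_slack_message(payload: dict) -> Optional[dict]:
    """Return a Slack message for a failed gate, or None when the gate passed."""
    gate = payload.get("qualityGate", {})
    if gate.get("status") != "ERROR":
        return None
    project = payload.get("project", {})
    branch = payload.get("branch", {}).get("name", "?")
    lines = [f":rotating_light: Quality Gate '{gate.get('name', '?')}' failed for "
             f"{project.get('name', '?')} (branch {branch})"]
    for cond in gate.get("conditions", []):
        if cond.get("status") != "ERROR":
            continue  # only the failing conditions are worth a ping
        if cond.get("metric") == HOTSPOT_METRIC:
            lines.append(f"- Security Hotspots reviewed: {cond.get('value')}% "
                         f"(threshold {cond.get('errorThreshold')}%): new hotspots need a human review")
        else:
            lines.append(f"- {cond.get('metric')}: {cond.get('value')} "
                         f"(threshold {cond.get('errorThreshold')})")
    if project.get("url"):
        lines.append(f"<{project['url']}|Open in SonarCloud>")
    return {"text": "\n".join(lines)}


def handle_webhook(raw_body: bytes, headers: dict, secret: str) -> Optional[dict]:
    """Entry point for an HTTP handler: verify, parse, decide. Pass the raw bytes, not re-serialised JSON."""
    if not verify_signature(raw_body, headers.get(SIGNATURE_HEADER, ""), secret):
        raise PermissionError("webhook signature mismatch")
    return build_slack_message(json.loads(raw_body))


def post_to_slack(slack_webhook_url: str, message: dict) -> int:
    """POST the message to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(slack_webhook_url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample request (not a real SonarCloud payload).
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_PAYLOAD = {
    "project": {"key": "org_demo-project", "name": "demo-project",
                "url": "https://sonarcloud.io/dashboard?id=org_demo-project"},
    "branch": {"name": "develop", "type": "BRANCH", "isMain": False},
    "qualityGate": {"name": "Sonar way", "status": "ERROR", "conditions": [
        {"metric": "new_coverage", "operator": "LESS_THAN", "value": "91.2",
         "status": "OK", "errorThreshold": "80"},
        {"metric": HOTSPOT_METRIC, "operator": "LESS_THAN", "value": "50.0",
         "status": "ERROR", "errorThreshold": "100"},
    ]},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: hmac.new(SAMPLE_SECRET.encode(), SAMPLE_BODY, hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET), indent=2))
```

Wire `handle_webhook` into whatever HTTP framework receives the webhook, passing the request's raw body bytes and its header map (some frameworks lower-case header names, so look the signature header up accordingly), and call `post_to_slack` only when it returns a message. Verifying the HMAC before parsing is what keeps an unauthenticated POST to the receiver from spamming the channel.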