How to configure ignoring security hotspots

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Developer Edition Version 8.2 (build 32929)

  • what are you trying to achieve
    I’d like to configure SonarQube to ignore some files when identifying Security Hotspots.

  • what have you tried so far to achieve this
    I set the analysis scope like this:

I also tried configuring the following in sonar-project.properties, based on this and this.

sonar.issue.ignore.multicriteria=e1,e2

# Ignore "Hard-coded credentials are security-sensitive"
sonar.issue.ignore.multicriteria.e1.ruleKey=squid:S2068
sonar.issue.ignore.multicriteria.e1.resourceKey=acceptance/**/*

# Ignore "Using regular expressions is security-sensitive"
sonar.issue.ignore.multicriteria.e2.ruleKey=squid:S4784
sonar.issue.ignore.multicriteria.e2.resourceKey=acceptance/**/*,assets/**/*

But the scan keeps finding these security hotspots in these files.

Hello,

Java rule keys recently changed and no longer use the “squid” prefix. Can you check on the Rules pages if the rule S2068 still has the “squid” prefix on your SQ DE 8.2?

I’ve got this on my side “java:S2068”:

In all cases, I suggest you upgrade your Java analyzer to v6.3, which has better performance. That won’t resolve your ignore security hotspots problem but at least your installation will run better.

Thanks

Dumb mistake on my part: I had just copied “squid” from the example. It should have been “javascript”, but I’m still getting the security hotspot reports for these files.

Now I’ve got the analysis scope configured like this:

Here’s an example security hotspot report:

And here’s the corresponding rule (showing the rule key):

Hi Dean,

Were you able to find the solution? I have been trying to do the same for JavaScript (Node specifically) but have been unable to get any proper result. The hotspots are still showing up in Sonar.

Hello,

I would like to understand why you want to remove hotspots for JavaScript. You don’t like the results?
Which rules exactly do you want to remove?

Thanks
Alex

As I noted above, I’d like to ignore the rule regarding hard-coded credentials in the regression tests.

The rule S2068 is not supposed to run on test files. I believe the scan is not properly configured. Test files should be identified using the property sonar.tests and main files using sonar.sources.
Here is an extract from the documentation:

When you do that, only rules dedicated to tests will be executed on test files and the rule S2068 will be only executed on main files … and as a consequence you will have nothing to ignore.

@Alexandre_Gigleux

I’m having the same issue - I don’t think that the rule not being supposed to run on tests is an acceptable solution. There are other scenarios where this is required; for example, SonarCloud is showing a false positive for rule https://sonarcloud.io/organizations/workivate/rules?languages=js&open=javascript%3AS5332&q=http on my SVG components because of the xmlns="http://www.w3.org/2000/svg" XML namespace.

I have added:

sonar.issue.ignore.multicriteria.e1.ruleKey=javascript:S5332
sonar.issue.ignore.multicriteria.e1.resourceKey=**/icon/components/**

to my .sonarcloud.properties file but this does not remove the hotspots.

I also added the same rule manually within the SonarCloud UI and this did not work either. When do these settings take effect? Is it during the next scan? It would be good if after changing the scope a new analysis was triggered so I could actually see if my changes are having an effect.
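
An added example, not part of any post in this thread and not SonarSource code: a small pre-scan check for the sonar.issue.ignore.multicriteria entries discussed above. It flags entries that are defined but not listed, entries missing a ruleKey or resourceKey, and the legacy "squid:" prefix. The function names and sample file are constructed, and the comma check assumes resourceKey holds a single path pattern.

```python
import re

# Constructed sample modelled on the snippets posted in this thread.
SAMPLE = """\
sonar.issue.ignore.multicriteria=e1,e2
sonar.issue.ignore.multicriteria.e1.ruleKey=squid:S2068
sonar.issue.ignore.multicriteria.e1.resourceKey=acceptance/**/*
sonar.issue.ignore.multicriteria.e2.ruleKey=javascript:S4784
sonar.issue.ignore.multicriteria.e2.resourceKey=acceptance/**/*,assets/**/*
sonar.issue.ignore.multicriteria.e3.ruleKey=javascript:S5332
sonar.issue.ignore.multicriteria.e3.resourceKey=**/icon/components/**
"""

PREFIX = "sonar.issue.ignore.multicriteria"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_multicriteria(text):
    """Return (entry_id, problem) tuples, ordered by entry id."""
    props = parse_properties(text)
    listed = [i.strip() for i in props.get(PREFIX, "").split(",") if i.strip()]
    entry_key = re.compile(re.escape(PREFIX) + r"\.([^.]+)\.(ruleKey|resourceKey)$")
    defined = {}
    for key, value in props.items():
        m = entry_key.match(key)
        if m:
            defined.setdefault(m.group(1), {})[m.group(2)] = value
    problems = []
    for eid in sorted(set(listed) | set(defined)):
        entry = defined.get(eid, {})
        if eid not in listed:
            problems.append((eid, "not listed in " + PREFIX))
        for field in ("ruleKey", "resourceKey"):
            if not entry.get(field):
                problems.append((eid, "missing " + field))
        if entry.get("ruleKey", "").startswith("squid:"):
            problems.append((eid, "legacy 'squid:' rule prefix"))
        # Assumption: resourceKey holds one path pattern, not a comma list.
        if "," in entry.get("resourceKey", ""):
            problems.append((eid, "resourceKey contains a comma"))
    return problems

if __name__ == "__main__":
    for eid, problem in lint_multicriteria(SAMPLE):
        print(f"{eid}: {problem}")
```

The check only validates how the entries are written; it does not tell you whether the server applies issue exclusions to hotspots.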