How to configure ignoring security hotspots

• which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  SonarQube Developer EditionVersion 8.2 (build 32929)

• what are you trying to achieve
  I’d like to configure SonarQube to ignore some files when identifying Security Hotspots.

• what have you tried so far to achieve this
  I set the analysis scope like this:
  

  

  image1040×291 28.2 KB

I also tried configuring the following in sonar-project.properties, based on this and this.

sonar.issue.ignore.multicriteria=e1,e2

# Ignore "Hard-coded credentials are security-sensitive"
sonar.issue.ignore.multicriteria.e1.ruleKey=squid:S2068
sonar.issue.ignore.multicriteria.e1.resourceKey=acceptance/**/*

# Ignore "Using regular expressions is security-sensitive"
sonar.issue.ignore.multicriteria.e2.ruleKey=squid:S4784
sonar.issue.ignore.multicriteria.e2.resourceKey=acceptance/**/*,assets/**/*

But the scan keeps finding these security hotspots in these files.

Hello,

Java rule keys recently changed and no longer use the “squid” prefix. Can you check on the Rules pages if the rule S2068 still have the “squid” prefix on your SQ DE 8.2?

I’ve got this on my side “java:S2068”:

image1526×321 40.7 KB

In all cases, I suggest you upgrade your Java analyzer to the v6.3 which has better performance. That won’t resolve your ignore security hotspots problem but at least your installation will run better.

Thanks

Dumb mistake on my part: I had just copied “squid” from the example. It should have been “javascript”, but I’m still getting the security hotspot reports for these files.

Now I’ve got the analysis scope configured like this:

image1048×235 14.9 KB

Here’s an example security hotspot report:

image946×493 50 KB

And here’s the corresponding rule (showing the rule key):

image1023×499 61.9 KB