How to configure ignoring security hotspots

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Developer Edition, Version 8.2 (build 32929)

  • what are you trying to achieve
    I’d like to configure SonarQube to ignore some files when identifying Security Hotspots.

  • what have you tried so far to achieve this
    I set the analysis scope like this:

I also tried configuring the following in sonar-project.properties, based on this and this.

sonar.issue.ignore.multicriteria=e1,e2

# Ignore "Hard-coded credentials are security-sensitive"
sonar.issue.ignore.multicriteria.e1.ruleKey=squid:S2068
sonar.issue.ignore.multicriteria.e1.resourceKey=acceptance/**/*

# Ignore "Using regular expressions is security-sensitive"
sonar.issue.ignore.multicriteria.e2.ruleKey=squid:S4784
sonar.issue.ignore.multicriteria.e2.resourceKey=acceptance/**/*,assets/**/*

But the scan keeps finding these security hotspots in these files.

Hello,

Java rule keys recently changed and no longer use the “squid” prefix. Can you check on the Rules page whether the rule S2068 still has the “squid” prefix on your SQ DE 8.2?

I’ve got this on my side “java:S2068”:

In any case, I suggest you upgrade your Java analyzer to v6.3, which has better performance. That won’t resolve your problem of ignoring security hotspots, but at least your installation will run better.

Thanks
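As an added example (not code from this thread or from SonarSource), the script below does the two checks that would have caught the mistake discussed above before a scan was run: it parses the `sonar.issue.ignore.multicriteria` entries from a `sonar-project.properties` fragment, flags any rule key still on the retired `squid:` prefix (Java rules now use `java:`, as the reply notes), and shows which file paths each `resourceKey` pattern would actually cover. The properties text and file list are constructed for the example, and the wildcard matching is an approximation of SonarQube's file-pattern rules (`**` spans directories, `*` and `?` do not), which is an assumption made here. It says nothing about whether the server applies these exclusions to Security Hotspots, which is the open question in the thread.

```python
"""Sanity-check sonar.issue.ignore.multicriteria entries before running a scan.

Added example, not from the original thread or from SonarSource. Pattern
matching approximates SonarQube's wildcard semantics ("**" spans directories,
"*" and "?" stay within one path segment); that approximation is an assumption.
"""
import re

# Constructed sample: the poster's exclusions with the JavaScript rule keys
# they meant to use, plus one entry left on the old prefix to show the check.
SAMPLE_PROPERTIES = """\
sonar.issue.ignore.multicriteria=e1,e2,e3

# Ignore "Hard-coded credentials are security-sensitive"
sonar.issue.ignore.multicriteria.e1.ruleKey=javascript:S2068
sonar.issue.ignore.multicriteria.e1.resourceKey=acceptance/**/*

# Ignore "Using regular expressions is security-sensitive"
sonar.issue.ignore.multicriteria.e2.ruleKey=javascript:S4784
sonar.issue.ignore.multicriteria.e2.resourceKey=assets/**/*

# Legacy key copied from an old example (constructed, for illustration)
sonar.issue.ignore.multicriteria.e3.ruleKey=squid:S2068
sonar.issue.ignore.multicriteria.e3.resourceKey=acceptance/**/*
"""

# Constructed file list standing in for a scanned project (paths relative
# to the project base directory, as SonarQube matches them).
SAMPLE_FILES = [
    "acceptance/login.spec.js",
    "acceptance/helpers/creds.js",
    "assets/vendor/regex-utils.js",
    "src/app.js",
]

PREFIX = "sonar.issue.ignore.multicriteria"


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def multicriteria(props):
    """Return [(id, ruleKey, resourceKey)] for each id named in the master key."""
    ids = [i.strip() for i in props.get(PREFIX, "").split(",") if i.strip()]
    return [
        (i, props.get(f"{PREFIX}.{i}.ruleKey", ""),
         props.get(f"{PREFIX}.{i}.resourceKey", ""))
        for i in ids
    ]


def legacy_rule_keys(entries):
    """Flag rule keys on the retired 'squid:' prefix and suggest 'java:'."""
    findings = []
    for entry_id, rule_key, _ in entries:
        if rule_key.startswith("squid:"):
            findings.append((entry_id, rule_key, "java:" + rule_key[len("squid:"):]))
    return findings


def wildcard_to_regex(pattern):
    """Translate a resourceKey pattern to a regex (approximation, see docstring)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # zero or more directory levels
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):  # anything, including separators
            out.append(".*")
            i += 2
        elif pattern[i] == "*":            # anything within one segment
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":            # one character within a segment
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def covered_files(resource_key, files):
    """Return the files a resourceKey pattern would exclude from the rule."""
    rx = wildcard_to_regex(resource_key)
    return [f for f in files if rx.match(f)]


if __name__ == "__main__":
    entries = multicriteria(parse_properties(SAMPLE_PROPERTIES))
    for entry_id, old, new in legacy_rule_keys(entries):
        print(f"{entry_id}: rule key {old} uses the retired prefix; try {new}")
    for entry_id, rule_key, resource_key in entries:
        print(f"{entry_id} {rule_key} {resource_key} ->",
              covered_files(resource_key, SAMPLE_FILES))
```

Run it against your own `sonar-project.properties` by swapping in the file contents and a `git ls-files` listing; a pattern that covers no files, or a rule key on a prefix the Rules page no longer shows, is the first thing to fix before looking elsewhere.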

Dumb mistake on my part: I had just copied “squid” from the example. It should have been “javascript”, but I’m still getting the security hotspot reports for these files.

Now I’ve got the analysis scope configured like this:

Here’s an example security hotspot report:

And here’s the corresponding rule (showing the rule key):