Inconsistent meaning for Security Hostpot non-vulnerability

ianw · June 10, 2020, 4:51am

SonarQube LTS 7.9.3

Users are confused by the state transition for the type “Security Hotspots”.
From the Docs,

The action is described as:

Resolve as Reviewed - There is no vulnerability in the code.

The target status is described as:

Reviewed – the Security Hotspot has been checked and no security issue was found.

Yet, the state is the UI displays:

Reviewed (Fixed)

If there was “no security issue”, then there was nothing to be “fixed”. It would seem the more appropriate wording should be “Reviewed (Closed)” or “Reviewed (not an issue)”. The latter is probably preferred as what was not an issue today might become one in the future.

May be related to MMF-1251: Issue states should be coherent and understandable

eric.therond · June 10, 2020, 7:26am

Hi @ianw

SonarQube 8.2 introduced a new security-hotspots UI and the documentation has been updated too.

Now the statuses for security-hotspots are:

to review
resolved as fixed
resolved as safe

Eric

ianw · June 10, 2020, 9:35pm

I’m going to guess these states will not be packported to 7.93 LTS at all, will it?

eric.therond · June 11, 2020, 6:47am

Indeed, it’s a completely new UI/workflow, you need to upgrade SonarQube

Eric