Inconsistent meaning for Security Hostpot non-vulnerability

ianw · June 10, 2020, 4:51am

SonarQube LTS 7.9.3

Users are confused by the state transition for the type “Security Hotspots”.
From the Docs,

The action is described as:

Resolve as Reviewed - There is no vulnerability in the code.

The target status is described as:

Reviewed – the Security Hotspot has been checked and no security issue was found.

Yet, the state is the UI displays:

Reviewed (Fixed)

If there was “no security issue”, then there was nothing to be “fixed”. It would seem the more appropriate wording should be “Reviewed (Closed)” or “Reviewed (not an issue)”. The latter is probably preferred as what was not an issue today might become one in the future.

May be related to MMF-1251: Issue states should be coherent and understandable

eric.therond · June 10, 2020, 7:26am

Hi @ianw

SonarQube 8.2 introduced a new security-hotspots UI and the documentation has been updated too.

Now the statuses for security-hotspots are:

to review
resolved as fixed
resolved as safe

Eric

ianw · June 10, 2020, 9:35pm

I’m going to guess these states will not be packported to 7.93 LTS at all, will it?

eric.therond · June 11, 2020, 6:47am

Indeed, it’s a completely new UI/workflow, you need to upgrade SonarQube

Eric

Topic		Replies	Views
Hotspots are both reviewed and not reviewed at the same time? SonarQube Server / Community Build sonarqube , security , security-hotspot	3	985	October 18, 2022
Security hotspot management SonarQube Server / Community Build sonarqube	3	568	December 22, 2022
Security Hotspot needs to be reviewed repeatedly SonarQube Server / Community Build	3	565	December 15, 2020
Security Hotspots that has been marked safe is not reported SonarQube Server / Community Build sonarqube	8	74	September 12, 2024
Fixing/Suppressing Hotspots doesn't improve Security Review Rating SonarQube Server / Community Build security-hotspot	7	2654	January 25, 2023

Inconsistent meaning for Security Hostpot non-vulnerability

Related topics