Inconsistent meaning for Security Hostpot non-vulnerability

SonarQube LTS 7.9.3

Users are confused by the state transition for the type “Security Hotspots”.
From the Docs,

The action is described as:

Resolve as Reviewed - There is no vulnerability in the code.

The target status is described as:

Reviewed – the Security Hotspot has been checked and no security issue was found.

Yet, the state is the UI displays:

Reviewed (Fixed)

If there was “no security issue”, then there was nothing to be “fixed”. It would seem the more appropriate wording should be “Reviewed (Closed)” or “Reviewed (not an issue)”. The latter is probably preferred as what was not an issue today might become one in the future.

May be related to MMF-1251: Issue states should be coherent and understandable

Hi @ianw

SonarQube 8.2 introduced a new security-hotspots UI and the documentation has been updated too.

Now the statuses for security-hotspots are:

  • to review
  • resolved as fixed
  • resolved as safe

Eric

I’m going to guess these states will not be packported to 7.93 LTS at all, will it?

Indeed, it’s a completely new UI/workflow, you need to upgrade SonarQube

Eric