Issue with Inheriting Reviewed Security Hotspots from Master Branch

virender.singh · September 20, 2024, 4:36am

Hello Sonar Community,

We have encountered an issue where our SonarQube instance has stopped inheriting reviewed security hotspots from the master branch. Here are the details:

SonarQube Version: Community Edition v10.6 (92116)
Issue Observed: Five days ago, all security issues were correctly inherited from the master branch. However, without any configuration changes on our end, this inheritance has stopped.
Impact: The Quality Gate is now failing, requiring us to review the security hotspots again.
Troubleshooting Steps Taken: We have tried removing the branch from SonarQube and creating a new one, but this did not resolve the issue.

Expected Behavior: Reviewed security hotspots should be inherited from the master branch, maintaining the Quality Gate status.

Actual Behavior: Reviewed security hotspots are not being inherited from the master branch, causing the Quality Gate to fail and requiring a re-review of the security hotspots.

Is this a known issue? Are there any additional steps we can take to resolve this?

Thank you for your assistance.

ganncamp · September 23, 2024, 2:37pm

Hi,

Per the docs,

security hotspots are not synchronized.

What kind of synchronization were you seeing?

Ann

virender.singh · September 25, 2024, 10:08am

Hi Ann,

i am checking with users for the same , will update the case shortly

virender.singh · October 14, 2024, 3:47am

All the security hotspots are reviewed - 100%. In the message below there is an information ‘The issue has been copied from branch ‘master’ to branch ‘release/2.16.0’’ That is the expected behavior.

As of today, it is working again. It seems like a random issue, and I would like to make sure it does not happen again. We did not make configuration changes and the Sonar works differently each time. Can we make something on our side? Now, on the sonar community and docs, I see it should not be inherited at all

I open the doc and see the following:

Which is contradicting to what I see in actual behavior.

ganncamp · October 14, 2024, 12:18pm

Hi,

I really don’t know what to tell you. As you and I have both pointed out, Security Hotspots aren’t expected to be synchronized, so it looks like you sometimes get a bonus behavior.

Ann

Julien_HENRY · October 25, 2024, 12:31pm

Hi,

We double-checked and security hotspot status are actually synchronized between branches:

We will update the documentation.

Regarding your initial problem where the synchronization did not happen, it might be caused by multiple factors. One common case where issue sync between branches is not working is when files have been renamed.
Another case could be multiple levels of branch “forking”. Like master → branchA → branchB.

If you can reproduce it again, feel free to re-open a thread, and we can try to investigate.