Issue with Inheriting Reviewed Security Hotspots from Master Branch

SonarQube Server / Community Build
1

Hello Sonar Community,

We have encountered an issue where our SonarQube instance has stopped inheriting reviewed security hotspots from the master branch. Here are the details:

  • SonarQube Version: Community Edition v10.6 (92116)
  • Issue Observed: Five days ago, all security issues were correctly inherited from the master branch. However, without any configuration changes on our end, this inheritance has stopped.
  • Impact: The Quality Gate is now failing, requiring us to review the security hotspots again.
  • Troubleshooting Steps Taken: We have tried removing the branch from SonarQube and creating a new one, but this did not resolve the issue.

Expected Behavior: Reviewed security hotspots should be inherited from the master branch, maintaining the Quality Gate status.

Actual Behavior: Reviewed security hotspots are not being inherited from the master branch, causing the Quality Gate to fail and requiring a re-review of the security hotspots.

Is this a known issue? Are there any additional steps we can take to resolve this?

Thank you for your assistance.

2

Hi,

Per the docs,

security hotspots are not synchronized.

What kind of synchronization were you seeing?

 
Ann

3

Hi Ann,

i am checking with users for the same , will update the case shortly

4

All the security hotspots are reviewed - 100%. In the message below there is an information ‘The issue has been copied from branch ‘master’ to branch ‘release/2.16.0’’ That is the expected behavior.

image
image1707×634 80 KB

As of today, it is working again. It seems like a random issue, and I would like to make sure it does not happen again. We did not make configuration changes and the Sonar works differently each time. Can we make something on our side? Now, on the sonar community and docs, I see it should not be inherited at all

I open the doc and see the following:

image
image1045×270 24.6 KB

Which is contradicting to what I see in actual behavior.

5

Hi,

I really don’t know what to tell you. As you and I have both pointed out, Security Hotspots aren’t expected to be synchronized, so it looks like you sometimes get a bonus behavior.

 
Ann

8

Hi,

We double-checked and security hotspot status are actually synchronized between branches:

image
image816×581 46.9 KB

We will update the documentation.

Regarding your initial problem where the synchronization did not happen, it might be caused by multiple factors. One common case where issue sync between branches is not working is when files have been renamed.
Another case could be multiple levels of branch “forking”. Like master → branchA → branchB.

If you can reproduce it again, feel free to re-open a thread, and we can try to investigate.

1 Like