Issues API does not return security hotspots when passing a severity

Tested with: SonarQube version 7.9.1 (build 27448) and sonarcloud.io.

Error observed: issues API does not return security hotspots when severity parameter is used.

Steps to reproduce:

Potential workaround: make multiple calls to the issues API to retrieve security hotspots and other issues separately.
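The two-call workaround described above, written out as an added example (this is not code from the original post or from SonarSource). It assumes the SonarQube 7.9 `api/issues/search` parameters `componentKeys`, `severities`, `types`, `ps` and `p` and the `paging` object in the response; the sample issues and the `fake_sonar_get` stand-in for the server are constructed here so the script runs offline, and they reproduce the reported behaviour that a `severities` filter silently drops hotspots.

```python
"""Workaround for the behaviour reported above: fetch severity-filtered
issues and security hotspots in two separate api/issues/search calls.

Added example, not code from the original post or from SonarSource.
Assumed: the SonarQube 7.9 Web API parameters componentKeys, severities,
types, ps and p, and the "paging" object in the response.
"""
import base64
import json
import urllib.parse
import urllib.request

ISSUE_TYPES = ("BUG", "VULNERABILITY", "CODE_SMELL")


def http_get(url, token=None):
    """GET a JSON document; a user token is sent as the basic-auth username."""
    req = urllib.request.Request(url)
    if token:
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search_all(base_url, params, token=None, get=http_get, page_size=500):
    """Page through api/issues/search and return every matching issue.

    The server caps ps at 500 and refuses p * ps above 10000; narrow the
    query (e.g. by componentKeys) if paging.total is larger than that.
    """
    issues, page = [], 1
    while True:
        query = dict(params, ps=page_size, p=page)
        url = (base_url.rstrip("/") + "/api/issues/search?"
               + urllib.parse.urlencode(query))
        body = get(url, token)
        issues.extend(body.get("issues", []))
        paging = body["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return issues
        page += 1


def issues_with_severity(base_url, project_key, severities,
                         token=None, get=http_get, page_size=500):
    """Severity-filtered issues plus all hotspots of one project.

    Call 1 carries the severities filter, so hotspots (which have no
    severity) are excluded; call 2 fetches hotspots with no severity
    filter at all. Results are de-duplicated on issue key.
    """
    base = {"componentKeys": project_key}
    filtered = search_all(base_url, dict(base, severities=",".join(severities),
                                         types=",".join(ISSUE_TYPES)),
                          token, get, page_size)
    hotspots = search_all(base_url, dict(base, types="SECURITY_HOTSPOT"),
                          token, get, page_size)
    seen, merged = set(), []
    for issue in filtered + hotspots:
        if issue["key"] not in seen:
            seen.add(issue["key"])
            merged.append(issue)
    return merged


# Constructed sample data and a stand-in for the server, so the example
# runs offline. Hotspots carry no "severity" field, as the thread explains.
SAMPLE_ISSUES = [
    {"key": "AX1", "type": "BUG", "severity": "BLOCKER", "rule": "example:R1"},
    {"key": "AX2", "type": "CODE_SMELL", "severity": "MINOR", "rule": "example:R2"},
    {"key": "AX3", "type": "VULNERABILITY", "severity": "BLOCKER", "rule": "example:R3"},
    {"key": "AX4", "type": "SECURITY_HOTSPOT", "rule": "example:R4"},
    {"key": "AX5", "type": "SECURITY_HOTSPOT", "rule": "example:R5"},
]


def fake_sonar_get(url, token=None):
    """Mimics the reported 7.9 behaviour: a severities filter drops every hotspot."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    rows = list(SAMPLE_ISSUES)
    if "types" in query:
        wanted = set(query["types"][0].split(","))
        rows = [i for i in rows if i["type"] in wanted]
    if "severities" in query:
        wanted = set(query["severities"][0].split(","))
        rows = [i for i in rows if i.get("severity") in wanted]
    ps, p = int(query["ps"][0]), int(query["p"][0])
    return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(rows)},
            "issues": rows[(p - 1) * ps:p * ps]}


if __name__ == "__main__":
    one_call = search_all("http://sonar.example", {"componentKeys": "demo",
                          "severities": "BLOCKER"}, get=fake_sonar_get)
    two_calls = issues_with_severity("http://sonar.example", "demo",
                                     ["BLOCKER"], get=fake_sonar_get)
    print("single call:", [i["key"] for i in one_call])   # hotspots missing
    print("two calls:  ", [i["key"] for i in two_calls])  # hotspots included
```

Against a real server, pass the instance URL, the project key and a user token and drop the `get=fake_sonar_get` argument; `http_get` then performs the requests. Keep in mind that hotspots in the merged list have no `severity` key, so downstream code that reads `issue["severity"]` unconditionally should use `.get()` instead.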

Hi,

That’s because Hotspots don’t have a severity. I think of them as Schroedinger’s Vulnerabilities - might be a problem, might not; you won’t know until you look. So (to extend the metaphor) just like Schroedinger’s cat is either dead or not (not Blocker/really dead or Info/a little dead), Hotspots are either problems or they’re not, and severity just isn’t appropriate in this context.

HTH,
Ann

Hi Ann,

That makes sense. Maybe this can be added to the API documentation? For example: "Note that if you specify one or more severities, no issues of type ‘security hotspot’ will be returned, because security hotspots have no severity."

Thanks, Frank
