I’m using SonarQube 8.5 and I need to fail the quality gate when an owasp security hotspot issue is detected.
“Revised Security Hotspot is less than 100%” cannot be used, as it includes low severity issues and other security categories.
How could I do this?
Here are my suggestions.
First you should think about using the latest version of SonarQube to get the latest version of our security engines. It’s more than recommended also to think about upgrading to SonarQube Developer Edition to get our taint rules, which come on top of the default rules provided with SonarQube Community Edition and provide everything you need to assess your coverage against the OWASP Top 10 2017.
If you really want to make sure all Security Hotspots + Vulnerabilities related to OWASP are handled and none of them stay open before you can release, then the best is to create a custom Quality Profile where you will activate only these rules. You can do that easily by using the “tags” filter and selecting the rules with an “owasp-ax” tag.
Then you should create a custom Quality Gate where you will say:
The situation is more complicated.
That kind of custom Quality Profile is not the solution because I need the default rules, for example java, plus I need to stop the security hotspots > major (I would prefer just the owasp type but that’s not a problem).
A Quality Gate like this
works only with issues but ignores security hotspots.
Furthermore, the condition “Security Hotspots Reviewed is less than 100%” is too strict; it would block hotspots with minor severity.
We have the same issue, and need what Francesco asked for in the follow-up question. Is there any way to address these concerns: stop security hotspots > [some level] and change the strictness of “Security Hotspots reviewed” so that it can accommodate skipping minor ones rather than depending on % reviewed? Something like “Security Hotspots > [Level] Reviewed is less than [%]” would work great for us.
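Since the built-in Quality Gate cannot express “open hotspots at or above a given level”, one workaround is a post-scan step in the pipeline that queries the hotspots and fails the build on that condition. The script below is an added example written for this thread, not code from SonarSource; it assumes the SonarQube 8.x Web API endpoint api/hotspots/search with a status=TO_REVIEW filter and a vulnerabilityProbability field (HIGH/MEDIUM/LOW) on each hotspot, and the sample response is constructed.

```python
"""Post-scan gate: fail the build when an unreviewed Security Hotspot at or above
a chosen vulnerability probability is still open. Endpoint name and response
fields are assumptions about the SonarQube 8.x Web API, not taken from the thread."""
import json
import urllib.request
from base64 import b64encode

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def blocking_hotspots(hotspots, min_level="MEDIUM"):
    """Return hotspots still TO_REVIEW whose vulnerabilityProbability >= min_level."""
    threshold = LEVELS[min_level.upper()]
    return [h for h in hotspots
            if h.get("status") == "TO_REVIEW"
            and LEVELS.get(h.get("vulnerabilityProbability", "LOW"), 1) >= threshold]


def gate_result(hotspots, min_level="MEDIUM"):
    """Exit-code style result: (0, []) passes, (1, offenders) fails the pipeline."""
    blocking = blocking_hotspots(hotspots, min_level)
    return (1 if blocking else 0), blocking


def fetch_open_hotspots(base_url, project_key, token):
    """Page through api/hotspots/search (assumed endpoint) with a user token."""
    auth = b64encode(f"{token}:".encode()).decode()  # token as Basic-auth username
    found, page = [], 1
    while True:
        url = (f"{base_url}/api/hotspots/search?projectKey={project_key}"
               f"&status=TO_REVIEW&ps=500&p={page}")
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        found.extend(data["hotspots"])
        if page * data["paging"]["pageSize"] >= data["paging"]["total"]:
            return found
        page += 1


# Constructed sample in the shape of an api/hotspots/search response (not real data).
SAMPLE = json.loads("""{"paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
 "hotspots": [
  {"key": "h1", "ruleKey": "java:S2077", "vulnerabilityProbability": "HIGH",
   "status": "TO_REVIEW", "component": "app:src/Dao.java", "line": 42},
  {"key": "h2", "ruleKey": "java:S4507", "vulnerabilityProbability": "LOW",
   "status": "TO_REVIEW", "component": "app:src/Main.java", "line": 7},
  {"key": "h3", "ruleKey": "java:S2245", "vulnerabilityProbability": "MEDIUM",
   "status": "REVIEWED", "component": "app:src/Rng.java", "line": 19}]}""")

if __name__ == "__main__":
    code, offenders = gate_result(SAMPLE["hotspots"], "MEDIUM")
    for h in offenders:
        print(f"{h['vulnerabilityProbability']} {h['ruleKey']} {h['component']}:{h['line']}")
    raise SystemExit(code)  # non-zero exit fails the CI job after the scan
```

In a real pipeline, replace SAMPLE with fetch_open_hotspots(url, project_key, token) and run the script after the sonar-scanner step; restricting it to OWASP rules would additionally require looking up each ruleKey's tags, which the sample does not do.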