- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Version 7.7
- what are you trying to achieve
As part of an ask from my employer they would like to capture the total vulnerabilities in SonarQube from the previous week. For example, in week 1 say there are already 20 vulnerabilities in SonarQube. During week 1 an additional 10 vulnerabilities were created giving us a total of 30. Also, during that week let's say 6 are closed as false-positives, 9 are closed as won't-fix and 2 are closed as fixed. Our total vulnerabilities in SonarQube after that are now 13.
The issue here is that when we pull the SonarQube issues into an Excel sheet for analysis I have no way of pulling the total vulnerabilities from a fixed point in time. Ideally… I'd like to know what was the TOTAL vulnerabilities (both outstanding and newly created) from last week, thus the 30 vulnerabilities I mentioned earlier. Using the SonarQube APIs there is only a way to pull current numbers and not numbers from a fixed date in the timeline that I've seen.
There is also an additional problem of vulnerabilities changing their resolution or status as they're worked on by R&D. As vulnerabilities' state (resolution, status) changes, I have not found a way to correlate them back to the previous week. The only way I have found this to be possible was if the vulnerability was in fact created during the previous week and thus I can filter by the creation_date column in the API. However, like in my example, if we have 20 outstanding vulnerabilities from say several months ago that were closed, marked as false-positive, etc… during the previous week then I have no way of knowing they should be counted as part of the TOTAL vulnerability count for the previous week.
Also, filtering by updated date could be an option but from what I’ve seen filtering by updated_date seems to produce incorrect results especially when trying to pull items whose resolution is now labeled under false-positive, removed, fixed, and won’t-fix.
I would love to have a discussion with anyone who has worked on a similar issue like this before. I'm happy to share in more detail what I've tried so far, but what I wrote above should give you a general idea of the issue I am looking to resolve.
Thank you for the help!
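The weekly accounting described in the post (carried-over open vulnerabilities plus those created during the week, minus those resolved during the week, broken down by resolution) can be reconstructed in a few lines once each issue carries a creation timestamp and a resolution timestamp. The script below is an added example, not code from the poster or from SonarSource; its issue records are constructed to match the 20/10/6/9/2 scenario above and are shaped like `api/issues/search` hits, except for `closed_at`, which is an assumed field: SonarQube only sets `closeDate` on CLOSED issues, so for RESOLVED ones (false-positive, won't-fix) a real script would have to derive that timestamp from the issue changelog rather than from `updateDate`, which moves on any edit.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# SonarQube's web API emits timestamps like 2019-06-03T10:15:00+0000
SONAR_DATE_FMT = "%Y-%m-%dT%H:%M:%S%z"


def parse_sonar_date(value):
    """Parse a SonarQube API timestamp into an aware datetime."""
    return datetime.strptime(value, SONAR_DATE_FMT)


def make_issue(key, created, status, resolution=None, closed_at=None):
    """Build one constructed record shaped like an api/issues/search hit.
    'closed_at' is an ASSUMED field (derived e.g. from api/issues/changelog);
    it is not a field the search endpoint returns for RESOLVED issues."""
    return {
        "key": key,
        "type": "VULNERABILITY",
        "status": status,
        "resolution": resolution,
        "creationDate": created.strftime(SONAR_DATE_FMT),
        "closed_at": closed_at.strftime(SONAR_DATE_FMT) if closed_at else None,
    }


# Constructed reporting window and sample timestamps (not real data).
WEEK_START = datetime(2019, 6, 3, tzinfo=timezone.utc)
WEEK_END = WEEK_START + timedelta(days=7)
MONTHS_AGO = WEEK_START - timedelta(days=90)
MID_WEEK = WEEK_START + timedelta(days=3)


def build_sample_issues():
    """Reproduce the post's scenario: 20 old + 10 new, 6 FP / 9 won't-fix / 2 fixed."""
    issues = []
    dispositions = ["FALSE-POSITIVE"] * 6 + ["WONTFIX"] * 9 + ["FIXED"] * 2 + [None] * 3
    for i, res in enumerate(dispositions):
        if res is None:
            issues.append(make_issue(f"OLD-{i}", MONTHS_AGO, "OPEN"))
        elif res == "FIXED":
            issues.append(make_issue(f"OLD-{i}", MONTHS_AGO, "CLOSED", res, MID_WEEK))
        else:
            issues.append(make_issue(f"OLD-{i}", MONTHS_AGO, "RESOLVED", res, MID_WEEK))
    for i in range(10):
        issues.append(make_issue(f"NEW-{i}", MID_WEEK, "OPEN"))
    # Edge cases: one vulnerability closed before the week (must not count),
    # and one code smell (wrong type, must not count).
    issues.append(make_issue("OLD-STALE", MONTHS_AGO, "CLOSED", "FIXED",
                             WEEK_START - timedelta(days=2)))
    smell = make_issue("SMELL-1", MID_WEEK, "OPEN")
    smell["type"] = "CODE_SMELL"
    issues.append(smell)
    return issues


def weekly_vulnerability_report(issues, week_start, week_end):
    """total = open at week start (carried over) + created during the week;
    remaining = total - resolved/closed during the week, by resolution."""
    carried = created = 0
    closed = Counter()
    for issue in issues:
        if issue["type"] != "VULNERABILITY":
            continue
        created_at = parse_sonar_date(issue["creationDate"])
        closed_at = parse_sonar_date(issue["closed_at"]) if issue["closed_at"] else None
        if created_at >= week_end:
            continue  # did not exist yet during this week
        if closed_at is not None and closed_at < week_start:
            continue  # already gone before the week started
        if created_at < week_start:
            carried += 1
        else:
            created += 1
        if closed_at is not None and closed_at < week_end:
            closed[issue["resolution"]] += 1
    total = carried + created
    return {
        "carried_over": carried,
        "created": created,
        "total": total,
        "closed": dict(closed),
        "remaining": total - sum(closed.values()),
    }


if __name__ == "__main__":
    print(weekly_vulnerability_report(build_sample_issues(), WEEK_START, WEEK_END))
```

The window test is half-open (`week_start <= t < week_end`) so consecutive weeks never double-count an issue, and an issue is only attributed to the week if it was alive at some point inside it, which is exactly the "outstanding and newly created" total the post asks for.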