Returning false-positives? (Security Hotspots to review)

we’re witnessing the following issue and asking for help: One of our services/projects has currently 28 Security Hotspots to review. According to experts, even if FPs are marked, they are returning again and again.
Any explanation/reasoning/knowledge about this behavior? Setting of SQ that’s not right?

SQ Version is Developer Edition 8.2 (build 32929)

Hi Ludwig,

As of version 8.2, there is a dedicated space to review Security Hotspots. Marking them as “Safe” or “Fixed” will resolve them and they should not re-open on subsequent scans. They will also disappear on a subsequent scan if the code is removed or changed so that it no longer triggers a Security Hotspot.

Please confirm that your team is doing using the interface to mark these as “Safe” or “Fixed”. Note that there is no “False Positive” choice. If they are resolving properly and seeing unexpected re-opens, can you provide a sample of the code you are seeing this in so I can investigate further?



1 Like

Thanks Brian for quick reply. I come back a bit late to your answer. Yes, teams are using the interface to mark ‘Safe’ or ‘Fixed’, however this needs tweaking on the moral side in next weeks or months. If I have a concrete example, I will report back. Regards

I have the following figures: The number of fps is really high. Where to look next? Apparently they keep popping up without disappearing (being accepted by SQ?)… any ideas? BR


Hi Ludwig,

The report you are looking at are not for Security Hotspots, but for other types of issues (Code Smells, Bugs and Vulnerabilities). In these cases, developers are manually marking Issues as False Positive and I would speak to the individual developers (or look at the comments) to see why they are marking them. You can use the Assignee filter to see who is marking them.

If you determine certain Rules are “noisy” for developers, you should consider removing them from your Quality Profile(s).