Hi everyone,
Before SonarQube 8.4.2 inclusive, all ‘Rules’ \ ‘Issues’ that had CWE IDs were assigned to ‘Security Category > CWE’,
and if ‘Rules’ \ ‘Issues’ were not associated, they were assigned to ‘No CWE associated’.
In SonarQube 8.5.1, this behavior changed. Now only ‘Rules’ \ ‘Issues’ that have the ‘Vulnerability’ or ‘Security HotSpot’ type fall into the ‘Security Category’ tab. It turns out that if a rule of the ‘Bug’ \ ‘Code Smell’ type has the securityStandards fields filled in, it doesn’t get into the ‘Security Category’ tab in any way.
Example:
the rule from sonar-java > java:S3655, CWE-476, Optional value should only be accessed after calling isPresent()
SonarQube 8.4.2:
SonarQube 8.5.1:
Is this behavior expected in SonarQube 8.5.1, or is it a bug?