'Rules \ Issues' of the 'Bug' \ 'Code Smell' type do not fall into the "Security category" tab when filtering

Hi everyone,

Before SonarQube 8.4.2 inclusive, all ‘Rules’ \ ‘Issues’ that had CWE IDs were assigned to ‘Security Category > CWE’,
and if ‘Rules’ \ ‘Issues’ were not associated, they were assigned to ‘No CWE associated’.

In SonarQube 8.5.1, this behavior changed. Now only ‘Rules’ \ ‘Issues’ that have the ‘Vulnerability’ or ‘Security Hotspot’ type fall into the ‘Security Category’ tab. It turns out that if a rule of the ‘Bug’ \ ‘Code Smell’ type has the securityStandards fields filled in, it doesn’t get into the ‘Security Category’ tab in any way.

Example:
the rule from sonar-java > java:S3655, CWE-476, Optional value should only be accessed after calling isPresent()
SonarQube 8.4.2:

SonarQube 8.5.1:

Is this behavior expected in SonarQube 8.5.1, or is it a bug?

Hey there.

Thanks for posting!

This is an expected change: SONAR-12459

Since we named the facet “Security Category”, we would not expect it to be used to find CWE-476, so it is only used to find security-related issues/rules. The expected behavior is to only be able to filter to security-related CWE.

Thank you very much!
