I am using SonarQube server v9.4 Enterprise.
We’ve recently discovered that status updates, comments, etc. being made to specific Security Hotspots are not kept when new versions of a project are scanned by SonarQube.
i.e., in project version 1.0 the Security Hotspots are set to “Safe” and comments are added for justification, but when version 2.0 of the project is scanned those same Security Hotspots are brought back as if they were never addressed.
From what I understand this is intentional on SonarQube’s part, given that security hotspots are intended to highlight potential security vulnerabilities or weaknesses in the code that need to be manually reviewed and addressed with each new scan.
However, in this particular case, persisting our edits to certain security hotspots seems somewhat necessary.
All that to say, is there a preferred or recommended method for persisting Security Hotspots across scanned project versions in SonarQube? (At the moment, we are possibly looking at SonarQube’s internal API to achieve this: SonarQube)
Thank you!
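One way to approach the carry-over described in the question, as an added example that is not part of the original post and not SonarQube's own code: pull the hotspots of the previously reviewed version and of the new version through the Web API, match them by rule key, file path and message (line numbers drift between versions, so they are deliberately ignored), and replay the earlier REVIEWED status, resolution and justification comment onto the new hotspot keys. The response field names (`key`, `component`, `ruleKey`, `message`, `status`, `resolution`, `comments`), the `api/hotspots/search` and `api/hotspots/change_status` endpoints, the two project keys `app-v1` and `app-v2`, and the sample hotspot data are all assumptions or constructed for this example; anything matching more than one hotspot in either version is skipped rather than guessed, so a reviewer still has to look at those.

```python
"""Carry reviewed Security Hotspot decisions from one scanned project version to the next.

Added example, not SonarQube's code. Assumptions:
  - api/hotspots/search returns {"hotspots": [{key, component, ruleKey, message, line,
    status, resolution}, ...]}; "comments" is taken from api/hotspots/show and merged in.
  - api/hotspots/change_status accepts form fields hotspot, status, resolution, comment.
  - The two versions were scanned under different project keys (app-v1 and app-v2).
"""
import base64
from collections import Counter
import urllib.parse
import urllib.request

# Constructed sample of hotspots from the previously reviewed version (app-v1).
OLD_SCAN = [
    {"key": "AX1", "component": "app-v1:src/db.py", "ruleKey": "python:S2077",
     "message": "Make sure using a dynamically formatted SQL query is safe here.",
     "line": 12, "status": "REVIEWED", "resolution": "SAFE",
     "comments": [{"markdown": "Input is an int taken from an enum, not user data."}]},
    {"key": "AX2", "component": "app-v1:src/crypto.py", "ruleKey": "python:S4790",
     "message": "Make sure this weak hash algorithm is not used in a sensitive context here.",
     "line": 40, "status": "TO_REVIEW"},
    # Two look-alike hotspots in one file: the match would be ambiguous, so they are skipped.
    {"key": "AX3", "component": "app-v1:src/util.py", "ruleKey": "python:S5443",
     "message": "Make sure publicly writable directories are used safely here.",
     "line": 5, "status": "REVIEWED", "resolution": "FIXED"},
    {"key": "AX4", "component": "app-v1:src/util.py", "ruleKey": "python:S5443",
     "message": "Make sure publicly writable directories are used safely here.",
     "line": 9, "status": "REVIEWED", "resolution": "SAFE"},
]

# Constructed sample of the same code scanned as a new version (app-v2); lines have shifted.
NEW_SCAN = [
    {"key": "BY1", "component": "app-v2:src/db.py", "ruleKey": "python:S2077",
     "message": "Make sure using a dynamically formatted SQL query is safe here.",
     "line": 15, "status": "TO_REVIEW"},
    {"key": "BY2", "component": "app-v2:src/crypto.py", "ruleKey": "python:S4790",
     "message": "Make sure this weak hash algorithm is not used in a sensitive context here.",
     "line": 41, "status": "TO_REVIEW"},
    {"key": "BY3", "component": "app-v2:src/util.py", "ruleKey": "python:S5443",
     "message": "Make sure publicly writable directories are used safely here.",
     "line": 5, "status": "TO_REVIEW"},
    {"key": "BY4", "component": "app-v2:src/new.py", "ruleKey": "python:S2077",
     "message": "Make sure using a dynamically formatted SQL query is safe here.",
     "line": 3, "status": "TO_REVIEW"},
]


def file_path(component: str) -> str:
    """Strip the 'projectKey:' prefix so paths compare across different project keys."""
    return component.split(":", 1)[1] if ":" in component else component


def fingerprint(hotspot: dict) -> tuple:
    """Identity of a hotspot that survives re-scans: rule + file + message, never the line."""
    return (hotspot["ruleKey"], file_path(hotspot["component"]), hotspot.get("message", ""))


def plan_carryover(old_hotspots: list, new_hotspots: list) -> list:
    """Return change_status payloads for new hotspots whose counterpart was already reviewed.

    Fingerprints that occur more than once in either version are left for manual review.
    """
    old_counts = Counter(fingerprint(h) for h in old_hotspots)
    new_counts = Counter(fingerprint(h) for h in new_hotspots)
    reviewed = {fingerprint(h): h for h in old_hotspots if h.get("status") == "REVIEWED"}

    plan = []
    for h in new_hotspots:
        fp = fingerprint(h)
        if h.get("status") == "REVIEWED" or fp not in reviewed:
            continue
        if old_counts[fp] > 1 or new_counts[fp] > 1:
            continue  # ambiguous match: do not guess which decision belongs where
        prev = reviewed[fp]
        notes = " ".join(c.get("markdown", "") for c in prev.get("comments", [])).strip()
        comment = (f"Carried over from hotspot {prev['key']} in the previous version; "
                   f"re-verify if this code changed. {notes}").strip()
        plan.append({"hotspot": h["key"], "status": "REVIEWED",
                     "resolution": prev["resolution"], "comment": comment})
    return plan


def apply_plan(base_url: str, token: str, plan: list, dry_run: bool = True) -> list:
    """POST each change to api/hotspots/change_status; with dry_run only the bodies are returned."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # token as basic-auth username
    bodies = []
    for change in plan:
        body = urllib.parse.urlencode(change)
        bodies.append(body)
        if dry_run:
            continue
        req = urllib.request.Request(f"{base_url}/api/hotspots/change_status",
                                     data=body.encode(), method="POST")
        req.add_header("Authorization", f"Basic {auth}")
        with urllib.request.urlopen(req) as resp:  # raises on non-2xx
            resp.read()
    return bodies


def demo_plan() -> list:
    """Plan computed over the constructed sample data (no network access)."""
    return plan_carryover(OLD_SCAN, NEW_SCAN)


if __name__ == "__main__":
    for change in demo_plan():
        print(change)
    print(apply_plan("https://sonarqube.example", "<token-placeholder>", demo_plan(), dry_run=True))
```

Run with `dry_run=True` first and read the planned changes: only `BY1` is carried over in the sample, because `BY2` was never reviewed, `BY3` matches two earlier hotspots, and `BY4` is new code. The comment records which earlier hotspot the decision came from, so the audit trail survives even though the hotspot key changed.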