Security hotspot issues fail quality gate


(Stephan Schuster) #1

Hi,

In SonarQube 7.4, issues of type Security Hotspot seem to fail quality gates defined on the issue metrics (blocker issues, critical issues, etc.). As I understand the documentation (https://docs.sonarqube.org/latest/user-guide/security-reports/), this should only happen when a security hotspot issue has been marked as detected. This would be consistent with the issues view, where issues of type Security Hotspot are hidden.

Is this a bug, or am I missing something here?

Best regards
Stephan


(Nicolas Harraudeau) #3

[EDIT: I had misunderstood the original question. This answer is not related to it]

Hi @stephan.schuster,

Thank you for your feedback.

There is indeed a bug in version 7.9 of SonarC# and SonarVB which was released last week. Just as you said, Security Hotspots should never impact the quality gate, except when they are “detected” as Vulnerabilities. We are currently working on a fix.

The bug report is available here: https://github.com/SonarSource/sonar-dotnet/issues/2131

In the mean time you can either:

  • revert to the previous version of the SonarC#/SonarVB plugin.
  • deactivate external roslyn issues like this: Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option.
  • Create a copy of the SonarWay Quality Profile and disable the Security Hotspot rules for C# and VB .Net.

I would personally recommend the second option as it can easily be reset once we release fixed plugins.

We apologize for the inconvenience.

I will let you know as soon as the plugins are fixed.

Best regards,
Nicolas


(Stephan Schuster) #4

Hi Nicolas,

thanks for the quick reply.

I forgot to mention that the problem occurs with Java projects. Do you know of a similar bug in the Java analyzer? We are using version 5.9.2 (build 16552).

Many thanks in advance & best regards,
Stephan


(Nicolas Harraudeau) #5

Excuse me, as I misunderstood your first question and my answer was not related to your problem.

You are right that Security Hotspots should never impact the Quality Gate, whatever the language used. I created the corresponding ticket: https://jira.sonarsource.com/browse/SONAR-11555.

In the meantime you can use the "blocker issues" metric in your quality gate, as security hotspots never have this severity level. It is also possible to use the "Bugs", "New Bugs", "Code Smells", etc. metrics.

I hope this answers your question.

Best Regards,
Nicolas
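The workaround from the reply above, as an added example that is not code from this thread or from SonarSource: a small bash script that creates a Quality Gate whose conditions use only metrics that Security Hotspots cannot trip (blocker issues, new bugs) and assigns it to a project through the SonarQube Web API, so the bug in SONAR-11555 cannot fail the gate in the meantime. The endpoint names (api/qualitygates/create, create_condition, select), the gateId parameter (SonarQube 7.x; later releases use gateName instead), the metric keys blocker_violations and new_bugs, and the SONAR_HOST, SONAR_TOKEN and SONAR_PROJECT variables are assumptions to verify against your own server's /web_api page before use.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from SonarSource): build a Quality Gate
# that only uses metrics Security Hotspots cannot influence, via the Web API.
# Assumptions: SonarQube 7.x parameter names (gateId; newer releases use gateName),
# a user token in SONAR_TOKEN, a project key in SONAR_PROJECT.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"

# Metrics the reply above names as safe: hotspots never reach BLOCKER severity
# and are not counted as Bugs or Code Smells. Anything else is rejected here.
hotspot_safe_metric() {
  case "$1" in
    blocker_violations|bugs|new_bugs|code_smells|new_code_smells) return 0 ;;
    *) return 1 ;;
  esac
}

# Form body for api/qualitygates/create_condition (op is GT or LT, error is the threshold).
qg_condition_data() {
  local gate_id="$1" metric="$2" op="$3" error="$4"
  printf 'gateId=%s&metric=%s&op=%s&error=%s' "$gate_id" "$metric" "$op" "$error"
}

# POST to the Web API; a token is sent as the username with an empty password.
sonar_post() {
  local path="$1" data="$2"
  curl -sSf -u "${SONAR_TOKEN}:" -X POST "${SONAR_HOST}/api/${path}" --data "$data"
}

# Create the gate, add hotspot-safe conditions, and assign it to one project.
create_workaround_gate() {
  local name="$1" project="$2" gate_id spec rest metric op error
  # api/qualitygates/create answers with JSON containing "id" (numeric in 7.x,
  # a quoted string in later releases); extract it either way.
  gate_id="$(sonar_post qualitygates/create "name=${name}" \
    | sed -n 's/.*"id":"\{0,1\}\([^,"]*\)"\{0,1\}.*/\1/p')"
  [ -n "$gate_id" ] || { echo "could not create quality gate ${name}" >&2; return 1; }

  for spec in "blocker_violations GT 0" "new_bugs GT 0"; do
    metric="${spec%% *}"; rest="${spec#* }"; op="${rest%% *}"; error="${rest#* }"
    hotspot_safe_metric "$metric" || { echo "refusing hotspot-sensitive metric ${metric}" >&2; return 1; }
    sonar_post qualitygates/create_condition \
      "$(qg_condition_data "$gate_id" "$metric" "$op" "$error")" >/dev/null
  done

  sonar_post qualitygates/select "gateId=${gate_id}&projectKey=${project}" >/dev/null
  echo "gate ${gate_id} (${name}) assigned to ${project}"
}

# Only talk to a server when credentials are configured; otherwise just define the helpers.
if [ -n "${SONAR_TOKEN:-}" ] && [ -n "${SONAR_PROJECT:-}" ]; then
  create_workaround_gate "Hotspot-safe gate" "$SONAR_PROJECT"
else
  echo "set SONAR_TOKEN and SONAR_PROJECT to create the gate" >&2
fi
```

Once the SonarQube fix for SONAR-11555 is deployed, the project can be switched back to the Sonar way gate with the same api/qualitygates/select call, so nothing here needs to be undone by hand.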


(Stephan Schuster) #6

Thanks for your help!

Best regards,
Stephan