Security hotspot issues fail quality gate

Hi,

in SonarQube 7.4 issues of type Security Hotspot seem to fail quality gates defined on the issue metrics (blocker issues, critical issues, etc.). As I understand the documentation (https://docs.sonarqube.org/latest/user-guide/security-reports/), this should only happen when a security hotspot issue has been marked as detected. This would be consistent with the issues view, where issues of type Security Hotspot are hidden.

Is this a bug, or am I missing something here?

Best regards
Stephan


[EDIT: I had misunderstood the original question. This answer is not related to it]

Hi @stephan.schuster,

Thank you for your feedback.

There is indeed a bug in version 7.9 of SonarC# and SonarVB which was released last week. Just as you said, Security Hotspots should never impact the quality gate, except when they are “detected” as Vulnerabilities. We are currently working on a fix.

The bug report is available here: https://github.com/SonarSource/sonar-dotnet/issues/2131

In the meantime you can either:

  • Revert to the previous version of the SonarC#/SonarVB plugin.
  • Deactivate external Roslyn issues like this: go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option.
  • Create a copy of the SonarWay Quality Profile and disable the Security Hotspot rules for C# and VB .Net.

I would personally recommend the second option as it can easily be reset once we release fixed plugins.

We apologize for the inconvenience.

I will let you know as soon as the plugins are fixed.

Best regards,
Nicolas

Hi Nicolas,

thanks for the quick reply.

I forgot to mention that the problem occurs with Java projects. Do you know of a similar bug in the Java analyzer? We are using version 5.9.2 (build 16552).

Many thanks in advance & best regards,
Stephan

Excuse me as I have misunderstood your first question and my answer was not related to your problem.

You are right that Security Hotspots should never impact the Quality Gate, whatever the language used. I created the corresponding ticket: https://jira.sonarsource.com/browse/SONAR-11555.

In the meantime you can use the “blocker issues” metric in your quality gate, as security hotspots never have this severity level. It is also possible to use the “Bugs”, “New Bugs”, “Code Smells”, etc. metrics.

I hope this answers your question.

Best Regards,
Nicolas
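To see why the “blocker issues” metric is a safe gate condition while the other severity metrics are not, here is a small reconciliation script. It is an added example, not code from this thread or from SonarSource: it mimics the shape of the `issues` array returned by the SonarQube Web API `api/issues/search` (the `type` and `severity` fields), counts unresolved issues per severity-based metric with and without Security Hotspots, and evaluates a gate condition the way the quality gate does (operator GT or LT against an error threshold). The issue list is constructed for illustration; the metric keys (`blocker_violations`, `critical_violations`, …) are the standard SonarQube metric keys.

```python
"""Reconcile severity-based quality-gate metrics against Security Hotspots.

Added example (not from the SonarQube community thread or SonarSource).
Assumptions: issues follow the `type`/`severity`/`status` fields of the
`api/issues/search` response; SAMPLE_ISSUES below is constructed data.
"""
from collections import Counter

# Standard SonarQube metric keys for the severity-based issue counts.
SEVERITY_METRIC = {
    "BLOCKER": "blocker_violations",
    "CRITICAL": "critical_violations",
    "MAJOR": "major_violations",
    "MINOR": "minor_violations",
    "INFO": "info_violations",
}

# Constructed sample: what a pre-fix 7.4 server might return for one project.
# Note that the hotspots carry CRITICAL/MAJOR severity but never BLOCKER.
SAMPLE_ISSUES = [
    {"key": "i1", "type": "BUG", "severity": "BLOCKER", "status": "OPEN"},
    {"key": "i2", "type": "CODE_SMELL", "severity": "MAJOR", "status": "OPEN"},
    {"key": "i3", "type": "SECURITY_HOTSPOT", "severity": "CRITICAL", "status": "OPEN"},
    {"key": "i4", "type": "SECURITY_HOTSPOT", "severity": "MAJOR", "status": "OPEN"},
    {"key": "i5", "type": "VULNERABILITY", "severity": "CRITICAL", "status": "OPEN"},
    {"key": "i6", "type": "BUG", "severity": "MINOR", "status": "RESOLVED"},
]


def severity_counts(issues, include_hotspots):
    """Count unresolved issues per severity metric, optionally skipping hotspots."""
    counts = Counter()
    for issue in issues:
        if issue.get("status") in ("RESOLVED", "CLOSED"):
            continue  # resolved issues do not feed the *_violations metrics
        if not include_hotspots and issue["type"] == "SECURITY_HOTSPOT":
            continue
        counts[SEVERITY_METRIC[issue["severity"]]] += 1
    return dict(counts)


def hotspot_affected_metrics(issues):
    """Return the severity metrics whose value changes once hotspots are counted."""
    with_h = severity_counts(issues, include_hotspots=True)
    without_h = severity_counts(issues, include_hotspots=False)
    metrics = set(with_h) | set(without_h)
    return sorted(m for m in metrics if with_h.get(m, 0) != without_h.get(m, 0))


def evaluate_condition(measures, metric, op, error):
    """Evaluate one gate condition: 'ERROR' if the threshold is crossed, else 'OK'."""
    value = measures.get(metric, 0)
    if op == "GT":
        return "ERROR" if value > error else "OK"
    if op == "LT":
        return "ERROR" if value < error else "OK"
    raise ValueError(f"unsupported operator {op!r}")


def gate_status_with_and_without_hotspots(issues, metric, op, error):
    """Compare a condition's outcome when hotspots are and are not counted."""
    return (
        evaluate_condition(severity_counts(issues, True), metric, op, error),
        evaluate_condition(severity_counts(issues, False), metric, op, error),
    )


if __name__ == "__main__":
    print("metrics moved by hotspots:", hotspot_affected_metrics(SAMPLE_ISSUES))
    for metric in ("blocker_violations", "critical_violations"):
        print(metric, "GT 1 ->", gate_status_with_and_without_hotspots(SAMPLE_ISSUES, metric, "GT", 1))
```

With the sample data, a condition on `critical_violations > 1` fails only because two hotspots were counted, while a condition on `blocker_violations` gives the same result whether or not hotspots are included, which is the reason the workaround above is safe.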

Thanks for your help!

Best regards,
Stephan

Hi Nicolas,

I think some security hotspot issues still exist in Sonar.

Is the above issue fixed in Sonar?

Regards,
Ramya

Hi @Ramya_Akula,

The issue mentioned above has been fixed.
Could you describe your problem, preferably in a separate topic?

Regards,
Nicolas

Hi Nicolas,

Please find my new topic link,

Could you please help me?

Regards,
ramya

Hi Ramya,

Please don’t cross-post the same issue in multiple topics.

Thx,
Ann

Hi @ganncamp,

Sorry for the confusion. I was the one asking for a different thread as the problem was probably not related to this one.

@Ramya_Akula Thank you for creating the other thread. The problem is indeed different, I’ll reply there.


Sorry Ramya!