I am using Sonarqube v.9.5 with around 100 projects and I have a doubt about security hotspots usage: an hotspot indicates a point of code to be reviewed but after I review it the problem is not transferred as a vulnerabilities in case the review is acknowledged.Consider a case where I have 10 sec. hotsposts and 0 vulnerabilities , I review them and I evaluate all as Acknowledged, the product iin sonar shows 0 vulnerabilities and 100% hotsposts reviewed so it seems all done but in reality there are 10 points that require code changes.
I would like to obtain some information about this condition from sonarqube :
for example as possible charting options there are only the number of security hotspot reviewed ( without considering their status ) so I cannot easily count the acknowledged hotspots unless I enter in security hotspot page an filter by status ( to be repeated for every project)
How can I add ths information to sonar to present it?
Can I add the issues found in the security hotspot in the vulnerabilities list?
When we introduced the status Acknowledged, we wanted to give the possibility for the users to confirm that there is an action to do but that action can’t be done immediately. In itself, you are not yet vulnerable, but you want to add an extra layer of protection to your application. As a developer, you did your work to review and you took a decision. This is the primary goal of the Security Hotspots space: raise awareness and decide.
This was with the idea that if you need to delay the fix for whatever reason, you have the information somewhere else (in a dev JIRA ticket?) and you don’t need it in Sonar.
Can you confirm that your role, in the company you are working for, is more a manager role than a developer one?
Can you also confirm you want to have a big picture of what has been Acknowledged across all your projects? If this is correct, how would you use this information? What would be your next action?
I am the security manager in our company but I also responsible of development for one of our products so I see both sides
I confirm I know our internal processes , for this reason I was trying to find a way to monitor security hotspot analysis activities, in particular I would to find a way to count or put in a report the number of hotspots that require a development activities.
I saw that in the past sonarqube releases there was an automatic generation of vulnerabilities in case of confirmation of a security hotspot but it has been removed
Hi Alexandre ,
our company is still interested in knowing if sonarqube is plannig to create any mechanism in the UI to create a vulnerability issue in case that a securuty hotspot is marked as acknowledged.
It would be useful to create a vulnerability issue to trace that the warning raised by the security hotspot identified an issue to be solved by some coding action.
Can you provide me a view on that?