(SonarQube Scanner 4.2.0.1873)
(SonarQube server 8.3.1)
Hello,
We are working with a Typescript project where a few Security Hotspots have been reviewed as safe.
Every time there is a new push to the codebase, these same hotspots (same file, same line) arise again with the “To review” status, even after being reviewed several times in the past.
This is causing us to fail the quality gate with new PRs for things that have already been resolved. How can we preserve the status of these hotspots so they don’t keep reappearing?
When the Security Hotspots are re-reported, do they include history entries that show you’ve already reviewed them, or does SonarQube seem to think they’re really brand new?
Also, SonarQube 8.6 was just released. I’m not aware of anything specific, but it’s possible this part of the experience improved since then. Anyway there have been a lot of other improvements. You should consider upgrading.
I confirm the behavior your are describing is unexpected and should not happen unless you updated the exact line where the Security Hotspot was raised in the past.
Which ALM (GitHub, Bitbucket, Azur DevOps, GitLab, other) are you using?
Can you use to the latest version of SonarQube 8.6? Do you reproduce the problem with it?