Security Hotspots status propagation between branches

Hi all,

I’m just testing the propagation of status and resolution for Security Hotspots and I have found that resolving the Hotspots as safe in a branch doesn’t propagate the status to other branches after merge. It seems to work if a pull request is analysed, but if I merge the branch directly it doesn’t work.

This is what I have tested:

  1. Main branch analysis, 3 hotspots found. Marked 1 as safe (OK)
  2. New branch develop from main, new analysis, 2 hotspots found (OK, it was propagated)
  3. New branch release from develop, new analysis, 2 hotspots found (OK, it was propagated)
  4. New feature branch from develop, new analysis (as branch), 2 hotspots found (OK, it was propagated).
    – New hotspot introduced in the code. New branch analysis, and 3 hotspots found (OK)
    – Hotspot is resolved as fixed (no changes in the code). New branch analysis and 2 hotspots found (OK)
    – Pull request from this feature branch to develop. New PR analysis and 2 hotspots found (OK)
  5. PR approved and merged in develop, new analysis for develop, and 2 hotspots found (OK, it was propagated).

If I repeat the same steps, but merging the feature branch into develop without a Pull Request, the hotspot that was manually resolved as fixed is detected on develop branch and we must resolve it again.

So please, is there anyone that could share how the hotspots propagation should work with branches? Are we forced to do a pull request in order to work as expected?

Thanks and best regards.

Hi all!

Anyone to help on this?

Thanks!

Same situation in my project, any idea?
We have manually marked a specific Sec-Hotspot in our develop-branch. However, every time a new feature-branch is created from develop, this warning appears again.
We don’t use pull-requests, but directly review/merge using JIRA workflow.
Isn’t there a way to mark them as Safe, at a global level? At SQ-project level maybe?
We would prefer to not haveto use //NOSONAR
Thx

2 Likes