I’m just testing the propagation of status and resolution for Security Hotspots and I have found that resolving the Hotspots as safe in a branch doesn’t propagate the status to other branches after merge. It seems to work if a pull request is analysed, but if I merge the branch directly it doesn’t work.
This is what I have tested:
- Main branch analysis, 3 hotspots found. Marked 1 as safe (OK)
- New branch develop from main, new analysis, 2 hotspots found (OK, it was propagated)
- New branch release from develop, new analysis, 2 hotspots found (OK, it was propagated)
- New feature branch from develop, new analysis (as branch), 2 hotspots found (OK, it was propagated).
- New hotspot introduced in the code. New branch analysis, and 3 hotspots found (OK)
- Hotspot is resolved as fixed (no changes in the code). New branch analysis and 2 hotspots found (OK)
- Pull request from this feature branch to develop. New PR analysis and 2 hotspots found (OK)
- PR approved and merged in develop, new analysis for develop, and 2 hotspots found (OK, it was propagated).
If I repeat the same steps, but merge the feature branch into develop without a Pull Request, the hotspot that was manually resolved as fixed is detected on the develop branch and we must resolve it again.
So please, is there anyone who could share how hotspot propagation should work with branches? Are we forced to do a pull request in order for it to work as expected?
Thanks and best regards.