yes, exactly. This is what the developers do, and then the problem disappears from the list. What we need now is to get a report indicating which Security Hotspots have been marked safe.
(The actual problem is that some of the problems actually have not been solved and are not actually safe - in most cases because the reviewer doesn’t always understand the underlying problem.)
Sorry @jensmadsen, something isn’t clicking. What I’ve shared a screenshot of is a list of security hotspots that have been marked safe for the project. Are you saying that after some time (or immediately?) the hotspot disappears from this filtered list?
No, in this list (picture) it remains in the safe state, and the Review button lights up blue.
The problem that we are having is that the problem disappears from the “Security Reports” section. Suddenly the project is just green A on everything, and the problem has not actually been resolved. We need this “safe” marking to show up somewhere in the final reports.
If you go to the Activity tab of an affected project and look at Security Hotspots, do you see some wild variation in the total number being reported (dropping to 0, for example)?
I’ve tested these things, I think maybe it’s by design.
On the Project > Overview (tab); it says Security Hotspots 0 (and a green A)
On the Project > Security Hotspots (tab); it says green 100%
Security Hotspots Reviewed → in the Safe (tab) the blue/purple button Review is lit up.
On the Project > Security Reports > All tabs show (green A) on everything.
On the Project > Security Reports > All tabs; SonarSource, PCI DSS, OWASP ASVS, OWASP Top 10, CWE Top 25 - lists of (green A)
Opening a PDF report here;
Overall Code > all green 100% reviewed - 0 vuln, 0 sec hotspots, security (green A), sec review (green A)
New Code > all green 100% reviewed - 0 vuln, 0 sec hotspots, security (green A), sec review (green A)
and this is the problem (the PDF says nothing about “what” has been marked 100% green.)
Problem
I think maybe a separate report of the “safe” markings is needed for people who don’t work with the developers and don’t have access to SonarQube… It should, if possible, say something at the bottom of the report about what has been marked safe (and that it was some critical security hotspot that was reviewed).
It seems to be working fine, but maybe it’s by design?
Thanks for this feedback. I’m going to ping the responsible PMs. Right now, I think we are taking a look at PDF reports anyways due to some other topics.
Thank you for your feedback here. I think there is room for us to do more around the hotspots workflow and we’ll take a look at this.
Have you seen the regulatory reports? They will provide you with a list of all issues (including hotspots) and what happened to them along with comments on why the decision was made. That might help with what you are looking for. Please let us know if this won’t give you what you need.
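One way to produce the list of hotspots marked safe that this thread asks for, added here as an example and not code from SonarSource or anyone in the thread: it pulls hotspots from the SonarQube Web API and turns them into report lines. It assumes the `api/hotspots/search` endpoint with `status=REVIEWED&resolution=SAFE`, a user token with Browse permission on the project, and a constructed sample response; check the endpoint and response fields against your server’s Web API documentation.

```python
"""List Security Hotspots reviewed as SAFE, to append to a report that otherwise only shows green A."""
import base64, json, urllib.parse, urllib.request
from collections import Counter

SEARCH_PATH = "/api/hotspots/search"  # assumed endpoint; verify against your server's Web API docs


def build_search_url(base_url, project_key, page=1, page_size=500):
    """URL for hotspots of one project that are REVIEWED and resolved as SAFE."""
    params = {"projectKey": project_key, "status": "REVIEWED",
              "resolution": "SAFE", "p": page, "ps": page_size}
    return base_url.rstrip("/") + SEARCH_PATH + "?" + urllib.parse.urlencode(params)


def fetch_safe_hotspots(base_url, project_key, token):
    """Fetch every page of SAFE hotspots; token is a user token with Browse permission."""
    auth = base64.b64encode((token + ":").encode()).decode()  # token-as-username Basic auth
    hotspots, page = [], 1
    while True:
        req = urllib.request.Request(build_search_url(base_url, project_key, page),
                                     headers={"Authorization": "Basic " + auth})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        hotspots.extend(body.get("hotspots", []))
        paging = body.get("paging", {})
        if page * paging.get("pageSize", 500) >= paging.get("total", 0):
            return hotspots
        page += 1


def safe_hotspot_report(hotspots):
    """Report lines: each SAFE hotspot, highest vulnerability probability first, then totals."""
    safe = [h for h in hotspots
            if h.get("status") == "REVIEWED" and h.get("resolution") == "SAFE"]
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    safe.sort(key=lambda h: (rank.get(h.get("vulnerabilityProbability"), 3), h.get("component", "")))
    lines = [f"{h.get('vulnerabilityProbability', '?'):<6} {h.get('securityCategory', '?'):<14} "
             f"{h.get('component', '?')}:{h.get('line', '?')}  {h.get('message', '')}" for h in safe]
    counts = Counter(h.get("vulnerabilityProbability", "?") for h in safe)
    lines.append("Marked safe: %d (%s)" % (len(safe), ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))))
    return lines


# Constructed sample in the shape of an api/hotspots/search response; not data from a real project.
SAMPLE_HOTSPOTS = [
    {"component": "demo:src/auth/login.py", "line": 42, "status": "REVIEWED", "resolution": "SAFE",
     "securityCategory": "auth", "vulnerabilityProbability": "HIGH", "message": "Review this password handling."},
    {"component": "demo:src/util/tmp.py", "line": 7, "status": "REVIEWED", "resolution": "SAFE",
     "securityCategory": "insecure-conf", "vulnerabilityProbability": "LOW", "message": "Review this temp file."},
    {"component": "demo:src/api/upload.py", "line": 88, "status": "REVIEWED", "resolution": "FIXED",
     "securityCategory": "others", "vulnerabilityProbability": "MEDIUM", "message": "Review this upload path."},
]
```

Run `safe_hotspot_report(SAMPLE_HOTSPOTS)` for the offline sample, or `safe_hotspot_report(fetch_safe_hotspots(url, key, token))` against a live server; FIXED hotspots are left out so the list shows only what a reviewer waved through.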