Security Hotspots that have been marked safe are not reported

Must-share information (formatted with Markdown):

  • which versions are you using: SonarQube Enterprise 10.5.1
  • how is SonarQube deployed: zip
  • what are you trying to achieve: I need to create a report of Security Hotspots (per project) that have been reviewed and marked safe by someone.
  • what have you tried so far to achieve this: It's not possible to get such a report.

Our problem is developers or reviewers marking Security Hotspots safe, so that the problem disappears. The problem, however, remains unfixed.

  • Is there any report that we can run, to get reviewed and safe security hotspots (per project)?
  • Is this a feature request?

Hey @jensmadsen

Wouldn’t you just filter to “Safe” here?

1 Like

Yes, exactly. This is what the developers do, and then the problem disappears from the list. What we need now is to get a report indicating which Security Hotspots have been marked safe.

(The actual problem is that some of the problems actually have not been solved and are not actually safe - in most cases because the reviewer doesn't always understand the underlying problem.)

But yes, this is what they do…

Sorry @jensmadsen, something isn’t clicking. What I’ve shared a screenshot of is a list of security hotspots that have been marked safe for the project. Are you saying that after some time (or immediately?) the hotspot disappears from this filtered list?

No, in this list (picture) it remains in the safe state, and the Review button lights up blue.

The problem that we are having is that the problem disappears from the “Security Reports” section. Suddenly the project is just a green A on everything, and the problem has not actually been resolved. We need this “safe” marking to show up somewhere in the final reports.

Hm. It sounds like something fishy is going on.

If you go to the Activity tab of an affected project and look at Security Hotspots, do you see some wild variation in the total number being reported (dropping to 0, for example)?

I’ve tested these things, I think maybe it's by design.

  • On the Project > Overview (tab); it says Security Hotspots 0 (and a green A)

  • On the Project > Security Hotspots (tab); it says green 100%
    Security Hotspots Reviewed
    → in the Safe (tab) the blue/purple button Review is lit up.

  • On the Project > Security Reports > All tabs show (green A) on everything.

  • On the Project > Security Reports > All tabs; SonarSource, PCI DSS, OWASP ASVS, OWASP Top 10, CWE Top 25 - lists of (green A)

    • Opening a PDF report here;
      • Overall Code > all green 100% reviewed - 0 vuln, 0 sec hotspots, security (green A), sec review (green A)
      • New Code > all green 100% reviewed - 0 vuln, 0 sec hotspots, security (green A), sec review (green A)
      • and this is the problem (the PDF says nothing about “what” has been marked 100% green.)

Problem
I think maybe a separate report of the “safe” markings for people who don’t work with the developers and don’t have access to SonarQube… It should, if possible, say something at the bottom of the report about what has been marked safe. (and it was some critical security hotspot that was reviewed)

It seems to be working fine, but maybe it's by design?

Hey @jensmadsen

Thanks for this feedback. I’m going to ping the responsible PMs. Right now, I think we are taking a look at PDF reports anyways due to some other topics.

1 Like

Hi @jensmadsen,

Thank you for your feedback here. I think there is room for us to do more around the hotspots workflow and we’ll take a look at this.

Have you seen the regulatory reports? They will provide you with a list of all issues (including hotspots) and what happened to them along with comments on why the decision was made. That might help with what you are looking for. Please let us know if this won’t give you what you need.

John