Security Reports web page of SonarQube shows "-" instead of rating and # of vulnerabilities

security

(Hilal Emeksiz) #1

Hello,
we have SonarQube 7.5 Community version.
In the Security Reports tab of a project ( … /project/security_reports/owasp_top_10?id=JAVA%3AGTN_DEPENDENCY_CHECK_TEST%3Afeature%2Fa-67713063), although the JSON returns the data to be displayed, the A9 rating and # of vulnerabilities are not shown on the web page.


(G Ann Campbell) #2

Hi,

You should be seeing dashes ('-') only when no relevant rules are active in your profile. Can you confirm that you do have rules that are tied to the relevant standards? Unfortunately, we haven't added the Standards facet to the Rules page, so this is difficult to check from that side. You can verify that you have issues that should be showing up on the Issues page, which does have the Standards facet. In the Type facet choose Security Hotspot and Vulnerability, then expand the Standard facet (and its children) to see that the standards have issues tied to them.


Note that simply tagging a rule with A1, for instance, is not sufficient to make its issues show up on the Security reports page.

Ann


(Hilal Emeksiz) #3

Hi Ann,
in the Issues tab of the same Sonar project I am able to see the violations:
What could be the problem preventing us from seeing the numbers on the Reports tab?

Thank you


(G Ann Campbell) #4

Hi,

Your screenshot shows the default type selection: Bug, Vulnerability, Code Smell. Please narrow that selection to just Vulnerabilities (I can already see you have 0 Hotspots) and then see if you have non-zero numbers in the Standard facet.

Ann


(Hilal Emeksiz) #5

Hi @ganncamp,
I only chose Vulnerabilities:


(G Ann Campbell) #6

Hi,

Your initial screenshot shows part of a web service response highlighted. Would you mind posting the entire response here, please?

Ann


(Hilal Emeksiz) #8

Hi @ganncamp

{"categories":[{"category":"a1","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a2","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a3","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a4","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a5","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a6","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a7","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a8","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a9","vulnerabilities":2,"vulnerabilityRating":3,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"a10","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":0,"totalRules":0},{"category":"unknown","vulnerabilities":0,"toReviewSecurityHotspots":0,"openSecurityHotspots":0,"wontFixSecurityHotspots":0,"distribution":,"activeRules":5,"totalRules":10}]}


(G Ann Campbell) #9

Hi,

Thanks for this. This is the part I was hoping to see more of:

"activeRules":0,"totalRules":0

My memories of how this is put together are a little fuzzy, but it seems that the profile assigned to/last used by the project currently has no relevant rules in it. It's probably a bug on our side that, because of that, we suppress display of the 2 violations that were raised in the previous analysis. We're planning to rework this whole security experience "soon", though, so we aren't likely to spend a lot of time on this glitch.

Ann
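
A small check that makes Ann's explanation concrete, added here as an example and not code from the thread or from SonarSource: it reads a security_reports-style response (the sample below is constructed to mirror the one pasted above, using only field names from that post), renders each category the way the page would, and lists categories whose vulnerabilities are hidden behind a "-" because `activeRules` is 0. The rating letters (1 = A ... 5 = E) follow SonarQube's usual rating scale.

```python
"""Added example: find OWASP categories whose vulnerabilities are present in
the security_reports web-service response but invisible on the Security
Reports page because the profile has no active rule for the standard."""
import json

# SonarQube rating scale: 1 = A (best) ... 5 = E (worst).
RATING_LETTERS = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}

# Constructed sample: trimmed to three categories but with the same keys as
# the response pasted in the thread (a9 carries two vulnerabilities, rating 3).
SAMPLE_RESPONSE = json.dumps({"categories": [
    {"category": "a1", "vulnerabilities": 0, "toReviewSecurityHotspots": 0,
     "openSecurityHotspots": 0, "wontFixSecurityHotspots": 0,
     "distribution": [], "activeRules": 0, "totalRules": 0},
    {"category": "a9", "vulnerabilities": 2, "vulnerabilityRating": 3,
     "toReviewSecurityHotspots": 0, "openSecurityHotspots": 0,
     "wontFixSecurityHotspots": 0, "distribution": [],
     "activeRules": 0, "totalRules": 0},
    {"category": "unknown", "vulnerabilities": 0, "toReviewSecurityHotspots": 0,
     "openSecurityHotspots": 0, "wontFixSecurityHotspots": 0,
     "distribution": [], "activeRules": 5, "totalRules": 10},
]})


def rendered_cell(cat):
    """Cell shown for a category: "-" when no rule tied to the standard is
    active in the profile, otherwise "<rating letter> / <vulnerabilities>"."""
    if cat.get("activeRules", 0) == 0:
        return "-"
    rating = RATING_LETTERS.get(cat.get("vulnerabilityRating"), "A")
    return f"{rating} / {cat.get('vulnerabilities', 0)}"


def hidden_findings(response_text):
    """Return {CATEGORY: vulnerability count} for categories where the API
    reports vulnerabilities but the page would render "-"."""
    data = json.loads(response_text)
    hidden = {}
    for cat in data["categories"]:
        if cat.get("vulnerabilities", 0) > 0 and rendered_cell(cat) == "-":
            hidden[cat["category"].upper()] = cat["vulnerabilities"]
    return hidden


if __name__ == "__main__":
    for cat in json.loads(SAMPLE_RESPONSE)["categories"]:
        print(f"{cat['category'].upper():8} {rendered_cell(cat)}")
    print("hidden:", hidden_findings(SAMPLE_RESPONSE))
```

Run against a real response saved from the web service, a non-empty result is the signal to check which quality profile the project last used and whether it activates rules tied to the affected standard.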


(Hilal Emeksiz) #10

Hi @ganncamp,
our DevSecOps department is following this; hoping to hear from you soon.