Security Review E with 0 Security Hotspots

tbutler · June 22, 2022, 12:05pm

SonarQube 9.5 Enterprise
Trying to get my project green.

I am on a branch.
My project had a security hotspot on existing code so Security Review E
I marked the issue as safe.
“Overall Code” now shows 0 Security Hotspots, 100% Reviewd, Security Review A
“New Code” shows 0 Security Hotspots, 0% Reviewd, Security Review E

So the branch has failed the quality gate check

ganncamp · June 22, 2022, 5:51pm

Hi,

Could you double-check the Security Hotspots tab/page, please, to see if it shows any unreviewed Security Hotspots? I’m asking to see if this is some sort of rounding error.

Thx,
Ann

tbutler · June 23, 2022, 7:12am

Hi - there are no security hotspots to review on that tab (I have checked all, not just assigned to me)

ganncamp · June 23, 2022, 11:34am

Hi,

Thanks for looking. I’ve flagged this for more expert attention.

Ann

dmeneses · June 24, 2022, 12:19am

Hello Tony,

Was the hotspot on new code?

If the project gets analyzed again, could you please let us know if the security review rating gets corrected? That would confirm that the problem is related with the real time update of measures when the hotspot was reviewed.

dmeneses · June 24, 2022, 2:40am

Also please check if you have any error logs, specifically in the web.log file, around the time you made the change to the hotspot.

tbutler · June 24, 2022, 10:09am

Hi

Per my original post it was new code.

The issue is not showing right now - the project has been analysed a few times since.
For future reference, do you mean from the UI Download Logs, Web Server - those are the logs you would want?

I had another issue which magically disappeared with no more reviews which maybe was related to realtime updates - ie the summary showed a problem but clicking on it couldn’t find any issues.
Wondering if it was related to elastic indexing being really s-l-o-w for some reason.
Is there a way I can verify if that is the case in the future?

We are using the k8s instance of SonarQube Enterprise - have only added a couple of projects to it so far and I am manually uploading analyses so it is not being hammered - later we will be connecting it to our CI pipeline…

dmeneses · June 24, 2022, 5:49pm

Yes. You could still check if there are any errors around the time the change was done to the hotspot.

system · September 1, 2022, 2:03pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.