Security Hotspots are not marked (in editor) or reported (in Security Hotspot View) in Visual Studio. It seems this was discussed before:
And the feature removed:
As far as I can tell the rationale being that this issues should be reviewed by human (Security Auditor). The workflow we’re using would greatly benefit if developers could be notified of the potential issues (as they do for non-security related potential bugs). All of those are reviewed by humans as well. the benefits being:
Developers can proactively remove security issues themselves.
Developers learn about potential security issues.
Adding comment about the shortens the code reviewing process.
The whole workflow is optimized as currently we’re discovering these potential issues very late in development process.
Currently we can see the issues in the Sonar portal, click open in IDE. Then the issue is underlined and added to the list. After restarting the IDE, the issues are no longer underlined and no longer in the list. I’m guessing an option to populate and keep the list would not be that hard to add?
Is there any other rationale for not having this feature (or option) I’m not aware of?
Hi @GoranSiska and welcome to the SonarSource community!
Thanks for the submitting this request, I agree with your reasoning - in fact supporting Security Hotspots in the IDE does make sense, moreover it is something we are already considering and there are chances we’ll work on this during 2022. You can find two features ideas around Hotspots in SonarLint roadmap page:
If you subscribe to those cards, you’ll get notified when there will be updates on them.
The workflow for Hotspots is a little different w.r.t. to code issues; for example when a Security Hotspot is detected, I don’t expect a developer to immediately stop coding in order to review the Hotspots; I’d rather review all the new Security Hotspots in my project from time to time, for example before committing or before sending a Pull request; in other words Security Hotspots deserve a dedicated UX design and this is one of the reasons why we introduced them in SonarQube and SonarCloud first. On the other hand, we do not believe that only Security Auditors should be in charge of reviewing Hotspots, at the contrary we’re promoting a developer-led approach on security (you can read more here ), and by bringing Hotspots to SonarLint we’d help the very people introducing Hotspots - developers - to review them and fix if needed, as early as possible in the development process.
I’m following the cards for a while now (without subscribing) and there is still the “coming soon” status. But when is “soon”? I’d really love to have this feature for Intellij IDEA. Is there already a date set when it might be released?
I also have to disagree with you because re-opening projects just for reviewing hotspots which are (in our case) mostly false positives - which means desired code - is in my opinion wasted time. Having a notification about possible dangerous coding patterns while coding is in fact a great thing and would also increase coding skills and awareness.
As you may have seen in the card, we’ve made a first release two weeks ago. This release introduces support for Security Hotspots in VSCode for users in connected mode with SonarQube.
The other good news is that we’re working in this very moment to release the functionality for IntelliJ IDEs - if all goes well we’ll be able to release it in a few weeks
Of course that’s not the end of the story - the first iteration is purely about reporting Security Hotspots: for now, you’ll still need to switch to SonarQube in order to mark them as Safe; of course we also plan to add the possibility to change Hotspot status directly in the IDE - and this will come a bit later.
Having a notification about possible dangerous coding patterns while coding is in fact a great thing and would also increase coding skills and awareness.
Thanks for your feedback! In IntelliJ, we’ll report Security Hotspots in a separate tab - but the detection itself will happen in real-time while you code. Don’t hesitate to share with us your thoughts on the new feature once it will be released.
…I assume there have been some difficulties? Is it assessable when the reporting function might come? It would help a lot and more importantly I do not need to make myself unpopular coming up with a bureaucratic solution like rotational checking and documenting hotspot within Sonarqube.
Hello @roadrunner ,
the support for Hotspots in IntelliJ was released at the end of February (you should have received an update if you follow the roadmap card). We’re now starting to work to allow changing the status directly in the IDE
It would be great if you give it a try and let us know what you think!
BTW, you can also watch this category to make sure you get notified of new releases of SonarLint for IntelliJ.
I have no ETA for now - as we’re currently in the process of introducing Clean Code principles in your products (see here) which could have an effect on how our detections are classified and presented in the products.