SonarCloud Community: we’ve elevated Security Hotspots to first-class citizen status

Hello SonarCloud Community,

We’ve made some changes to SonarCloud pertaining to features in the security domain. Here’s an update on these changes to help you understand them and quickly integrate them into your organization.

First, we’ve elevated Security Hotspots to first-class citizen status. They now belong to the Security domain alongside vulnerabilities. For vulnerabilities, there is no change: they are proper issues and require a fix. On the other hand, Security Hotspots require a different action set. They need a careful review to properly categorize them - either they fall into the issue bucket (and become true vulnerabilities) or they can be safely ignored. To assist with this triage, we highlight Security Hotspots in your PR analysis so you know where to focus your attention. They’re also visible on the Overview Page of your project.

On the Issues page, we’ve added a reminder to explain the action needed for Security Hotspots:

We were careful to display Security Hotspots differently so it’s clear that they require a different action from ‘normal’ issues. A proper Security Hotspot workflow involves review and a bit of inspection along with probing questions to ensure your code isn’t linking to a known security attack or weakness.

We also break things down into Security Categories (SonarSource, OWASP Top 10 and SANS Top 25) so it’s easier to understand the effort (code fixes vs. code review/fix) involved in order to resolve all items.

Finally, we removed the “Security Reports” feature. As a developer, reports are not as useful as an actionable list of issues and this is provided by the Issues Page and its new Security Category filter.

Soon, we’ll add a bit more clarity to the Security Hotspot workflow by incorporating a clear action status: To Review > In Review > Reviewed.

As always, we love your feedback! Please reach out on this forum if you have questions or comments! Happy coding!

Hey @Alexandre_Gigleux,

is there a plan to make Security Hotspots visible in the IDE?
SonarLint still doesn’t report Security Hotspots.

Cheers,
Robin

Hello,

Yes, I confirm we want to bring Security Hotspots into SonarLint in 2020 and we don’t want to mix them up in the middle of Issues so we need to work on new UI for that.

Alex

Hey Alex,

that’s great to hear! Looking forward to this feature!

Cheers,
Robin

+1 on that!

Seconding that we want security hotspots as an option in SonarLint! Thank you!

@Alexandre_Gigleux wanted to chime in and see if there’s any update on the effort to get security hotspots integrated with Sonarlint?

Is there a better place for me to track the feature status for this item?

thank you and the team for your work!

Gianni

Hello,

Thanks for asking. This is what is coming if everything goes well with SQ 8.6 and later in SonarCloud:

You should soon be able to start your Security Hotspots review from SonarQube/SonarCloud and jump into your IDE easily to continue your investigation.

See:

SonarCloud will also soon get the new Security Hotspots experience that was introduced a couple of months ago on SonarQube. See: MMF-2176

Regards
Alex

@Alexandre_Gigleux - Is there a way to bulk edit these hotspots? I have 26 of the same thing in a file and all of them are safe. I don’t want to click each one and type in a comment and pick a radio button and save it.

There is no way to bulk update a list of Security Hotspots as of now.

It would be great to not have to pay so much of a time penalty for false positives. After all, they are not a mistake on the user’s part.

Hi @StingyJack,

It would be nice if you could create a new thread in False-positive - SonarSource Community to report this false positive.
Providing a code example would greatly help.

Thank you.

I’m hinting that you take that advice into consideration when designing any new feature. Asking for a single FP to be fixed hasn’t been a productive use of my time.