I’ve just started using SC for a javascript/node.js/express API project. I know it contains numerous vulnerabilities, and initially SC identified them. After a day or so (and after I patched a minority of them), they disappeared from the dashboard. I can still find them as “security hotspots”, but vulnerabilities are now a fat zero, sending the wrong message.
Has anyone experienced anything similar, and is there any known workaround?
ALM used: GitHub
CI system used: system is automatically configured
Languages of the repository: Javascript
Error observed: vulnerabilities not detected anymore
To be able to investigate this issue, I have some questions:
Is this a PR analysis or the main branch analysis?
What are the associated Rules of these Security Hotspots? You can find this in the UI: when you click on any security hotspot, on the upper side of the screen you should see a link that follows the format javascript:ID (for example javascript:S2068).
The Rule javascript:S2077 is categorised as Security Hotspot, so it’s expected that you see the findings as Security Hotspots. Are all the findings related to this Rule?
Assuming that you already set up a New Code Definition for your project, if you go to your project → Main Branch, on the right side you should see a switch (see screenshot)
I’ve looked at the security hotspots and it catches a whole bunch of Javascript:S2077 hotspots, but a number of them were reported before as actual vulnerabilities.
Ok, I see. However, the expected behaviour is that issues under the Javascript:S2077 Rule are displayed as Security Hotspots. Also, as you can see, your Quality Gate fails when the Security Review has rating E, so in order to have your Quality Gate green you will still have to resolve them (same as if they were Vulnerabilities).