SonarQube 10.3 : Maintainability issue tagged as Vulnerability (inconsistency between types)

Here is my SonarQube information:

  • SonarQube Enterprise Edition 10.3 (Build 82913)

  • SonarQube is deployed as a Docker container

  • Project “myproject” > Overview > Overall Code: I have 3 vulnerabilities in the “Security” section.

  • The issue: when I click on the “3” (vulnerabilities) link, I am redirected to the “Issue” section, which lists 3 “maintainability” issues (all are “java:S1104”). In addition, when I look at the “Software Quality” section, there are 0 “Security” issues.
    Those 3 issues are incorrectly tagged as “Vulnerability” within the “Issues” section but when I get to the detail of the vulnerability, it is tagged as “Maintainability” and “Code smell”.

  • This means that SonarQube doesn’t handle its software quality types correctly.

Could you please take a look and fix this issue?

Hi,

Welcome to the community!

Would you mind providing some screenshots, please?

 
Thx,
Ann

Hi,

Sorry, I was not notified of your reply.

Please find attached an example:
1 - Within the overview, we can see that there are 92 vulnerabilities
2 - Within the detail (issues), we can see that there are “only” 75 vulnerabilities

Feel free to ask if you need any additional information.

Yoann


Hi,

Thanks for the screenshots. They’re very helpful.

In fact, what you’re experiencing is a side effect of a shift we’re undertaking right now. We’re moving from the old Bug/Vulnerability/Code Smell categorization to a more nuanced way of classifying issues. Open the Type facet and you should see that there are indeed 92 Vulnerabilities. And in the newer categorization, some of these vulnerabilities - 75 of them - are classified as impacting the final software’s Security, and some - 17 of them - as impacting its Maintainability. Add that up and you get 92.

 
HTH,
Ann
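
The reconciliation described above can be checked against exported issue data. This is an added example, not part of the thread and not SonarQube's own code: it cross-tabulates each issue's legacy type against its software-quality impacts and lists the rules typed as Vulnerability that carry no Security impact. The records are constructed, and the field names (`type`, `rule`, `impacts`, `softwareQuality`) are assumed to match the issue JSON returned by the SonarQube Web API; the security rule key is a placeholder.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed issue records (not real scan output) mirroring the 92 = 75 + 17 case."""
    def issue(key, itype, rule, quality):
        return {"key": key, "type": itype, "rule": rule,
                "impacts": [{"softwareQuality": quality, "severity": "MEDIUM"}]}

    issues = [issue(f"sec-{n}", "VULNERABILITY", "java:PLACEHOLDER_SECURITY_RULE", "SECURITY")
              for n in range(75)]
    # Rule key java:S1104 is the one named in the first post; its use here is constructed.
    issues += [issue(f"maint-{n}", "VULNERABILITY", "java:S1104", "MAINTAINABILITY")
               for n in range(17)]
    # A few ordinary code smells, to show they are not swept into the mismatch list.
    issues += [issue(f"smell-{n}", "CODE_SMELL", "java:PLACEHOLDER_SMELL_RULE", "MAINTAINABILITY")
               for n in range(5)]
    return issues


def reconcile(issues):
    """Return (count per legacy type, count per (type, quality), mismatched rule -> keys)."""
    by_type = Counter(i["type"] for i in issues)
    by_type_and_quality = Counter()
    mismatched = defaultdict(list)
    for i in issues:
        # An issue may carry several impacts; count each quality once per issue.
        qualities = {imp["softwareQuality"] for imp in i.get("impacts", [])}
        for q in qualities:
            by_type_and_quality[(i["type"], q)] += 1
        # Typed as a vulnerability in the old scheme, but no Security impact in the new one.
        if i["type"] == "VULNERABILITY" and "SECURITY" not in qualities:
            mismatched[i["rule"]].append(i["key"])
    return by_type, by_type_and_quality, dict(mismatched)


if __name__ == "__main__":
    by_type, cross, mismatched = reconcile(build_sample())
    print("Overview count (legacy type):", by_type["VULNERABILITY"])
    for (itype, quality), n in sorted(cross.items()):
        print(f"  {itype:<14} {quality:<16} {n}")
    for rule, keys in mismatched.items():
        print(f"Typed Vulnerability without Security impact: {rule} x{len(keys)}")
```

The mismatch list is the set to review when a security gate or report still counts by legacy type.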

Hi Yoann,

Thanks for the feedback.
To build upon Ann’s explanations, we are currently transitioning the project summary to the new classification. This should address the discrepancy you’ve noticed.

Chris

Hi,

Thanks to both of you for those inputs.
I guess that future updates should resolve my “issue” in the upcoming days/months.