SonarQube Version 1.0.10
Hello, SonarQube community,
To learn more about SonarQube’s security features, beyond what its documentation can offer, I am reaching out to its community for answers. I listed a set of questions below I have about SonarQube and would be very grateful for any answers you can give. Since I am looking at SonarQube from a security analyst POV, all my questions will be security-focused. My questions are posted below. Thank you!
How, specifically, does SonarQube determine the letter-grade security ranking assigned to projects that have detected vulnerabilities and hotspots?
On the Issues page, how does the Creation Date filter work? Is the filter based on the first time it detects a vulnerability? Is the Creation Date for a specific vulnerability updated on each repeated scan?
After a vulnerability is marked as fixed, how long does SonarQube keep that set status? Is the status removed after each new scan? Is the status only removed if the line where the vulnerability was detected has been edited?
If a vulnerable line of code that was previously logged by SonarQube has been removed by the time of the next scan, will SonarQube also remove the logged vulnerability from its dashboard?
How does SonarQube handle False Positives? Does it require a user to manually set this status, or does SonarQube handle this automatically?