To learn more about SonarQube’s security features, beyond what its documentation can offer, I am reaching out to its community for answers. I listed a set of questions below I have about SonarQube and would be very greatful for any answers you can give. Being that I am looking at SonarQube from a security analyst POV, all my questions will be security-focused. My questions are posted below. Thank you!
How specifically, does SonarQube determine the letter grade security ranking assigned to projects that have detected vulnerabilities and hotspots?
On the Issues page, how does the Creation Date filter work? Is the filter based on the first time it detects a vulnerability? Is the Creation Date for a specific vulnerability updated on each repeated scan?
After a vulnerability is marked as fixed, how long does SonarQube keep that set status? Is the status removed after each new scan? Is the status only removed if the line where the vulnerability was detected has been edited?
If a vulnerable line of code that was previously logged by SonarQube is removed by the next scan will SonarQube also remove the logged vulnerability from its dashboard?
How does SonarQube handle False Positives? Does it require a user manually setting this status or does SonarQube handle this automatically?
As described in the documentation, the letter grade is determined by the severity of the worst open Security Vulnerability. Hotspots are not factored in to this rating.
Creation date is set at the initial discovery of the issue and not updated. There are cases where Issues are backdated to the last time the relevant line was edited.
Let’s distinguish between Fixed and Closed. Fixed is set manually by a user to claim “I’ve corrected the problem, and the next analysis will close this issue”. If the next analysis finds that the problem still exists, the Issue will be ReOpened. Any time an analysis fails to re-find an Open issue, (the problem has been removed) the Issue is Closed. Closed Issues are retained in the database for 30 days, and then cleaned out as part of the first analysis after the 30-day period.
If SonarQube were able to automatically recognize that an Issue were a False Positive… it wouldn’t raise it in the first place!
So yes, this status is set manually.
