(Sonarqube) Security-hotspot "review" button disappeared in some projects

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube
  • how is SonarQube deployed: zip, Docker, Helm
    Docker
  • what are you trying to achieve
    My team members should be able to update the review status with the review button
  • what have you tried so far to achieve this
    I created a new member and gave them permissions

A Security Hotspot review issue has occurred in New Code, as shown below.
When I tried to review it by clicking on the link, the review UI was not visible (only in some projects).
This Security Hotspot appears to be a Dockerfile issue.
We are currently using SonarQube version 10.1.
Please make sure this is not a bug in the new version.
(Review was possible in the overall code, and when the review was completed, the status was changed to Reviewed.)



Hi,

Welcome to the community!

Do the users in question have the Administer Security Hotspots permission on the projects you’re talking about?

 
Ann

Hi, this is Sung.

Yes, I have Administer Security Hotspots permission.

Thank you.

Sung.

Additionally, we cleared the Elasticsearch index, but it still happens.

  1. Stop your SonarQube instance
  2. Delete the contents of the “/data/es8” folder
  3. Restart

Hi,

Are you in multiple groups with permissions on the project? And does one of them lack the permission in question?

 
Ann

Hi @hyunju.sung,

In addition to the information requested by @ganncamp, how are your users authenticating? Are you using SAML or another method of SSO where the groups may be coming from?

Also, did you logout and login as the user in the “SonarQube-Admin” group before trying?

Thanks,

Brian

Are you in multiple groups with permissions on the project? And does one of them lack the permission in question?
Yes. I’m in multiple groups, and one group doesn’t have that permission.

  • SonarQube-Admin : Administer Security Hotspots permission ( O )
  • SonarQube-Developer : ( X )
  • sonar-users : ( O )

But I don’t think that’s the reason, because it only happens in “New Code” of the same project. I can review “Overall Code”.

Are you using SAML or another method of SSO where the groups may be coming from?
→ We use “SAML”
Also, did you logout and login as the user in the “SonarQube-Admin” group before trying?
→ Yes, I tried, but it still happens.

In addition,
We are currently using version 10.1 of SonarQube Enterprise, and there seems to be a Security Hotspot UI bug in the current version.

The cases I’ve encountered are:

  1. As I mentioned, the Security Hotspot review item in New Code is not displayed properly. Even when I test after granting all permissions, the same thing happens.
  2. Users who do not currently have the Security Hotspot Admin privilege can change the security review status (Acknowledged, Fixed, even Safe).

In my experience, I remember that there were no such bugs in versions below 9.9.
I would like SonarQube to perform a UI function check for the latest version.

Thank you.

Sung.

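The question above, whether a user who sits in several groups (one of them lacking the permission) should still be able to change a hotspot's status, comes down to how SonarQube combines group permissions: a user holds every project permission that any of their groups holds, and a group without the permission never takes it away. The following script is an added example (not code from this thread or from SonarSource) that computes that union from the JSON the Web API returns, using the three groups listed in the post as a constructed fixture. It assumes the response shapes of `GET api/users/groups?login=...` and `GET api/permissions/groups?projectKey=...`, the permission key `securityhotspotadmin` for "Administer Security Hotspots", and the `fetch_json` helper (hypothetical name) that sends a user token as the Basic-auth username with an empty password; only the offline part is exercised here.

```python
"""Audit a user's effective "Administer Security Hotspots" right on a SonarQube project.

Added example, not code from the thread or from SonarSource. It reproduces the
permission union the server applies (a user gets every permission any of their
groups holds; a group that lacks a permission never takes it away) from the JSON
the Web API returns, so a reviewer can compare what the server should allow with
what the UI shows. The fixtures are constructed to match the group layout in the
post; fetch_json (assumed helper) is only needed against a live instance and is
not called by the offline part.
"""
import base64
import json
import urllib.parse
import urllib.request

# Web API key for the "Administer Security Hotspots" project permission (assumed).
HOTSPOT_ADMIN = "securityhotspotadmin"

# Constructed fixture shaped like GET api/users/groups?login=<login>
USER_GROUPS = {"groups": [
    {"name": "SonarQube-Admin", "selected": True},
    {"name": "SonarQube-Developer", "selected": True},
    {"name": "sonar-users", "selected": True},
]}

# Constructed fixture shaped like GET api/permissions/groups?projectKey=<key>
# (needs project admin to call). Mirrors the (O)/(X) list in the post.
PROJECT_GROUP_PERMS = {"groups": [
    {"name": "SonarQube-Admin", "permissions": ["user", "codeviewer", HOTSPOT_ADMIN]},
    {"name": "SonarQube-Developer", "permissions": ["user", "codeviewer"]},
    {"name": "sonar-users", "permissions": ["user", "codeviewer", HOTSPOT_ADMIN]},
]}


def fetch_json(base_url: str, path: str, params: dict, token: str) -> dict:
    """GET a Web API endpoint; the user token goes in as Basic-auth username, empty password."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def user_group_names(user_groups: dict) -> set[str]:
    """Names of the groups the user is a member of."""
    return {g["name"] for g in user_groups["groups"] if g.get("selected", True)}


def group_permissions(project_groups: dict) -> dict[str, set[str]]:
    """Map group name -> project permissions granted to that group."""
    return {g["name"]: set(g.get("permissions", [])) for g in project_groups["groups"]}


def effective_permissions(groups: set[str], perms_by_group: dict[str, set[str]]) -> set[str]:
    """Union over the user's groups: a group without a permission revokes nothing."""
    effective: set[str] = set()
    for name in groups:
        effective |= perms_by_group.get(name, set())
    return effective


def hotspot_audit(user_groups: dict, project_groups: dict) -> dict:
    """Should this user be able to change a hotspot's status, and which groups grant it?"""
    groups = user_group_names(user_groups)
    perms_by_group = group_permissions(project_groups)
    effective = effective_permissions(groups, perms_by_group)
    return {
        "can_change_status": HOTSPOT_ADMIN in effective,
        "granted_by": sorted(g for g in groups if HOTSPOT_ADMIN in perms_by_group.get(g, set())),
        "groups_without_permission": sorted(
            g for g in groups if HOTSPOT_ADMIN not in perms_by_group.get(g, set())),
    }


def everyone_can_review(project_groups: dict, default_group: str = "sonar-users") -> bool:
    """True when the group every user belongs to carries the permission: then every
    user effectively holds it, whatever their other groups say."""
    return HOTSPOT_ADMIN in group_permissions(project_groups).get(default_group, set())


if __name__ == "__main__":
    print(hotspot_audit(USER_GROUPS, PROJECT_GROUP_PERMS))
    print("default group grants hotspot admin:", everyone_can_review(PROJECT_GROUP_PERMS))
```

With the groups exactly as listed in the post, the audit reports the user as able to change status, granted by both SonarQube-Admin and sonar-users, and SonarQube-Developer is correctly ignored. Because `sonar-users` is the group every user belongs to (as Brian notes below) and it is marked ( O ) in the list, `everyone_can_review` also returns True for this layout, which is worth checking against a live instance before attributing status changes by non-admin users to a UI bug. To test the server side directly, `POST api/hotspots/change_status` with `hotspot`, `status=REVIEWED` and `resolution=SAFE` as the user in question; a user without the permission should receive HTTP 403.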

Hi @hyunju.sung,

My colleague @Robbie_Bise and I have made several attempts to recreate this issue with SonarQube Enterprise version 10.1 and have been unsuccessful. We have also asked you to rebuild your Elasticsearch index, and this did not help.

Please confirm our understanding of the issues:

Case #1: Some users that are in a group with the “Administer Security Hotspots” permission do not see the “Change Status” button. This only happens on issues in New Code.

Case #2: Not previously reported - Some users that are not in a group with the “Administer Security Hotspots” permission can change a Hotspot’s status

Please confirm if the above is correct and also answer the following…

  • Are you using SAML group syncing? Are some of the groups (other than “sonar-users”, which is given to all users) assigned through SAML?
  • Have the branches of the Projects in question been analyzed since you upgraded to SonarQube 10.1?
  • In Case #2, do you just see the button or can you actually change the status?
  • Are these cases with a single user or multiple users?

If you are certain that your users have the proper permissions at the time they are accessing the security hotspot, can you share the logs from your instance via a private direct message so I can review?

Thanks,

Brian

Hi Brian. This is Sung.

  • Are you using SAML group syncing? If some are the groups (other than “sonar-users” which is given to all users) assigned through SAML?
    → Yes, we use SAML group sync.
  • Have the branches of the Projects in question been analyzed since you upgraded to SonarQube 10.1?
    → Yes. We upgraded SonarQube on June 29, but the branch with the problem was analyzed on July 20.
  • In Case #2, do you just see the button or can you actually change the status?
    → Yes, people who do not have “Security Hotspot Admin privileges” can update status.
  • Are these cases with a single user or multiple users?
    → multiple users

Thank you.

Sung.

Hi, This is Sung.

Any update?
Please check it.

Thank you so much.

Sung.