SonarQube Security Hotspots show warnings in the build even after reviewed as Safe

Hi All,

I am using SonarQube version 10.0 and the Security Hotspot feature looks a bit odd to me.
Even with me changing the status of a Security Hotspot to Safe, the issue continue to show up in my build as a warning in the same spot. This is the main branch build, not the PR build.
Is there any way to resolve this issue?
If I review the item as Safe, it shouldn’t keep showing as a warning in my build.
Can someone help me with more information about it?

Thank you very much!
Cristian

Hi Cristian,

I guess you’re analyzing a .NET solution?

The way it works is that every issue and Security Hotspot is raised in every analysis, and then at the server side, previous resolutions (Safe, Won’t Fix…) are re-applied. When analysis stops seeing the issues in code, then they’re Closed server-side.

And, assuming my .NET assumption is correct, yours is about the 3rd topic in the last couple weeks about what shows up in the .NET compile log. I’m going to flag this internally, but I don’t expect anything to change soon.

 
Ann

Hi,

Yes, it is a .NET Solution/
So, in this case, the warning will keep showing up, even if I update it as Safe, until I change the code in a way that SonarQube doesn’t understand it as a issue anymore. Am I correct?
The only way to remove the warning on Build is if I disable this specific rule?

Thank you!
Cristian

Hi Cristian,

You’re right on both counts.

I don’t suppose you could just ignore the compile log? :grin:

After all, everything that shows up there is present in SonarQube…

 
Ann

Hi,

We are trying to use a 0 warnings policy on our PRs, which means that we are trying to resolve all the issues that are showing up.
Every time a new security hotspot happens, we are verifying if it is a real issue, of if it is something that is alright on that specific case, which is the case for updating the security hotspot to Safe.
We would like to not see the warnings in case we changed the status to Safe, for example.
Is there a way to open a feature request for that?

Thank you!
Cristian

Hi Cristian,

If you work from the SonarQube interface, then this is very doable.

And as I said, I’ve referred this internally.

 
HTH,
Ann

Hi Ann,

Thank you very much for the information and for referring this internally.

Regards,
Cristian

Hi Cristian,

Thank you for sharing your issue with us. I have recorded that problem as a potential evolution on our side.

Denis