I can see some vulnerabilities and hotspots marked as C and E on the dashboard. However, when I check the issue details, they show medium-priority or Informational risks.
Looking at the SonarQube matrix, it categorizes security bugs as follows:
Security Rating (security_rating)
A = 0 Vulnerabilities
B = at least 1 Minor Vulnerability
C = at least 1 Major Vulnerability
D = at least 1 Critical Vulnerability
E = at least 1 Blocker Vulnerability
Should I consider E as a blocker or a critical vulnerability?
Could you help me understand how to categorize these correctly?
Since Security issues and Hotspots are different concepts, the ratings have slightly different meanings in the two cases:
Security rating is E when there is at least one blocker vulnerability.
Security Review rating is E when less than 30% of Security Hotspots are reviewed.
Please notice that if you’re using a recent version of SonarQube (10.x), we’ve simplified the concept of severity (high, medium, or low), which is now always associated with the rule and with the concept of software quality. See Clean-Code-based analysis | SonarQube Docs. This may lead to some temporary inconsistency between the explanation you still see in Security reports and the main severity you’ll now see associated with the issue.
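The following is an added example (not code from the thread or from SonarSource) that reproduces the two rating rules described above, so a dashboard letter can be reconciled with the per-issue severities in the issue list. The E threshold for the Security Review rating (less than 30% reviewed) is taken from the reply; the other review-rating thresholds, the INFO-does-not-lower-the-rating behaviour, and the REVIEWED/TO_REVIEW status names are assumptions based on SonarQube's published metric definitions, not statements from this thread.

```python
from collections import Counter

# Legacy issue severities, worst first, and the security_rating letter that a
# single open vulnerability of that severity forces (from the thread's table).
# INFO not lowering the rating below A is an assumption matching SonarQube's
# documented formula, not something the thread states.
SEVERITY_ORDER = ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]
SEVERITY_TO_RATING = {"BLOCKER": "E", "CRITICAL": "D", "MAJOR": "C", "MINOR": "B", "INFO": "A"}

# Security Review rating thresholds on the percentage of hotspots reviewed.
# The thread only states the E threshold (< 30%); the others are assumed.
REVIEW_THRESHOLDS = [(80.0, "A"), (70.0, "B"), (50.0, "C"), (30.0, "D")]


def security_rating(vulnerabilities):
    """Letter is set by the worst open vulnerability, regardless of how many there are."""
    present = {v["severity"] for v in vulnerabilities}
    for sev in SEVERITY_ORDER:
        if sev in present:
            return SEVERITY_TO_RATING[sev]
    return "A"  # no vulnerabilities at all


def security_review_rating(hotspots):
    """Letter is set by the share of hotspots whose status is REVIEWED."""
    if not hotspots:
        return "A"  # nothing to review (assumed, matches SonarQube behaviour)
    reviewed = sum(1 for h in hotspots if h["status"] == "REVIEWED")
    pct = 100.0 * reviewed / len(hotspots)
    for floor, letter in REVIEW_THRESHOLDS:
        if pct >= floor:
            return letter
    return "E"


def explain(vulnerabilities, hotspots):
    """Report both letters together with what drove each one."""
    by_sev = Counter(v["severity"] for v in vulnerabilities)
    worst = next((s for s in SEVERITY_ORDER if by_sev[s]), None)
    reviewed = sum(1 for h in hotspots if h["status"] == "REVIEWED")
    return {
        "security_rating": security_rating(vulnerabilities),
        "driven_by": f"{by_sev[worst]} {worst} vulnerability(ies)" if worst else "no vulnerabilities",
        "security_review_rating": security_review_rating(hotspots),
        "hotspots_reviewed": f"{reviewed}/{len(hotspots)}",
    }


# Constructed sample: one BLOCKER among mostly INFO findings, 2 of 10 hotspots reviewed.
SAMPLE_VULNS = [{"key": "v1", "severity": "INFO"}, {"key": "v2", "severity": "INFO"},
                {"key": "v3", "severity": "BLOCKER"}, {"key": "v4", "severity": "MAJOR"}]
SAMPLE_HOTSPOTS = [{"key": f"h{i}", "status": "REVIEWED" if i < 2 else "TO_REVIEW"} for i in range(10)]

if __name__ == "__main__":
    print(explain(SAMPLE_VULNS, SAMPLE_HOTSPOTS))
```

Running it on the constructed sample shows both letters are E for different reasons: one BLOCKER vulnerability on the Security rating, and only 20% of hotspots reviewed on the Security Review rating.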