which versions are you using: Enterprise Edition Version 9.9 (build 65466)
how is SonarQube deployed: zip
what are you trying to achieve:
I want to be able to see a history of security hotspots that have been fixed already. For example, a project recently was added to SonarQube and I get sent a link to a security hotspot and get asked to review if we need to address this via customer notification. But before I look at the link, the issue has been fixed by the project team. Now, opening SonarQube's hotspot link, I only get:
I have no way to see what the issue was about, nor a timeline how long the fix took etc…
Is there any way I did not find, to view already fixed vulnerabilities & hotspots with their details? Since we are working for customers on project basis, I also might need this information if customer asks about billed hours, so I can show them the issues that have been fixed in these hours etc. Currently I have no reasoning to show.
Yes, but it doesn't show any of the issues. Could it be that this is only showing something if the Status was changed to “Fixed” manually and not when SonarQube recognized the fix with the next Scan itself?
I've taken a closer look. The “Fixed” status is awarded manually: someone marks it “fixed” to indicate that a code change was made. But if the code that gave rise to the Security Hotspot is removed, it looks like they just go away with no subsequent ability to report on them.
Thank you.
That is unfortunately pretty inconsistent then and not really good for reporting, traceability etc.
Could this be reconsidered for future releases? I would expect a similar treatment like the manual Fixed status.
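Since the thread concludes that hotspots whose code is removed simply disappear from SonarQube, one workaround for the reporting and traceability need is to snapshot the hotspot list yourself on a schedule and keep entries that vanish between runs. The script below is an added example, not code from the thread, from SonarSource or from any project; it assumes the Web API endpoint `api/hotspots/search` with the `projectKey`, `status`, `resolution`, `p` and `ps` parameters and a JSON body containing a `hotspots` list and a `paging` object, as documented for SonarQube 9.x. The sample response, project key and hotspot keys are constructed for illustration.

```python
"""Keep a local history of SonarQube Security Hotspots so their details survive
after the offending code is removed and the hotspot vanishes from the UI.

Assumed (not from the thread): GET api/hotspots/search?projectKey=...&p=...&ps=...
returns {"paging": {...}, "hotspots": [...]} and accepts a user token as the
Basic-auth username with an empty password.
"""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed sample response in the assumed shape of api/hotspots/search.
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 2},
    "hotspots": [
        {"key": "HOTSPOT-EXAMPLE-1", "component": "demo:src/app/db.py", "project": "demo",
         "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
         "status": "TO_REVIEW", "line": 42,
         "message": "Make sure using a dynamically formatted SQL query is safe here.",
         "creationDate": "2024-01-10T09:00:00+0000", "updateDate": "2024-01-10T09:00:00+0000"},
        {"key": "HOTSPOT-EXAMPLE-2", "component": "demo:src/app/auth.py", "project": "demo",
         "securityCategory": "auth", "vulnerabilityProbability": "MEDIUM",
         "status": "TO_REVIEW", "line": 17,
         "message": "Make sure this hard-coded credential is not a security risk.",
         "creationDate": "2024-01-12T11:30:00+0000", "updateDate": "2024-01-12T11:30:00+0000"},
    ],
}

KEEP_FIELDS = ("component", "project", "securityCategory", "vulnerabilityProbability",
               "status", "resolution", "line", "message", "creationDate", "updateDate")


def parse_hotspots(payload):
    """Reduce one API page to {hotspot_key: selected fields}."""
    return {h["key"]: {f: h.get(f) for f in KEEP_FIELDS} for h in payload.get("hotspots", [])}


def merge_snapshot(previous, current, observed_at):
    """Merge this run's hotspots into the stored history.

    Hotspots present now are refreshed and stamped with first_seen/last_seen.
    Hotspots that were in the history but are absent now are kept, flagged as
    disappeared, and keep their last_seen timestamp: this is the record that
    SonarQube itself no longer shows once the code is gone.
    """
    merged = {}
    for key, entry in current.items():
        record = dict(previous.get(key, {}))
        record.update(entry)
        record.setdefault("first_seen", observed_at)
        record["last_seen"] = observed_at
        record["disappeared"] = False
        merged[key] = record
    for key, record in previous.items():
        if key not in current:
            kept = dict(record)
            kept["disappeared"] = True  # gone from the server; details preserved locally
            merged[key] = kept
    return merged


def disappeared_hotspots(snapshot):
    """Keys of hotspots that vanished from the server since they were first recorded."""
    return sorted(k for k, r in snapshot.items() if r.get("disappeared"))


def fetch_all_hotspots(base_url, project_key, token, page_size=500):
    """Page through api/hotspots/search (assumed endpoint) and return parsed hotspots."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    found, page = {}, 1
    while True:
        query = urllib.parse.urlencode({"projectKey": project_key, "p": page, "ps": page_size})
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/hotspots/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        found.update(parse_hotspots(payload))
        paging = payload.get("paging", {})
        if page * paging.get("pageSize", page_size) >= paging.get("total", 0):
            return found
        page += 1


def load_snapshot(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_snapshot(path, snapshot):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Offline demo on the constructed sample: run 1 sees both hotspots, run 2 sees one.
    now = datetime.now(timezone.utc).isoformat()
    history = merge_snapshot({}, parse_hotspots(SAMPLE_RESPONSE), now)
    later = {"HOTSPOT-EXAMPLE-2": history["HOTSPOT-EXAMPLE-2"]}
    history = merge_snapshot(history, later, now)
    print("disappeared:", disappeared_hotspots(history))
```

Run `fetch_all_hotspots` from a scheduled job (for example nightly per project), feed the result through `merge_snapshot` against the JSON file from `load_snapshot`, and write it back with `save_snapshot`; the `disappeared` entries, with their `message`, `component`, `line` and `last_seen`, are what you can later show a customer for hotspots that SonarQube no longer lists.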