Which are security issues and which are security hotspots?

Hey Ann,
Can you please tell me which issues we will get to see in the “security issues” tab and which we will get to see in the “security hotspots” tab?

Hi,

Welcome to the community!

The easy answer to this is to look at the type of the underlying rule.

The more serious answer is: if whether or not it’s actually a problem depends on context, then that’s a Security Hotspot. If it’s always a problem, regardless of context, then that’s a Vulnerability.

 
HTH,
Ann

1 Like

Hi Ann,

I also asked myself this question and that is a comprehensive answer, right to the point.
Is it correct that using rules with type Security Hotspot in the Quality Profile only makes sense if I also have a corresponding condition (security hotspots reviewed) in the Quality Gate?

Gilbert

Hi Gilbert,

IMO there’s probably also context to this.

We used to have a Security Hotspot rule (we’ve since dropped it) about setting cookies. My favorite illustration for Security Hotspots was: if you’re setting a cookie that contains PII and my credit card number, that’s a problem. If you’re setting a cookie that contains my favorite milkshake flavor, that’s not a problem. And if you’re setting a cookie in an application that has no access to PII or other sensitive information… it can’t possibly be a problem. (Don’t tell me to turn the rule off. That messes up my example. :joy:)

Our Security PM agrees with you and that’s actually why the built-in Quality Gate has this cranked up to 100% reviewed (on new code). And at the same time, we don’t show Security Hotspots in PRs or in SonarLint, so… make of that what you will.

 
Ann

1 Like
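The two tabs map onto two different web API endpoints, and the Quality Gate condition Ann mentions is just a ratio over the hotspot list. The script below is an added example, not from this thread or from SonarSource, that pulls both lists for a project and computes the “Security Hotspots Reviewed” percentage against the 100% threshold. It assumes that `api/issues/search?types=VULNERABILITY` returns `{"issues": [...]}` and that `api/hotspots/search?projectKey=...` returns `{"hotspots": [...]}` where each hotspot carries a `status` of `TO_REVIEW` or `REVIEWED`; the sample payloads, rule keys and file paths are constructed for illustration.

```python
"""List what lands in a SonarQube project's Vulnerabilities tab versus its
Security Hotspots tab, and compute the reviewed ratio the Quality Gate checks.

Assumptions (not from the thread): response shapes of api/issues/search and
api/hotspots/search as described below; a token passed as the HTTP basic-auth
username with an empty password. Sample payloads are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample in the assumed shape of api/issues/search?types=VULNERABILITY.
# Rule keys and paths are placeholders, not real SonarQube identifiers.
SAMPLE_VULNERABILITIES = {
    "issues": [
        {"key": "V1", "rule": "placeholder:injection-rule", "severity": "BLOCKER",
         "type": "VULNERABILITY", "component": "proj:src/Dao.java", "line": 42},
        {"key": "V2", "rule": "placeholder:xss-rule", "severity": "CRITICAL",
         "type": "VULNERABILITY", "component": "proj:src/Web.java", "line": 17},
        # A code smell would never show up in the Vulnerabilities tab.
        {"key": "S1", "rule": "placeholder:smell-rule", "severity": "MAJOR",
         "type": "CODE_SMELL", "component": "proj:src/Util.java", "line": 5},
    ]
}

# Constructed sample in the assumed shape of api/hotspots/search?projectKey=...
SAMPLE_HOTSPOTS = {
    "hotspots": [
        {"key": "H1", "status": "TO_REVIEW",
         "securityCategory": "insecure-conf", "component": "proj:src/Session.java", "line": 88},
        {"key": "H2", "status": "REVIEWED", "resolution": "SAFE",
         "securityCategory": "insecure-conf", "component": "proj:src/Prefs.java", "line": 12},
        {"key": "H3", "status": "REVIEWED", "resolution": "FIXED",
         "securityCategory": "weak-cryptography", "component": "proj:src/Hash.java", "line": 30},
    ]
}


def count_vulnerabilities_by_severity(issues_payload):
    """Counts per severity of what the Vulnerabilities tab lists (type VULNERABILITY only)."""
    counts = {}
    for issue in issues_payload.get("issues", []):
        if issue.get("type") != "VULNERABILITY":
            continue
        counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts


def pending_hotspot_review(hotspots_payload):
    """(component, line, category) of hotspots a human still has to look at."""
    return [
        (h["component"], h["line"], h.get("securityCategory", "?"))
        for h in hotspots_payload.get("hotspots", [])
        if h.get("status") == "TO_REVIEW"
    ]


def hotspots_reviewed_percent(hotspots_payload):
    """Reviewed hotspots / all hotspots, as a percentage.

    With no hotspots at all there is nothing to review, so this returns 100.0;
    treating the empty case as "fully reviewed" is an assumption of this example.
    """
    hotspots = hotspots_payload.get("hotspots", [])
    if not hotspots:
        return 100.0
    reviewed = sum(1 for h in hotspots if h.get("status") == "REVIEWED")
    return 100.0 * reviewed / len(hotspots)


def quality_gate_passes(reviewed_percent, threshold=100.0):
    """The built-in gate requires 100% of (new-code) hotspots reviewed."""
    return reviewed_percent >= threshold


def fetch_json(base_url, path, token, **params):
    """GET a SonarQube web API endpoint with a user token (basic auth, token as username)."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Offline run on the constructed samples; swap in fetch_json(...) for a live server:
    #   vulns = fetch_json(URL, "api/issues/search", TOKEN, componentKeys=KEY, types="VULNERABILITY")
    #   spots = fetch_json(URL, "api/hotspots/search", TOKEN, projectKey=KEY)
    print("Vulnerabilities tab:", count_vulnerabilities_by_severity(SAMPLE_VULNERABILITIES))
    print("Hotspots awaiting review:", pending_hotspot_review(SAMPLE_HOTSPOTS))
    pct = hotspots_reviewed_percent(SAMPLE_HOTSPOTS)
    print(f"Security Hotspots Reviewed: {pct:.1f}% -> gate {'passes' if quality_gate_passes(pct) else 'fails'}")
```

On the constructed data the gate fails (two of three hotspots reviewed, 66.7%), which is exactly the situation Gilbert asks about: without the “security hotspots reviewed” condition, enabling hotspot rules in the profile changes nothing about whether a build is blocked.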

If I have understood you correctly, this is where improvements need to be made!?

Hi,

Ehm… Changes are coming here, but nothing I’m allowed to announce (or can convince anyone else to announce). :flushed:

 
Ann

Hi Sonar Team,

Currently our SonarQube is on version 9.9.0.65466, which is Community Edition. As per Jayant’s query, does it support the security standards OWASP 2021/2017 and SANS 25?

We have tried to scan vulnerable code from GitHub (snoopysecurity/Vulnerable-Code-Snippets, a small collection of vulnerable code snippets, and cr0hn/vulnerable-node, a very vulnerable web site written in NodeJS with the purpose of having a project with identified vulnerabilities to test the quality of security analyzer tools) on our SonarQube server, which was not showing any vulnerability based on the security standards OWASP 2021/2017 and SANS 25.

Can you please let us know if version 9.9 supports the above-mentioned security standards, or do we need to apply any changes or updates to our current tool to get the security results?

Thanks & Regards,
Garima Goyal

Welcome :slight_smile:

see Security reports

Security reports are available starting in Enterprise Edition ($)

Gilbert

1 Like