Add an additional rules for security hotspot #252
Kudos, SonarCloud Quality Gate passed! 0 Bugs
@Reamer I built the plugin locally and downloaded SonarQube 8.1 community edition but I was surprised to see that the Security Hotspots feature is not there. So it seems it is a commercial feature only? To deploy a hand-hacked plugin into our licensed server environment is unfortunately not feasible. Perhaps someone from SonarSource could help us out here?
Hi @alixwar, You must also enable the function either via the global plug-in configuration or the sonar scanner configuration.
@Reamer I've now installed SonarQube 8.2 and here I can actually see the Security Hotspots menu. In other words, the Security Hotspots list is completely empty, but the vulnerable dependencies are listed as vulnerabilities. An example is rule OWASP:UsingComponentWithKnownVulnerability. Have I missed something? Update: Dammit. I think I built the wrong branch... Will try again... Update 2: Nope... Same issue. I deleted the project before and made sure to delete any caches. The violations from the plugin are reported. But not as hotspots:
Hi @alixwar As I wrote you can enable the function either via the global plug-in configuration or the sonar scanner configuration. Check out this part of the official documentation.
@Reamer I misunderstood you and had missed this option in my last verification. Will check now. Is there a reason to not have this option checked by default, you think?
I don't want to release a new major version. A minor release step should not change the logic.
@Reamer Unfortunately I end up in this state: I can confirm that it seems that the violations are reported as hotspots because the correct number of hotspots are listed in the dashboard. But as you can see I can't load the hotspots UI. I can't find anything in the different server logs. Do you have any suggestions? I'm guessing it's a JavaScript issue. When I refresh the page I can see for a millisecond a UI with one of the violations to review... But the rendering is breaking for some reason.
My user interface looks good. I'm using Firefox. Which browser did you use? The user interface comes from SonarQube. This plugin does not affect the user interface. Maybe you can test with another project. Take a look at our example folder.
@Reamer I tried Chrome and also Edge. Will check with Firefox... I don't see how changing project would help. There is something wrong that needs to be fixed. If it helps I can find out exactly which rule violations are causing issues. Maybe it's a character or similar in the rule name that is the problem here.
This would be very helpful.
@Reamer OK, I deleted the project in my local SonarQube instance and changed the setting to not use security hotspots and then reported again:
@pethers Can you reproduce this issue?
ping @pethers
@Reamer sorry for the delay, just noticed this now but will test it.
Tested it now and it worked well, https://www.hack23.com/sonar/security_hotspots?id=com.hack23.cia%3Acia-all&sinceLeakPeriod=false
Fixes #249