Reinstate security hotspot rule definition #900
Conversation
The two rules should be different. One with the marking that it is a security hotspot rule.
@Reamer Apologies for the delay. Is it just the name that needs to change, i.e. "Using Components with Known Vulnerabilities Security Hotspot"?
I have finally found time to test the latest version of SonarQube. I noticed the following regarding the security hotspot.
I think I have found a solution. What do you think? Does it work for you?
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
index 436f3c5..f311a3e 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
@@ -21,9 +21,9 @@ package org.sonar.dependencycheck.rule;
import javax.annotation.ParametersAreNonnullByDefault;
+import org.sonar.api.issue.impact.Severity;
import org.sonar.api.issue.impact.SoftwareQuality;
import org.sonar.api.rule.RuleStatus;
-import org.sonar.api.issue.impact.Severity;
import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.dependencycheck.base.DependencyCheckConstants;
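Review bot: this hunk only moves the `import org.sonar.api.issue.impact.Severity;` line up to keep the imports alphabetical; it is cosmetic and unrelated to reinstating the hotspot rule. Either keep it out of the fix commit so the diff stays minimal, or confirm that `Severity` is actually referenced in this class, since an unused import should be dropped rather than reordered.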
@@ -40,6 +40,7 @@ public class KnownCveRuleDefinition implements RulesDefinition {
NewRule rule = repo.createRule(DependencyCheckConstants.RULE_KEY);
fillOWASPRule(rule);
+ rule.addDeprecatedRuleKey(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT);
repo.done();
}
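Review bot: `rule.addDeprecatedRuleKey(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT)` registers the old hotspot key as a deprecated alias of the single OWASP rule rather than defining a second, hotspot-typed rule, which is what the PR title and the "SonarQube 10.2 requires the security hotspot rule to be defined" description suggest. Please state in the description that the alias approach is the intended fix (existing issues and profile activations under the old key migrate to `RULE_KEY`), and add a unit test on `KnownCveRuleDefinition` asserting that the repository exposes `RULE_KEY` with `RULE_KEY_WITH_SECURITY_HOTSPOT` among its deprecated keys, so a future refactor cannot silently drop the alias and reintroduce the startup error.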
diff --git a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
index 99ac009..d57e849 100644
--- a/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
+++ b/sonar-dependency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/NeutralProfile.java
@@ -28,8 +28,6 @@ public class NeutralProfile implements BuiltInQualityProfilesDefinition {
public void define(Context context) {
NewBuiltInQualityProfile dependencyCheckWay = context.createBuiltInQualityProfile("Neutral", DependencyCheckConstants.LANGUAGE_KEY);
dependencyCheckWay.activateRule(DependencyCheckConstants.REPOSITORY_KEY, DependencyCheckConstants.RULE_KEY);
- dependencyCheckWay.activateRule(DependencyCheckConstants.REPOSITORY_KEY,
- DependencyCheckConstants.RULE_KEY_WITH_SECURITY_HOTSPOT);
dependencyCheckWay.done();
}
} |
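Review bot: removing the `activateRule(REPOSITORY_KEY, RULE_KEY_WITH_SECURITY_HOTSPOT)` call is required once that key is only a deprecated alias (activating a key that is no longer a defined rule would fail), but it also changes what the built-in "Neutral" profile activates for users who relied on the hotspot rule, so call this out in the changelog. Any other built-in profile in the plugin that activates `RULE_KEY_WITH_SECURITY_HOTSPOT` needs the same removal, otherwise the plugin will still fail to load for that profile.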
I see, thank you for this. The changes work for me insofar as I can now start SonarQube again with the plugin installed. I have still managed to produce security hotspots on the dashboard's overview tab, but trying to view them is giving me an error. I'll try to come back to this next week.
Whatever issue I'd hit on Friday I can't now recreate using 10.2.1 or 10.3.0. I still have security hotspots, but I can view them without any issues. I hope you don't mind, I've pushed your suggested changes.
Related to #870
SonarQube 10.2 requires the security hotspot rule to be defined, otherwise it throws an error: