The Security Review Rating was designed to measure how good is a team to follow the process around Security Hotspots. It is visible at Portfolio level and computed but not visible at Project/Application level. It targets Managers while we expect at first Developers to act on Security Hotspots, not Managers.
- Developers have not way to know if they follow correctly the process to review Security Hotspots.
- Managers have access to an information (Security Review Rating) that is hard to understand: the formula and range of the ratings are not trivial and not easy to remember
- Developers don't have access to this information, the Security Review Rating
- The current formula used to compute the Security Review Rating is not representing the truth: a team not reviewing its Security Hotspots can easily have a A rating while it should not be the case
As a developer:
- I would like to know if I run the Security Hotspots process correctly and be encouraged to review more.
- each time I do an action on a Security Hotspots, some indicators should be updated so I know the impact of my action
- when I run the process perfectly (ie: all Security Hotspots are reviewed), I should get the best reward/rating
The Security Review Rating currently existing on Portfolios will be available and visible on Applications and Projects.
The formula behind Security Review Rating is changed and based on a newly introduced measure called: Security Hotspots Reviewed.
It is computed by doing a ratio between the number of Reviewed (Fixed or Safe) and To_Review Security Hotspots.
Security Review Rating value is based on the value of the Security Hotspots Reviewed measure following this table:
|B||>= 70% and < 80%|
|C||>= 50% and < 70%|
|D||>= 30% and < 50%|
Project / Application Overview Page
The Security Review Rating is added in the same way the Security Rating is displayed.
MMF-1886 is implemented before this one:
- a new row Security Review is added after the Security row and before the Maintainability one.
- the "Security Hotspots" measure is removed from the "Security" row.
- this applies for "New Code" and "Overall Code"
- the Security Rating and Security Hotspots Reviewed % are showed in this new row
A new row is added after the "New Vulnerabilities" one and before the Code Smell one.
This new row is containing "New Security Hotspots", "New Security Review Rating", Security Hotspots Reviewed %.
The Security Review Rating is already display in the Home and Security Reports pages, so there is nothing to add.
Still, the formula used to compute the Security Review Rating at Portfolio level should be changed to be easier to understand.
The new formula will be the same as the one used for the Vulnerability and Reliability ratings: calculated as the average of the ratings for all projects included in the Portfolio.
Security Hotspots Page
The Security Review Rating (Overall or New Code depending on the filter selected) is displayed on the top right, in the filter bar so that developer see it changing each time he will review a Security Hotspot.
The 2 Security Hotspots measures are removed from the "Security" facet to clarify their purpose.
A new facet "Security Review" is introduced containing the following measures:
- security_review_rating [NEW on Projects]
- security_hotspots_reviewed (%) [NEW]
- new_security_review_rating [NEW]
- new_security_hotspots_reviewed (%) [NEW]
These [NEW]ly introduced measures should be configurable in a Quality Gate.
No "Overview" entry should be provided for the "Security Review" facet.
A new facet is added on the left column called Security Review below the Security one.
In term of layout it's a mix between Security and Coverage:
- Ratings are displayed as icons
- The percentages breakdown is displayed like it is done for Coverage facet
The layout of a project summary is adjusted to included the Security Review Rating (security_review_rating) and Security Hotspots Reviewed % (security_hotspots_reviewed)
The impacts on PR decoration will be handled by
During the ideation phase it was discussed that we compute the percentage of reviewed hotspots that belongs to the High, Medium, Low review priorities. Given the fact that this concept of Review Priority is just introduced by
MMF-1868 and we received no feedback about it, no related measure will be computed for the moment.
The current value of the Security Review Rating should be deleted (NULL) and will be recomputed automatically during next analysis.
A special note should be added to the Release Notes.
See Jira tickets.