SonarQube / SONAR-12717

New dedicated project page displays the list of Security Hotspots


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.2
    • Component/s: Security Hotspots
    • Labels:
      None
    • Edition:
      Community
    • Production Notes:
      None

      Description

      New page Security Hotspots

      • page name is "Security Hotspots"
      • it appears before "Security Reports"
      • visible to anyone
      • see wireframe for UI
      • displays the list of all Security Hotspots which are not resolved on the current project (i.e. the main branch)
        • count of hotspots is displayed in the title
        • grouped and ordered by "Risk Exposure"
        • "Risk exposure" groups are collapsible and display the count of hotspots in the group
        • groups with no hotspots are hidden
        • in each group, hotspots are displayed grouped by SonarQube Security categories, in alphabetical order
        • should hotspots be grouped and ordered by project inside a category, and then by alphabetical file name?
      • the UX of the list is not compatible with pagination, but the WS must be paginated => the frontend should hide the pagination and display a loading icon
      • what is the UI when there is no hotspot to review?

      New WS api/hotspots/search

      • internal
      • requires the 'Browse' permission on the specified project
      • parameters
        • projectKey
        • p & ps (pagination)
      • hotspots should be returned in the order expected in the UI
      • response example:
        similar to api/issues/search response but
        1/ "users", "transitions", "actions", "textRange", "flows", "attr", "comments", "tags", "severity", "effort" and "type" were removed
        2/ "securityCategory" has been added
        3/ "vulnerabilityProbability" has been added (values: HIGH, MEDIUM, LOW)
        4/ are the "line" and "hash" fields needed?
        5/ rule "status", "lang" and "langName" are dropped
      {
        "paging": {
          "pageIndex": 1,
          "pageSize": 100,
          "total": 1
        },
        "hotspots": [
          {
            "key": "01fc972e-2a3c-433e-bcae-0bd7f88f5123",
            "component": "com.github.kevinsawicki:http-request:com.github.kevinsawicki.http.HttpRequest",
            "project": "com.github.kevinsawicki:http-request",
            "securityCategory": "command-injection",
            "vulnerabilityProbability": "MEDIUM",
            "status": "RESOLVED",
            "resolution": "FALSE-POSITIVE",
            "message": "'3' is a magic number.",
            "line": 81,
            "author": "Developer 1",
            "creationDate": "2013-05-13T17:55:39+0200",
            "updateDate": "2013-05-13T17:55:39+0200"
          }
        ],
        "components": [
          {
            "key": "com.github.kevinsawicki:http-request:src/main/java/com/github/kevinsawicki/http/HttpRequest.java",
            "qualifier": "FIL",
            "name": "HttpRequest.java",
            "longName": "src/main/java/com/github/kevinsawicki/http/HttpRequest.java",
            "path": "src/main/java/com/github/kevinsawicki/http/HttpRequest.java"
          },
          {
            "key": "com.github.kevinsawicki:http-request",
            "qualifier": "TRK",
            "name": "http-request",
            "longName": "http-request"
          }
        ]
      } 
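The ticket leaves the frontend to walk every page of api/hotspots/search and then lay the result out by risk exposure, security category, project and file. The following Python is an added example (not SonarQube's own code) that does exactly that over a constructed in-memory stand-in for the WS: `fake_search`, `SAMPLE_HOTSPOTS` and `SAMPLE_COMPONENTS` are assumptions that mimic the response shape above, the client drops hotspots whose status is "RESOLVED" (the page only shows unresolved ones), and the final tie-break on "line" is my own choice, not something the ticket specifies.

```python
"""Client-side consumer of the api/hotspots/search response shape from SONAR-12717.

Constructed example: the HTTP call is replaced by an in-memory page server so the
pagination walk and the UI grouping rules can be exercised offline.
"""
from typing import Callable, Dict, List, Tuple

# Risk exposure order the page shows groups in (values listed in the ticket).
RISK_ORDER = ["HIGH", "MEDIUM", "LOW"]

# Constructed sample data in the shape of the ticket's response example
# (field names follow the sample; keys, projects and messages are made up).
SAMPLE_HOTSPOTS = [
    {"key": "h1", "component": "proj-a:src/B.java", "project": "proj-a",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
     "status": "TO_REVIEW", "message": "Review this SQL query", "line": 10},
    {"key": "h2", "component": "proj-a:src/A.java", "project": "proj-a",
     "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH",
     "status": "TO_REVIEW", "message": "Review this SQL query", "line": 3},
    {"key": "h3", "component": "proj-b:src/C.java", "project": "proj-b",
     "securityCategory": "command-injection", "vulnerabilityProbability": "HIGH",
     "status": "TO_REVIEW", "message": "Review this command", "line": 7},
    {"key": "h4", "component": "proj-a:src/A.java", "project": "proj-a",
     "securityCategory": "weak-cryptography", "vulnerabilityProbability": "LOW",
     "status": "TO_REVIEW", "message": "Review this hash", "line": 42},
    {"key": "h5", "component": "proj-a:src/A.java", "project": "proj-a",
     "securityCategory": "command-injection", "vulnerabilityProbability": "MEDIUM",
     "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
     "message": "Already reviewed", "line": 81},
]
SAMPLE_COMPONENTS = [
    {"key": "proj-a:src/A.java", "qualifier": "FIL", "name": "A.java", "path": "src/A.java"},
    {"key": "proj-a:src/B.java", "qualifier": "FIL", "name": "B.java", "path": "src/B.java"},
    {"key": "proj-b:src/C.java", "qualifier": "FIL", "name": "C.java", "path": "src/C.java"},
    {"key": "proj-a", "qualifier": "TRK", "name": "proj-a"},
    {"key": "proj-b", "qualifier": "TRK", "name": "proj-b"},
]


def fake_search(project_key: str, p: int = 1, ps: int = 2) -> dict:
    """Stand-in for GET api/hotspots/search?projectKey=..&p=..&ps=.. (assumption:
    this stub serves one constructed dataset and ignores project_key)."""
    start = (p - 1) * ps
    return {
        "paging": {"pageIndex": p, "pageSize": ps, "total": len(SAMPLE_HOTSPOTS)},
        "hotspots": SAMPLE_HOTSPOTS[start:start + ps],
        "components": SAMPLE_COMPONENTS,
    }


def fetch_all(search: Callable[..., dict], project_key: str, ps: int = 2
              ) -> Tuple[List[dict], Dict[str, dict]]:
    """Walk every page: the UI hides pagination, so the client must loop until
    paging.total is covered (or a page comes back empty)."""
    hotspots: List[dict] = []
    components: Dict[str, dict] = {}
    p = 1
    while True:
        resp = search(project_key, p=p, ps=ps)
        hotspots.extend(resp["hotspots"])
        for comp in resp["components"]:
            components[comp["key"]] = comp
        if not resp["hotspots"] or p * ps >= resp["paging"]["total"]:
            break
        p += 1
    return hotspots, components


def group_for_ui(hotspots: List[dict], components: Dict[str, dict]) -> List[dict]:
    """Apply the ticket's display rules: unresolved only, grouped by risk exposure,
    then security category (alphabetical), then project, then file name; empty
    risk groups are hidden. Ordering by line inside a file is an assumption."""
    def file_name(h: dict) -> str:
        comp = components.get(h["component"], {})
        return comp.get("name") or comp.get("path") or h["component"]

    def risk_rank(h: dict) -> int:
        risk = h.get("vulnerabilityProbability")
        return RISK_ORDER.index(risk) if risk in RISK_ORDER else len(RISK_ORDER)

    unresolved = [h for h in hotspots if h.get("status") != "RESOLVED"]
    ordered = sorted(unresolved, key=lambda h: (
        risk_rank(h), h["securityCategory"], h["project"], file_name(h), h.get("line", 0)))
    groups = []
    for risk in RISK_ORDER:
        in_risk = [h for h in ordered if h.get("vulnerabilityProbability") == risk]
        if not in_risk:
            continue  # groups with no hotspots are hidden
        categories: Dict[str, List[str]] = {}
        for h in in_risk:
            categories.setdefault(h["securityCategory"], []).append(h["key"])
        groups.append({"risk": risk, "count": len(in_risk), "categories": categories})
    return groups


def title_count(groups: List[dict]) -> int:
    """Count shown in the page title; 0 means the empty state must be rendered."""
    return sum(g["count"] for g in groups)


if __name__ == "__main__":
    all_hotspots, comps = fetch_all(fake_search, "proj-a", ps=2)
    for group in group_for_ui(all_hotspots, comps):
        print(group["risk"], group["count"], group["categories"])
```

Running it with a page size of 2 takes three round trips to cover the five sample hotspots, then renders two groups (HIGH with three hotspots, LOW with one); the MEDIUM group disappears because its only hotspot is resolved, which is the behaviour the "groups with no hotspots are hidden" bullet asks for.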

              People

              Assignee: Unassigned
              Reporter: Sebastien Lesaint (sebastien.lesaint)