SonarQube - SONAR-12718

Security Hotspots page displays details of a Security Hotspot


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.2
    • Component/s: Security Hotspots
    • Labels:
      None
    • Edition:
      Community
    • Production Notes:
      None

      Description

      New UI

      When the user clicks a Hotspot in the list of Hotspots, its details must be displayed:

      • see wireframe for UI
      • information displayed:
        • assignee
        • code snippet
        • recommendation (= the Hotspot message)

      ------------------------------------------------

      UPDATE 2020-02-10

      Mapping of rule description sections to tabs (tab name, then order within the tab):

      Rule's Description => What's the risk? => Order 1
      Exceptions => What's the risk? => Order 2

      Ask Yourself Whether => Are you vulnerable? => Order 1
      "Sensitive Code Example" => Are you vulnerable? => Order 2
      "Noncompliant Code Example" => Are you vulnerable? => Order 3

      "Recommended Secure Coding Practices" => How can you fix it? => Order 1
      "Compliant Solution" => How can you fix it? => Order 2
      "See" => How can you fix it? => Order 3

       

      • "What is the risk", "Are you at risk?" and "How to fix" tabs
      • Don't display empty tab
      • Display "What is the risk" tab first.
      • Add the permalink button on the top right part of the screen. Do not send the user to a new page as we currently do for permalinks on issues. Instead, confirm that the permalink has been copied to the clipboard, with feedback similar to what the system gives when a user copies the path of an issue location.

      ------------------------------------------------

      New WS api/hotspots/show

      • internal
      • requires the 'Browse' permission on the specified project
      • parameters
        • hotspot: the hotspot key
      • in the not-supposed-to-happen event that the rule's description can't be parsed into the three tab contents, none of them is returned by the WS
      • example of response
      {
        "key": "AW7QOzS_tx1LNN8GcG6l",
        "component": {
          "organization": "default-organization",
          "key": "com.sonarsource.securityexpectedissues:S5122servlet:src/main/java/Servlet.java",
          "qualifier": "FIL",
          "name": "Servlet.java",
          "longName": "src/main/java/Servlet.java",
          "path": "src/main/java/Servlet.java"
        },
        "project": {
          "organization": "default-organization",
          "key": "com.sonarsource.securityexpectedissues:S5122servlet",
          "qualifier": "TRK",
          "name": "S5122servlet",
          "longName": "S5122servlet"
        },
        "rule": {
          "key": "squid:S5122",
          "name": "Enabling Cross-Origin Resource Sharing is security-sensitive",
          "securityCategory": "insecure-conf",
          "vulnerabilityProbability": "LOW",
          "riskDescription": "lorem ipsum",
          "vulnerabilityDescription": "lorem ipsum",
          "fixRecommendations": "lorem ipsum"
        },
        "status": "TO_REVIEW",
        "resolution": "FALSE-POSITIVE",
        "line": 22,
        "message": "Make sure that enabling CORS is safe here.",
        "author": "pierre-loup.tristant@sonarsource.com",
        "creationDate": "2019-10-25T09:25:21+0200",
        "updateDate": "2019-12-04T10:26:05+0100",
        "textRange": {
          "startLine": 22,
          "endLine": 22,
          "startOffset": 2,
          "endOffset": 16
        }
      }
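      The following Python is an added illustration, not SonarQube's own code, of the two behaviours specified above: splitting a rule description into the three tab contents using the section mapping from the 2020-02-10 update, and then choosing which tabs to display (risk tab first, empty tabs hidden). It assumes that rule descriptions are HTML in which each section is introduced by an `<h2>` heading and that the text before the first heading is the "Rule's Description"; both are assumptions of this example. The sample description is constructed for the example and is not the real text of rule S5122. When a heading is not in the mapping, the function returns no tabs at all, mirroring the WS behaviour of not returning the tab fields rather than a partial split.

```python
import re
from typing import Dict, List, Optional, Tuple

# Section-to-tab mapping from the ticket (2020-02-10 update).
# Value: (WS field name from the example response, order within the tab).
SECTION_TO_TAB: Dict[str, Tuple[str, int]] = {
    "Rule's Description": ("riskDescription", 1),
    "Exceptions": ("riskDescription", 2),
    "Ask Yourself Whether": ("vulnerabilityDescription", 1),
    "Sensitive Code Example": ("vulnerabilityDescription", 2),
    "Noncompliant Code Example": ("vulnerabilityDescription", 3),
    "Recommended Secure Coding Practices": ("fixRecommendations", 1),
    "Compliant Solution": ("fixRecommendations", 2),
    "See": ("fixRecommendations", 3),
}

# Tab display order and labels; "What's the risk?" is displayed first.
TAB_LABELS: List[Tuple[str, str]] = [
    ("riskDescription", "What's the risk?"),
    ("vulnerabilityDescription", "Are you vulnerable?"),
    ("fixRecommendations", "How can you fix it?"),
]

# Assumption of this example: sections are introduced by <h2> headings.
_H2 = re.compile(r"<h2>\s*(.*?)\s*</h2>", re.IGNORECASE | re.DOTALL)


def split_rule_description(html_desc: str) -> Optional[Dict[str, str]]:
    """Split a rule description into the three tab contents.

    Returns a dict keyed by WS field name holding only tabs that have content.
    Returns None when a heading is not in the mapping (the "not supposed to
    happen" case), so that the caller omits all tab fields, not a partial set.
    """
    parts = _H2.split(html_desc)
    # parts = [preamble, heading1, body1, heading2, body2, ...]
    fragments: List[Tuple[str, int, str]] = []
    preamble = parts[0].strip()
    if preamble:
        tab, order = SECTION_TO_TAB["Rule's Description"]
        fragments.append((tab, order, preamble))
    for heading, body in zip(parts[1::2], parts[2::2]):
        if heading not in SECTION_TO_TAB:
            return None
        tab, order = SECTION_TO_TAB[heading]
        body = body.strip()
        if body:
            fragments.append((tab, order, body))
    grouped: Dict[str, List[Tuple[int, str]]] = {}
    for tab, order, body in fragments:
        grouped.setdefault(tab, []).append((order, body))
    # Concatenate each tab's sections in mapping order; empty tabs never appear.
    return {tab: "\n".join(b for _, b in sorted(chunks)) for tab, chunks in grouped.items()}


def tabs_to_display(rule: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (label, content) for each non-empty tab, risk tab first."""
    return [(label, rule[field]) for field, label in TAB_LABELS if rule.get(field)]


# Constructed sample description (not the real S5122 text) in the assumed format.
SAMPLE_RULE_HTML = """<p>Enabling CORS lets other origins read this servlet's responses.</p>
<h2>Ask Yourself Whether</h2>
<ul><li>Any origin is allowed to read the response.</li></ul>
<h2>Sensitive Code Example</h2>
<pre>response.setHeader("Access-Control-Allow-Origin", "*");</pre>
<h2>Recommended Secure Coding Practices</h2>
<p>Restrict the allowed origins to an explicit list.</p>
<h2>See</h2>
<ul><li>OWASP Top 10 - Security Misconfiguration</li></ul>
"""

if __name__ == "__main__":
    tabs = split_rule_description(SAMPLE_RULE_HTML)
    for label, content in tabs_to_display(tabs or {}):
        print(f"== {label} ==\n{content}\n")
```

      The WS would place the three values of the returned dict into `riskDescription`, `vulnerabilityDescription` and `fixRecommendations`; a `None` result means those fields are left out of the response, and the UI then falls back to showing whatever tabs are present, which is why the display function filters on content rather than on the presence of a key.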
      

              People

              Assignee:
              philippe.perrin Philippe Perrin
              Reporter:
              sebastien.lesaint Sebastien Lesaint