
Security hotspots


A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube Server, SonarQube Cloud, and SonarQube Community Build documentation.

Hotspot analysis

SonarQube for Eclipse does not detect hotspots on its own but is able to report hotspots found by SonarQube Server and SonarQube Community Build when running in connected mode. Starting from SonarQube for Eclipse 5.7, you can use the SonarQube Open in IDE feature to open a security hotspot in Eclipse. Unfortunately, at this time, SonarQube for Eclipse does not report security hotspots found on SonarQube Cloud.

Reviewing hotspots

First, open a file in Eclipse and bind your project using Connected Mode with SonarQube Server 9.9 or newer. In SonarQube Server, go to the Your Project > Security Hotspots page and select a hotspot to review. Then, select the Open in IDE button and choose your Eclipse IDE from the list; the correct file will open in Eclipse and the hotspot will be highlighted in the code explorer. By default, a SonarQube for Eclipse hotspot badge is displayed for the security hotspot in the Eclipse Vertical ruler.

More information about your security hotspot result is presented in the SonarQube Security Hotspots view window, where you can find more details about the potential risk and how to fix it.

Hotspots are categorized by a High, Medium, or Low review priority. As with all issues found by SonarQube for Eclipse, double-clicking an issue in the SonarQube for Eclipse view window highlights the code in the code editor. Selecting a hotspot will automatically open the rule description where you have a chance to investigate further.

Viewing a security hotspot in Eclipse provides information about fixing the issue.

Fixing hotspots

How you fix a security hotspot depends on your assessment of the risk. Check the Rule description and the How can you fix it? tab to find recommended secure coding practices and compliant solutions (when available). More information can be found in the SonarQube Server and SonarQube Community Build documentation.

Once you determine the risk, you can either fix or mark your hotspot accordingly.

The SonarQube Security Hotspots view window in Eclipse gives you three tabs to help assess the hotspot's risk and, in most cases, offers you a compliant solution. You can update your code locally and submit your code to SonarQube Server or SonarQube Community Build for analysis to improve your code's health.

Or, in SonarQube Server or SonarQube Community Build, navigate to the hotspot and select the Change status button. From there, you can mark it as Acknowledged, Fixed, or Safe. You must be granted the Administer Security Hotspot permission level by a SonarQube Server or SonarQube Community Build project administrator to see the Change status button.
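As an added illustration of the review decision described above (this is example code written for this page, not part of the SonarQube documentation or the SonarQube for Eclipse code base), the Java class below contains two uses of a pseudo-random number generator, a common hotspot category. The class name, method names and the choice of this particular hotspot category are assumptions of the example. The point it makes is that the same flagged pattern can end in either review outcome: one occurrence carries no security risk and would be marked Safe, the other needs a fix before it can be marked Fixed.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Example class (hypothetical; not from SonarQube): two places where a
 * pseudo-random number generator is used. A hotspot on either line asks
 * the developer one question: does this value have to be unpredictable?
 */
public final class HotspotReviewExample {

    // Review outcome 1: no threat, mark the hotspot Safe.
    // Retry jitter only spreads load over time; nothing is protected by it,
    // so a predictable java.util.Random is acceptable here.
    private static final Random JITTER = new Random();

    public static long backoffWithJitterMillis(int attempt) {
        long base = 100L * (1L << Math.min(attempt, 6)); // capped exponential backoff
        return base + JITTER.nextInt(100);                // add 0..99 ms of jitter
    }

    // Review outcome 2: real risk, apply the compliant fix, then mark Fixed.
    // A session token must be unguessable, so a cryptographically strong
    // generator is required.
    private static final SecureRandom TOKEN_RNG = new SecureRandom();

    public static String newSessionToken() {
        byte[] bytes = new byte[32];                       // 256 bits of entropy
        TOKEN_RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // What the second hotspot looked like before the fix: the token was built
    // from java.util.Random, whose output is predictable. Kept only to show
    // the "before" state of the review; it is never called.
    @SuppressWarnings("unused")
    private static String sessionTokenBeforeFix() {
        byte[] bytes = new byte[32];
        new Random().nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        for (int attempt = 0; attempt < 4; attempt++) {
            System.out.println("attempt " + attempt + ": wait "
                    + backoffWithJitterMillis(attempt) + " ms");
        }
        System.out.println("session token: " + newSessionToken());
    }
}
```

When reviewing, record the reasoning behind a Safe decision in the hotspot comment so that the next reviewer does not have to repeat the assessment; a Fixed decision should point at the commit that replaced the insecure construct.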



© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
