Security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find that there is no threat or that you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube and SonarCloud documentation.

Hotspot analysis

SonarLint for Eclipse does not detect hotspots on its own but is able to report hotspots found by SonarQube when running in Connected Mode. Starting from SonarLint Eclipse 5.7, you can use the SonarQube Open in IDE feature to open a security hotspot in Eclipse.

Reviewing hotspots

First, open a file in Eclipse and bind your project using Connected Mode with SonarQube 9.7 or newer. In SonarQube, go to the Your Project > Security Hotspots page and select a hotspot to review. Then, select the Open in IDE button and choose your Eclipse IDE from the list; the correct file will open in Eclipse and the hotspot will be highlighted in the code explorer. By default, a SonarLint hotspot badge is displayed for the security hotspot in the Eclipse vertical ruler.

More information about your security hotspot result is presented in the SonarLint Security Hotspots view window where you can find more details about the potential risk and how to fix it. 

Hotspots are categorized by a High, Medium, or Low review priority. As with all issues found by SonarLint, double-clicking an issue in the SonarLint view window highlights the code in the code editor. Selecting a hotspot will automatically open the rule description where you have a chance to investigate further.

Viewing a security hotspot in Eclipse provides information about fixing the issue.

Fixing hotspots

How you fix a security hotspot depends on your assessment of the risk. Check the Rule description and the How can you fix it? tab to find recommended secure coding practices and compliant solutions (when available). More information can be found in the SonarQube documentation.

Once you determine the risk, you can either fix or mark your hotspot accordingly.

The SonarLint Security Hotspots view window in Eclipse gives you three tabs to help assess the hotspot's risk and, in most cases, offers you a compliant solution. You can update your code locally and submit your code to SonarQube for analysis to improve your code's health.

Or, in SonarQube, navigate to the hotspot and select the Change status button. From there, you can mark it as Acknowledged, Fixed, or Safe. You must be granted the Administer Security Hotspot permission level by a SonarQube project administrator to see the Change status button.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
