Security hotspots
A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube Server, SonarQube Cloud, and SonarQube Community Build documentation.
Hotspot analysis
In SonarQube for VS Code, local detection of Security hotspots is enabled if you are using Connected mode with a project on SonarQube Server or SonarQube Community Build; from version 3.18+ Security hotspots are also found when bound to a project in SonarQube Cloud. These issue types are shown under the SECURITY HOTSPOTS view located in the SonarQube View Container and are grouped by file.
Reviewing hotspots
First, open a file while your project is running in connected mode with SonarQube (Server, Cloud) or SonarQube Community Build. SonarQube for VS Code will automatically run an analysis to look for Security hotspots and then compares local results against those found on the SonarQube (Server, Cloud) or SonarQube Community Build. The Security Hotspot results will be automatically grouped by file and labeled as Newly detected or Already known.
Selecting an issue in either category highlights the code in the explorer window. It is possible to change the vulnerability status in SonarQube for VS Code, or in SonarQube (Server, Cloud) or SonarQube Community Build server. See the Fixing hotspots article below for more information.
Newly detected hotspots
Newly detected security hotspots are those found during the analysis and exist only locally. Newly detected hotspots can be fixed by modifying your code or by submitting your code to trigger a new analysis on the server where you can mark it as Fixed or Safe on the server.
Right-clicking on a Newly detected hotspot reveals 2 options to select:
- Clear Highlighting to remove the highlight over your code in the explorer window.
- Show Rule Description to open the rule in the SonarQube for VS Code view window.
Already known hotspots
Once the security hotspot analysis is complete, SonarQube for VS Code will compare the local results against those found on the server and sort them accordingly. Already known security hotspots are those that exist locally and in SonarQube (Server, Cloud) or SonarQube Community Build. Already known hotspots can be fixed by modifying your code in the IDE, or you can mark it as Fixed or Safe on the server.
Right-clicking on an Already known hotspot gives you these 3 options to select:
- Change Status to modify the status of a known hotspot.
- Clear Highlighting to remove the highlight over your code in the explorer window.
- Review on Server to open the hotspot in SonarQube Server or SonarQube Community Build where you can mark it as Fixed or Safe.
- Show Hotspot Details will open the details view and provide information about the rule and the current status of the hotspot.
Reporting security hotspots In the Whole Folder
By default, SonarQube for VS Code will search for Security Hotspots only in open files each time an analysis is triggered; the use of Connected Mode is required. To activate an analysis for security hotspots in your entire project, select In Whole Folder from the SONARQUBE > SECURITY HOTSPOTS view container.
When selecting In Whole Folder, a scan of your entire project will be made. Switching back to In Open Files will filter the results to files open in the code editor. Each time you select In Whole Folder, a new analysis will be triggered on the entire project.
Using the In Whole Folder feature may consume excessive resources depending on the size of your project. If your project is too large, a notice will appear to confirm the action. Therefore, it is recommended that users define a set of file exclusions when analyzing large projects with the In Whole Folder feature. Because SonarQube for VS Code exclusions are ignored when running in Connected mode, file exclusions must be defined in SonarQube Server, SonarQube Cloud, or SonarQube Community Build.
However, SonarQube for IDE will deploy these file exclusions automatically:
- File extension: SonarQube for IDE knows the primary language of your project and will restrict the scope of analysis to files matching that set of extensions.
- File size: Files larger than 0.5 Mb will be ignored…
- .gitignore: Exclusions added to your .gitignore file will be excluded.
Although .gitignore files are excluded from analysis by default, git offers little transparency and the analyzer cannot investigate further when there is an error. Therefore, it is recommended that you use the VS Code exclusions or the SonarQube (Server, Cloud) and SonarQube Community Build exclusions when running in connected mode, to supplement what’s defined in your .gitignore file.
Defining file exclusions
Because SonarQube for VS Code exclusions are ignored when running in Connected mode, file exclusions must be defined in SonarQube Server, SonarQube Cloud, or SonarQube Community Build.
Using wildcards
Check the SonarQube Server, SonarQube Cloud, or SonarQube Community Build documentation about defining your analysis scope to see examples using wildcard patterns for file exclusion. Note that SonarQube for IDE does not consider test file patterns for exclusion; you should follow the VS Code guidelines above to define your exclusions for large projects.
Fixing hotspots
How you fix a security hotspot depends on your assessment of the risk. Check the Rule description and the How can I fix it? tab to find recommended secure coding practices and compliant solutions (when available). More information can be found in the SonarQube Server, SonarQube Cloud, and SonarQube Community Build documentation.
Once you determine the risk, you can either update your code locally, or if the hotspot matches one found on the server, change the hotspot’s review status in the IDE from To Review to Fixed, or Safe. Prerequisites to change the review status in the IDE are:
- The security hotspot detected locally is already known by SonarQube (Server, Cloud) and SonarQube Community Build.
- You are granted the Administer Security Hotspot permission level by a project administrator.
In SonarQube for VS Code v3.21 or newer running in Connected Mode with SonarQube Server 10.2 or newer, it is possible to mark issues locally before submitting a PR for analysis. Note that it is not possible to mark security hotspots found locally.
Please see the Marking issues article on the Fixing issues page for more details.
Simply right-click the hotspot in the SECURITY HOTSPOTS view to select Change Status; from there, a wizard will open to help you mark it as To review, Fixed, or Safe from the IDE. Next time your project binding syncs with the server, your status update will be reflected in SonarQube (Server, Cloud) and SonarQube Community Build.
When running in connected mode with SonarQube Server 10.4 or newer, Won’t Fix becomes Accept.
Was this page helpful?