A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code.
Another way of looking at hotspots can be the concept of Defense in depth (computing), in which several redundant protection layers are placed in an application so that it becomes more resilient in the event of an attack.
Issue types (bug, vulnerability, and code smell) are deprecated. Issues are now tied to Clean Code attributes and software qualities impacted. See Clean Code for more details.
The main difference between a hotspot and a vulnerability is the need for review before deciding whether to apply a fix:
- With a hotspot, a security-sensitive piece of code is highlighted, but the overall application security may not be impacted. It's up to the developer to review the code to determine whether or not a fix is needed to secure the code.
- With a vulnerability, a problem that impacts the application's security has been discovered and needs to be fixed immediately.
An example of a hotspot is the RSPEC-2092 where the use of a cookie secure flag is recommended to prevent cookies from being sent over non-HTTPS connections. A review is needed in this example because:
- HTTPS is the main protection against MITM attacks and so the secure flag is only additional protection in case of some failures of network security.
- The cookie may be designed to be sent everywhere (non-HTTPS websites included) because it's a tracking cookie or similar.
With hotspots, we try to give some freedom to users and educate them on how to choose the most relevant/appropriate protections depending on the context (for example, budgets and threats).
While the need to fix individual hotspots depends on the context, you should view security hotspots as an essential part of improving an application's robustness. The more fixed hotspots there are, the more secure your code is in the event of an attack. Reviewing security hotspots allows you to:
- Understand the risk: Understanding when and why you need to apply a fix in order to reduce an information security risk (threats and impacts).
- Identify protections: While reviewing hotspots, you'll see how to avoid writing code that's at risk, determine which fixes are in place, and determine which fixes still need to be implemented to fix the highlighted code.
- Identify impacts: With hotspots, you'll learn how to apply fixes to secure your code based on the impact on overall application security. Recommended secure coding practices are included on the hotspots page to assist you during your review.
Security hotspots have a dedicated lifecycle. To make status changes, the user needs the Administrator security hotspots permission level. This permission is enabled by default. Users with the Browse permission level can comment on or change the user assigned to a security hotspot.
Through the lifecycle, a security hotspot takes one of the following statuses:
- To review: The default status of new security hotspots set by SonarQube. A security hotspot has been reported and needs to be checked.
- Acknowledged: A developer has reviewed the security hotspot and a resolution to the highlighted risk is pending. This covers cases where a fix is in progress or where time is needed to determine the next step.
- Fixed: A developer has reviewed the security hotspot and applied a fix.
- Safe: A developer has reviewed the security hotspot and determined that no change is necessary (for example, because other more relevant protections are already in place).
Follow this workflow to review security hotspots and apply any fixes needed to secure your code.
When SonarQube detects a security hotspot, it's added to the list of security hotspots according to its review priority from high to low. Hotspots with a high review priority are the most likely to contain code that needs to be secured and require your attention first.
Review priority is determined by the security category of each security rule. Rules in categories that are ranked high on the OWASP Top 10 and CWE Top 25 standards are considered to have a high review priority. Rules in categories that aren't ranked high or aren't mentioned on the OWASP Top 10 or CWE Top 25 standards are rated as Medium or Low. Please see Security-related rules for more details.
When reviewing a hotspot, you should:
- Review the What's the risk? tab to understand why the security hotspot was raised.
- From the Assess the risk tab, read the Ask Yourself Whether section to determine if you need to apply a fix to secure the code highlighted in the Security Hotspot.
- From the How can you fix it? tab, follow the recommended secure coding practices to fix your code if you've determined it's unsafe.
After following these steps, set the security hotspot to the appropriate status (see above): Acknowledged, fixed, or safe. If you need another user’s review, you can leave it as To review.
The Review history tab shows the history of the security hotspot including the status it's been assigned and any comments the reviewer had regarding the Hotspot.
Seeing a security hotspot directly in the IDE can help you better understand its context and decide whether it is safe or not. This is the purpose of the Open in IDE button that you'll see as an authenticated user.
This feature is available to users of:
- SonarLint for IntelliJ 4.13 and above
- SonarLint for Visual Studio 4.29 and above
- SonarLint for VS Code 1.20 and above
- SonarLint for Eclipse 5.7 and above
It’s best if your project is already open in the appropriate IDE and bound to the server through SonarLint's Connected Mode before selecting the Open in IDE button. With SonarLint for IntelliJ, VS Code, and Eclipse, Automatic Connected Mode setup is available; to use the Open in IDE feature with SonarLint for Visual Studio, you will need to have already set up Connected Mode beforehand.
Keep in mind that the revision or branch analyzed by SonarQube may not be the same as what you have opened in the IDE. In this case, SonarLint will do its best to locate the security hotspot in your local code.