Security Hotspots
Beginning in version 8.0, local detection of Security Hotspots is enabled if you are using Connected Mode with a project on SonarQube 9.7 or above. Security hotspots are shown under the Security Hotspots tab located in the SonarLint view window.
First, open a file while your project is running in Connected Mode with SonarQube 9.7+. SonarLint will automatically run an analysis to look for Security hotspots, then compare local results against those on the SonarQube server.
All security hotspot results are presented in the Security Hotspots tab of the SonarLint view window. Detected hotspots will be categorized by High, Medium, or Low review priority as noted by their icon. Hotspots found both locally and on the SonarQube server are identified by an additional SonarQube icon.
As with all issues found by SonarLint, double-clicking an issue in the SonarLint view window highlights the code in the code editor. Selecting a hotspot will automatically open the rule description where you have a chance to investigate further.
With SonarLint for IntelliJ, it is possible to analyze and detect security hotspots in all project files:
- Select the Analyze All Project Files icon in the Report tab.
- Select the Analyze VCS Changed Files icon to analyze files changed since the last commit.
- Right-click on a selection of files in the explorer window and select SonarLint > Analyze with SonarLint to populate issues in the Report tab for review. In the Report tab, security hotspots are displayed separately from regular issues and are grouped by file.
New security hotspots are those not yet detected by a SonarQube analysis; they carry only a single hotspot icon, which identifies their review priority. These hotspots can be resolved by modifying the code, or by submitting your code to trigger a new analysis in SonarQube.
If your Hotspot is safe:
- submit your code to trigger a new analysis in SonarQube and mark it Safe on the server.
If you’re not sure that your Hotspot is safe:
- Check the Rule description to assess the risk and the How can I fix it? tab for recommended secure coding practices and compliant solutions (when available).
Once the local analysis is complete, SonarLint compares the local results against those found on the SonarQube server; hotspots matched with SonarQube have an additional SonarQube icon. At the moment, the status of a security hotspot can only be updated in SonarQube; a link to the SonarQube instance is provided in the Rule description tab. There, you can mark the hotspot To review, Acknowledged, Fixed, or Safe, and define an Assignee if needed.