gabrie-allaigre / sonar-gitlab-plugin

Adds to each GitLab commit a global comment on the new anomalies introduced by that commit, plus line comments on the modified files
GNU Lesser General Public License v3.0

Handling issues requiring manual code review #199

Open alexander-frolov opened 5 years ago

alexander-frolov commented 5 years ago

With the recent addition of the Security Hotspot issue type, we started seeing many issues that require code review with acknowledgment. Such issues usually start with a "Make sure ..." comment from SonarQube, such as "Make sure this file handling is safe here." As the SonarQube documentation specifies:

Security Hotspot rules are purposefully designed to draw attention to code that is security-sensitive. It is expected that more than 80% of the issues will be quickly resolved as "Won't Fix" after review by a Security Auditor.

The problem is that when such issues occur in dev branches with the preview analysis mode, the build fails because of the Security Hotspot issues and there is no way to go to SonarQube and say "Won't Fix", because the changes are not merged to the master yet and issues are raised in the preview mode.

Is there a way to say that Security Hotspot issues should not fail the build, without reducing their criticality, so that the Security Auditor can go to SonarQube and acknowledge that no fix is required?

bsalotti commented 5 years ago

+1 for this issue. Our workaround is to add // NOSONAR every time we encounter that kind of issue, which goes against the purpose of Security Hotspot rules.
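As an added example (not code from sonar-gitlab-plugin or from either poster), the gating behaviour the two posts above ask for, written in Python: Security Hotspot issues are collected for the auditor instead of failing a preview build, while other issues at or above a severity threshold still fail it, and hotspots silenced with the // NOSONAR workaround are surfaced so they are not lost. The issue records, file paths and messages are constructed sample data; the type and severity names are SonarQube's own.

```python
from dataclasses import dataclass

# SonarQube severities, ascending; issue types are BUG, VULNERABILITY,
# CODE_SMELL and SECURITY_HOTSPOT.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}


@dataclass
class Issue:
    type: str
    severity: str
    path: str
    line: int
    message: str


def gate(issues, fail_on="CRITICAL"):
    """Return (failed, blocking, review): hotspots never fail the build and
    are collected for the auditor; any other issue at or above fail_on does."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, review = [], []
    for issue in issues:
        if issue.type == "SECURITY_HOTSPOT":
            review.append(issue)
        elif SEVERITY_RANK[issue.severity] >= threshold:
            blocking.append(issue)
    return bool(blocking), blocking, review


def suppressed_hotspots(review, sources):
    """Hotspots whose flagged line carries NOSONAR (sources: path -> lines).
    Such a hotspot vanishes from SonarQube, so it is surfaced here instead."""
    hidden = []
    for issue in review:
        lines = sources.get(issue.path, [])
        if 0 < issue.line <= len(lines) and "NOSONAR" in lines[issue.line - 1]:
            hidden.append(issue)
    return hidden


# Constructed sample data (hypothetical paths and messages).
SAMPLE_ISSUES = [
    Issue("SECURITY_HOTSPOT", "CRITICAL", "src/Io.java", 12,
          "Make sure this file handling is safe here."),
    Issue("VULNERABILITY", "BLOCKER", "src/Cmd.java", 40, "Constructed finding"),
    Issue("CODE_SMELL", "MINOR", "src/Io.java", 3, "Constructed smell"),
]
SAMPLE_SOURCES = {"src/Io.java": ["// ..."] * 11 + ["open(p); // NOSONAR"]}
```

Running `gate(SAMPLE_ISSUES)` fails the build only for the BLOCKER vulnerability, and `suppressed_hotspots` on the returned review list reports the hotspot on line 12 that a NOSONAR marker would otherwise hide.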