
Integration with Security Hotspot should be improved #272

Open
Gh0s7 opened this issue Aug 5, 2020 · 2 comments
Labels: enhancement, lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness.)

Comments

Gh0s7 commented Aug 5, 2020

Is your feature request related to a problem? Please describe.
I just started using this plugin and configured it to use the Security Hotspot feature of SonarQube.
However, since the plugin writes everything in the issue's title, this makes it impossible for us to correctly review those reports.

Also, at least for the Maven version, all the created issues are linked to the first line of pom.xml instead of being linked to the correct line.

Describe the solution you'd like
Given the following hotspot in my project

Filename: keycloak-core-4.8.0.Final.jar | Reference: CVE-2019-3868 | CVSS Score: 3.8 | Category: CWE-200 | Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

  1. Review priority should be based on CVSS score
  2. Category should be either the CVE or the CWE (or maybe a new category for dependencies only)
  3. Title could be something like filename [reference] instead of the full report content
  4. The part after category should be added as the description instead of being in the title
  5. In the description, a link to the reported CVE should be added (linking only to CWE-937 defeats the purpose of the tool as we're missing the details for the real issue)

The goal is to make everything easier to navigate, especially when you have a big number of active issues.
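
The restructuring proposed in points 1 to 5, as an added example that is not the plugin's own code: it parses the hotspot string format quoted above into the proposed title, a CVSS-derived review priority, a category and a description that links to the CVE. The CVSS band thresholds, the `Hotspot` field names and the NVD link target are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample input, adapted from the hotspot quoted in the issue above.
SAMPLE_HOTSPOT = (
    "Filename: keycloak-core-4.8.0.Final.jar | Reference: CVE-2019-3868 | "
    "CVSS Score: 3.8 | Category: CWE-200 | Keycloak up to version 6.0.0 allows "
    "the end user token (access or id token JWT) to be used as the session cookie "
    "for browser sessions for OIDC. As a result an attacker with access to service "
    "provider backend could hijack user's browser session."
)
NVD_DETAIL = "https://nvd.nist.gov/vuln/detail/"  # assumed link target for CVE ids


@dataclass
class Hotspot:
    title: str        # "<filename> [<reference>]", as proposed in point 3
    priority: str     # review priority derived from the CVSS score, point 1
    category: str     # the CWE (or the CVE when no CWE is given), point 2
    description: str  # advisory text plus a link to the CVE, points 4 and 5


def priority_from_cvss(score: float) -> str:
    # Assumed mapping of CVSS v3 severity bands onto SonarQube's HIGH/MEDIUM/LOW
    # review priorities; the plugin's own rule may differ.
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_hotspot(text: str) -> Hotspot:
    # The first four fields are "Key: value"; everything after the fourth '|' is
    # the free-text advisory, which may itself contain '|', so split at most 4 times.
    parts = [p.strip() for p in text.split("|", 4)]
    if len(parts) != 5:
        raise ValueError("expected Filename | Reference | CVSS Score | Category | text")
    fields = {}
    for part in parts[:4]:
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    reference = fields["Reference"]
    description = parts[4]
    if reference.startswith("CVE-"):
        # Link to the CVE itself rather than to the generic CWE-937 entry.
        description += f"\n\nDetails: {NVD_DETAIL}{reference}"
    return Hotspot(
        title=f"{fields['Filename']} [{reference}]",
        priority=priority_from_cvss(float(fields["CVSS Score"])),
        category=fields["Category"] or reference,
        description=description,
    )
```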

Reamer (Member) commented Aug 12, 2020

Hi @Gh0s7
thanks for your suggestions.
I created a Sonar Community Ticket, because I have no idea how to influence the style.

github-actions bot commented

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 19, 2022
@Reamer Reamer added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 19, 2022