| Rule | A coding standard or practice which should be followed. Not complying with coding rules leads to **Bugs**, **Vulnerabilities**, **Security Hotspots**, and **Code Smells**. Rules can check quality on code files or unit tests. |
| Remediation Cost | The estimated time required to fix Vulnerability and Reliability Issues. |
| Snapshot | A set of **measures** and **issues** on a given project at a given time. A snapshot is generated for each analysis. |
-| Security Hotspot | A security-related issue highlighting a piece of code that uses a security-sensitive API (E.G. use of a weak algorithm, connection to a database without a password, ...). Security hotspots must be reviewed by a security auditor who may determine that the APIs are used in ways that introduce Vulnerabilities. |
+| Security Hotspot | A security-related issue highlighting a piece of code that uses a security-sensitive API (E.G. use of a weak algorithm, connection to a database, ...). Security Hotspots must be manually reviewed to determine if the APIs are being used in ways that introduce Vulnerabilities. |
| Technical Debt | The estimated time required to fix all Maintainability Issues / code smells |
| Vulnerability | A security-related issue which represents a backdoor for attackers. See also [Security-related rules](/user-guide/security-rules/). |
**Security remedation effort on new code** (`new_security_remediation_effort`)
Same as _Security remediation effort_ but on the code changed in the New Code period.
+**Security Hotspots** (`security_hotspots`)
+Number of Security Hotspots
+
+**New Security Hotspots** (`new_security_hotspots`)
+Number of new Security Hotspots
+
+**Security Hotspot Review Rating** (`security_hotspot_review_rating`)
+The ratio of the number of Security Hotspots that are in "To Review" or "In Review" status per 1K lines of code.
+
+A = 0–3 "To Review" and "In Review" Security Hotspots per 1K lines of code
+B = 4–10
+C = 11–15
+D = 16–25
+E = 26+
+
+**Security Hotspot Review Rating on new code** (`new_security_hotspot_review_rating`)
+Same as _Security Hotspot Review Rating_ but on the code changed in the New Code period.
+
---
## Size
**Classes** (`classes`)
### Portfolios Home Page
-The Portfolio Home Page is the central place for managers and tech leads to keep an eye on the Releasability of the projects under their supervision. Releasability is based on the project's quality gate: green (pass) is releasable. Red (error) is not. Each Portfolio home page offers an aggregate view of the releasability of all the projects in the Portfolio.
+The Portfolio Home Page is the central place for managers and tech leads to keep an eye on the Releasability of the projects under their supervision. Releasability is based on the project's quality gate: Passed is releasable and Failed is not. Each Portfolio home page offers an aggregate view of the releasability of all projects in the Portfolio.
-At the top of the page, you can easily see whether overall Portfolio is currently rated as releasable and if any projects in the Portfolio have failed their Quality Gate. And the Reliability, Security, and Maintainability ratings show the overall health of the Portfolio in these three domains, along with an indicator of the worst-performing project(s) in each domain.
+At the top of the page, you can easily see whether the overall Portfolio is currently rated as releasable and if any projects in the Portfolio have failed their Quality Gate. And the Reliability, Security Vulnerabilities, Security Hotspots Review, and Maintainability ratings show the overall health of the Portfolio in these three domains, along with an indicator of the worst-performing project(s) in each domain.
-For each domain you see:
+For each domain, you'll see:
* the rating (see [Metric Definitions](/user-guide/metric-definitions/) for more details about how they are computed)
* an indicator of when the rating last changed
### Releasability Rating
-The Releasability Rating tells you the ratio of projects in the Portfolio that do NOT have a **FAILED** Quality Gate (ie QG being **PASSED**) :
+The Releasability rating is the ratio of projects in the Portfolio that have a **Passed** Quality Gate:
**A**: > 80%
**B**: > 60%
**D**: > 20%
**E**: <= 20%
-### Reliability, Security and Maintainability Ratings
+### Reliability, Security Vulnerabilities, Security Hotspots Review, and Maintainability Ratings
-Each of the Reliability, Security and Maintainability Ratings for a Portfolio is calculated as the average of the ratings for all projects included in the Portfolio. SonarQube converts the rating for each project to a number (see conversion table below), calculates an average for the portfolio and converts that average back to a rating. Averages that land exactly on the 0.5 mark are rounded up (i.e. the result is the "lower" of the two possible ratings, so an average of 2.5 would result in a "C" rating).
+The Reliability, Security Vulnerabilities, Security Hotspots Review, and Maintainability ratings for a Portfolio are calculated as the average of the ratings for all projects included in the Portfolio.
-This gives an “issue density" measure on the three axes of Reliability, Security and Maintainability for your Portfolio.
+SonarQube converts each project's letter rating to a number (see conversion table below), calculates an average number for the projects in the portfolio, and converts that average to a letter rating. Averages ending with .5 are rounded up resulting in the "lower" of the two possible ratings, so an average of 2.5 would be rounded up to 3 and result in a "C" rating).
+
+This gives an "problem density" measure on the four axes of Reliability, Security Vulnerabilities, Security Hotspots Review, and Maintainability for your Portfolio.
Rating conversion:
*Note: the Portfolio Home Page is also available at Sub-Portfolio level*
-### Print as PDF or Subscribe
+### Portfolio PDF Report
-On a Portfolio Home Page you can choose to download an overview of the Portfolio as a PDF. To do that, simply click on the "Print as PDF" button. This is really convenient, for example, if you're going into a meeting where you may not have access to your SonarQube instance.
+On a Portfolio Home Page, you can download a PDF overview of the Portfolio by selecting **Download as PDF** from the "Portfolio PDF Report" dropdown menu in the upper-right corner. This is really convenient, for example, if you're going into a meeting where you may not have access to your SonarQube instance.
-If you don't want to perform this action every time, you can subscribe to receive the PDF by email. The frequency of the mailing is decided by the administrator of the Portfolio.
+You can subscribe to receive a PDF by email by selecting **Subscribe** from the "Portfolio PDF Report" dropdown. You can set the frequency of the report at the portfolio and global levels to **daily**, **weekly**, or **monthly**. The default frequency is monthly.
-Please note you will receive the PDF only if the Portfolio is computed.
+**Note:** You will only receive the PDF if the Portfolio is computed.
Portfolios are created and edited in the global Portfolio administration interface: **Administration > Configuration > Portfolios**. For more information, see [Configuring Portfolios and Applications](/project-administration/configuring-portfolios-and-applications/).
The Security Reports are fed by the analyzers, which rely on the rules activated in your quality profiles to raise security issues. If there are no rules corresponding to a given OWASP category activated in your Quality Profile, you will get no issues linked to that specific category and the rating displayed will be A. That won't mean you are safe for that category, but that you need to activate more rules (assuming some exist).
## What's the difference between a Security Hotspot and a Vulnerability?
-Vulnerabilities are points in the code which are open to attack.
-Security Hotspots are security-sensitive pieces of code that should be carefully reviewed by someone with a security auditor hat. This person can be:
-* a member of the development team who is more sensitive to security problems
-* someone outside the development team contracted for the purpose of reviewing these Hotspots.
-
-The main goal of Security Hotspots is to help focus the efforts of someone manually review application source code. The second goal is to educate developers and to increase their security-awareness.
-Having a Hotspot in your application does not mean there is a problem, but that someone should review the code to see if the sensitive piece of code is being used in the safest manner.
+Vulnerabilities are points in the code which are open to attack. Security Hotspots highlight security-sensitive pieces of code that need to be manually reviewed to ensure the sensitive piece of code is being used in the safest manner. Security hotspots also help educate developers on security issues.
For more details, see [Security Hotspots](/user-guide/security-hotspots/)