author | G. Ann Campbell <ann.campbell@sonarsource.com> | 2018-07-13 09:13:58 -0400 |
---|---|---|
committer | SonarTech <sonartech@sonarsource.com> | 2018-07-17 20:21:26 +0200 |
commit | 839e6c28fb607659e9452c716332abdd79b85dcf (patch) | |
tree | d392fb13851ae6cb027c54da13f66f77e46495dc /server/sonar-docs/src/pages/security-reports.md | |
parent | 0544f6b1692afb8f81becee9d40f1f2a178fb518 (diff) | |
download | sonarqube-839e6c28fb607659e9452c716332abdd79b85dcf.tar.gz sonarqube-839e6c28fb607659e9452c716332abdd79b85dcf.zip |
Security Report docs first draft
Diffstat (limited to 'server/sonar-docs/src/pages/security-reports.md')
-rw-r--r-- | server/sonar-docs/src/pages/security-reports.md | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/server/sonar-docs/src/pages/security-reports.md b/server/sonar-docs/src/pages/security-reports.md index f1c3adb46ca..cf88af609db 100644 --- a/server/sonar-docs/src/pages/security-reports.md +++ b/server/sonar-docs/src/pages/security-reports.md 
@@ -1,7 +1,22 @@ --- -title: +title: Security Reports --- -## h2 +## What do the Security Reports show? +The Security Reports are designed to quickly give you the big picture on your application's security, with breakdowns of just where you stand in regard to each of the the [OWASP Top 10](https://www.owasp.org/index.php/Top_10-2017_Top_10), and [SANS Top 25 categories](https://www.sans.org/top25-software-errors), and [CWE](http://cwe.mitre.org/)-specific details. -text text text +## What's the difference between a Hotspot and a Vulnerability? +Vulnerabilities are points in the code which are open to attack. +Hotspot are sensitive API calls which, if misused, could easily result in Vulnerabilities. Having a Hotspot in your application does not mean there is a problem. What it does mean is that a human should look over the code to see if the sensitive API is being used in the safest manner. + +## I'm a developer. Should I care about Hotspots? +Probably not. Hotspots, as such, aren't really actionable. They simply mark *potential* problems, so there's really nothing to do. That's why you don't receive notficiations when Hotspot issues are raised, and why Hotspots aren't shown in the Issues page by default. + +## What if my Hotspot really marks a Vulnerability? +If you look at the code where a Hotspot is raised and realize that there really is a problem, click on the current status (probably `Open`) to register that you've *Detect*ed a Vulnerability at that point in the code. Once you do, it will be converted to a Vulnerability, and the developer who last touched the line will receive "new issue" notifications (if she's signed up to get them). + +## What happens after my Hotspot becomes a Vulnerability? +Once you've *Detect*ed that there really is a problem at a Hotspot location, it will be assigned to the appropriate developer, who will make a fix, and must then `Request Review` *via the UI*. That request moves the issue from Vulnerability back to Hotspot. 
From there, it's up to the security auditor to either *Accept* or *Reject* the fix. Accepting the fix will mark it "Won't Fix", and rejecting it will turn it back into a Vulnerability, putting it back in the developer's queue. + +## What does it mean for a Hotspot to be marked "Won't Fix". +The Won't Fix designation is used to indicate that a Hotspot has been reviewed and found okay. |
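Review bot: several typos in the added prose need fixing before this merges: "each of the the [OWASP Top 10]" (doubled "the"), "Hotspot are sensitive API calls" (should be "Hotspots are"), "notficiations" (notifications), and the last heading ends with a period where the other question-style headings end with "?". The OWASP/SANS sentence also reads awkwardly with its chained "and ... and"; consider "with breakdowns of where you stand in regard to each of the OWASP Top 10 and SANS Top 25 categories, plus CWE-specific details". On the workflow section, "Accepting the fix will mark it 'Won't Fix'" is counter-intuitive for a vulnerability that has just been fixed, and "Won't Fix" is only defined in the final section; moving that definition ("reviewed and found okay") up next to the Accept/Reject sentence, or adding a short clause there, would keep readers from assuming the fix was discarded.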