aboutsummaryrefslogtreecommitdiffstats
path: root/server/sonar-docs/src
diff options
context:
space:
mode:
authorG. Ann Campbell <ann.campbell@sonarsource.com>2018-07-13 09:13:58 -0400
committerSonarTech <sonartech@sonarsource.com>2018-07-17 20:21:26 +0200
commit839e6c28fb607659e9452c716332abdd79b85dcf (patch)
treed392fb13851ae6cb027c54da13f66f77e46495dc /server/sonar-docs/src
parent0544f6b1692afb8f81becee9d40f1f2a178fb518 (diff)
downloadsonarqube-839e6c28fb607659e9452c716332abdd79b85dcf.tar.gz
sonarqube-839e6c28fb607659e9452c716332abdd79b85dcf.zip
Security Report docs first draft
Diffstat (limited to 'server/sonar-docs/src')
-rw-r--r--server/sonar-docs/src/pages/security-reports.md21
1 files changed, 18 insertions, 3 deletions
diff --git a/server/sonar-docs/src/pages/security-reports.md b/server/sonar-docs/src/pages/security-reports.md
index f1c3adb46ca..cf88af609db 100644
--- a/server/sonar-docs/src/pages/security-reports.md
+++ b/server/sonar-docs/src/pages/security-reports.md
@@ -1,7 +1,22 @@
---
-title:
+title: Security Reports
---
-## h2
+## What do the Security Reports show?
+The Security Reports are designed to quickly give you the big picture on your application's security, with breakdowns of just where you stand in regard to each of the the [OWASP Top 10](https://www.owasp.org/index.php/Top_10-2017_Top_10), and [SANS Top 25 categories](https://www.sans.org/top25-software-errors), and [CWE](http://cwe.mitre.org/)-specific details.
-text text text
+## What's the difference between a Hotspot and a Vulnerability?
+Vulnerabilities are points in the code which are open to attack.
+Hotspot are sensitive API calls which, if misused, could easily result in Vulnerabilities. Having a Hotspot in your application does not mean there is a problem. What it does mean is that a human should look over the code to see if the sensitive API is being used in the safest manner.
+
+## I'm a developer. Should I care about Hotspots?
+Probably not. Hotspots, as such, aren't really actionable. They simply mark *potential* problems, so there's really nothing to do. That's why you don't receive notficiations when Hotspot issues are raised, and why Hotspots aren't shown in the Issues page by default.
+
+## What if my Hotspot really marks a Vulnerability?
+If you look at the code where a Hotspot is raised and realize that there really is a problem, click on the current status (probably `Open`) to register that you've *Detect*ed a Vulnerability at that point in the code. Once you do, it will be converted to a Vulnerability, and the developer who last touched the line will receive "new issue" notifications (if she's signed up to get them).
+
+## What happens after my Hotspot becomes a Vulnerability?
+Once you've *Detect*ed that there really is a problem at a Hotspot location, it will be assigned to the appropriate developer, who will make a fix, and must then `Request Review` *via the UI*. That request moves the issue from Vulnerability back to Hotspot. From there, it's up to the security auditor to either *Accept* or *Reject* the fix. Accepting the fix will mark it "Won't Fix", and rejecting it will turn it back into a Vulnerability, putting it back in the developer's queue.
+
+## What does it mean for a Hotspot to be marked "Won't Fix".
+The Won't Fix designation is used to indicate that a Hotspot has been reviewed and found okay.