All imported generic issues are given a MEDIUM severity despite specifying rule severities


I am running SonarQube 10.3 and sonar-scanner 5.0.1.3006. I would like to be able to define my own issue severities and have them displayed accordingly on the SonarQube UI, but it seems all issue severities are defaulting to MEDIUM.

I have this issue in a generic issue import format:

{
    "rules": [
        {
            "id": "B307",
            "name": "eval - use of possible insecure function",
            "engineId": "bandit",
            "cleanCodeAttribute": "FORMATTED",
            "impacts": [
                {
                    "softwareQuality": "MAINTAINABILITY",
                    "severity": "HIGH"
                }
            ]
        }
    ],
    "issues": [
        {
            "engineId": "bandit",
            "ruleId": "B307",
            "primaryLocation": {
                "filePath": "/tmp/repo/bandit/main.py",
                "textRange": {
                    "startLine": 36,
                    "startColumn": 5
                },
                "message": "Use of possibly insecure function - consider using safer ast.literal_eval."
            }
        }
    ]
}

Why is it that when I import this issue, the severity shows up as MEDIUM?



There is 1 answer

slightly_toasted On

The issue was fixed by changing the engineId to one that isn’t recognized by SonarQube.

This behavior doesn't appear to be documented, but it seems SonarQube recognizes the bandit tool and tries to apply its own quality profiles which don't exist, then defaults to MEDIUM severity.
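The following is an added example, not code from the question or the answer: a small converter that turns bandit's `bandit -f json` output into a generic issue import report, applying the answer's workaround by default (an `engineId` SonarQube does not recognize, here the assumed name `bandit-import`), and a validator that catches the two structural problems a hand-written report like the one in the question tends to have: `issues` written as an object instead of an array, and an absolute `filePath` where the format expects a path relative to `sonar.projectBaseDir`. The bandit report is constructed inline and trimmed to the fields used; the field names (`test_id`, `issue_severity`, `line_number`, `col_offset`, `filename`, `issue_text`) are bandit's, and the allowed `softwareQuality`, `severity` and `cleanCodeAttribute` values are those of the SonarQube 10.x generic format.

```python
"""Convert a bandit JSON report to SonarQube's generic issue import format and sanity-check it.

Added example; the bandit sample below is constructed, and 'bandit-import' is an assumed
engineId chosen only because it is not a tool name SonarQube recognizes.
"""
import json
from pathlib import PurePosixPath

# Allowed values in the generic issue import format (SonarQube 10.x "impacts" style).
VALID_SEVERITIES = {"LOW", "MEDIUM", "HIGH"}
VALID_QUALITIES = {"MAINTAINABILITY", "RELIABILITY", "SECURITY"}

# Constructed sample of `bandit -f json` output, trimmed to the fields used below.
BANDIT_REPORT = json.dumps({"results": [
    {"test_id": "B307", "test_name": "blacklist", "issue_severity": "MEDIUM",
     "issue_confidence": "HIGH", "line_number": 36, "col_offset": 4,
     "filename": "/tmp/repo/bandit/main.py",
     "issue_text": "Use of possibly insecure function - consider using safer ast.literal_eval."},
    {"test_id": "B608", "test_name": "hardcoded_sql_expressions", "issue_severity": "HIGH",
     "issue_confidence": "LOW", "line_number": 12, "col_offset": 11,
     "filename": "/tmp/repo/bandit/db.py",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
]})


def bandit_to_generic(report_text, base_dir, engine_id="bandit-import",
                      software_quality="SECURITY"):
    """Build a generic-issue report: one rule per distinct bandit test_id, one issue per result.

    engine_id defaults to a name SonarQube does not recognize (the workaround from the answer).
    base_dir is stripped from bandit's absolute filenames so filePath is relative to the
    scanner's sonar.projectBaseDir.
    """
    results = json.loads(report_text)["results"]
    rules, issues = {}, []
    for r in results:
        # bandit severities are LOW/MEDIUM/HIGH, the same names the impact severity uses.
        severity = r["issue_severity"].upper()
        if severity not in VALID_SEVERITIES:
            raise ValueError(f"unexpected bandit severity {severity!r}")
        # The first result seen for a test_id fixes the rule's severity; bandit assigns a
        # fixed severity per test, so later results agree with it.
        rules.setdefault(r["test_id"], {
            "id": r["test_id"],
            "name": f"{r['test_id']} {r['test_name']}",
            "engineId": engine_id,
            "cleanCodeAttribute": "TRUSTWORTHY",
            "impacts": [{"softwareQuality": software_quality, "severity": severity}],
        })
        rel_path = PurePosixPath(r["filename"]).relative_to(base_dir).as_posix()
        issues.append({
            "engineId": engine_id,
            "ruleId": r["test_id"],
            "primaryLocation": {
                "filePath": rel_path,
                # Generic format: startLine is 1-based, startColumn is 0-based; bandit's
                # line_number and col_offset follow the same conventions, so pass them through.
                "textRange": {"startLine": r["line_number"], "startColumn": r["col_offset"]},
                "message": r["issue_text"],
            },
        })
    return {"rules": list(rules.values()), "issues": issues}


def validate_generic_report(report):
    """Return a list of structural problems; an empty list means these checks passed."""
    rules, issues = report.get("rules"), report.get("issues")
    if not isinstance(rules, list):
        return ["'rules' must be a JSON array"]
    if not isinstance(issues, list):
        return ["'issues' must be a JSON array"]
    problems, rule_keys = [], set()
    for rule in rules:
        rule_keys.add((rule.get("engineId"), rule.get("id")))
        for imp in rule.get("impacts", []):
            if (imp.get("softwareQuality") not in VALID_QUALITIES
                    or imp.get("severity") not in VALID_SEVERITIES):
                problems.append(f"rule {rule.get('id')}: invalid impact {imp}")
    for issue in issues:
        key = (issue.get("engineId"), issue.get("ruleId"))
        if key not in rule_keys:
            # Issues are matched to rules by (engineId, ruleId); a mismatch means no rule metadata.
            problems.append(f"issue references unknown rule {key}")
        loc = issue.get("primaryLocation", {})
        path = loc.get("filePath", "")
        if PurePosixPath(path).is_absolute():
            problems.append(f"filePath {path!r} is absolute; use a path relative to sonar.projectBaseDir")
        if loc.get("textRange", {}).get("startLine", 0) < 1:
            problems.append("textRange.startLine must be >= 1")
    return problems


if __name__ == "__main__":
    converted = bandit_to_generic(BANDIT_REPORT, "/tmp/repo")
    print(json.dumps(converted, indent=2))
    print("problems:", validate_generic_report(converted))
```

Point `sonar.externalIssuesReportPaths` at the file the script writes and run the validator first; it will also reject a report whose `issues` value is an object rather than an array, which is the shape the question's snippet has.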