Earlier we had a pull request that Sonarcloud flagged with 2 medium priority and 1 low priority security hotstpots. They were mitigated despite being such minor issues and the PR later got a green light from Sonarcloud. It was successfully merged.
In the future, though, as schedule pressures increase or as availability decreases, we may want a more targeted approach to these automated hotspot findings. For example, our JPL system administrators have a policy that critical and high priority findings from the penetration testing tool must be addressed, but medium and low findings can be ignored. The National Cancer Institute's own deployment team has a similar policy for findings from the "Invicti" security scanner: you can skip low and medium but you must mitigate high and critical.
@ramesh-maddegoda suggests a weighted approach, where critical issues can get a heavy weighting while low get a light weighting, and then determine a normalized vulnerability score, and this can guide the criteria for what mitigations should be taken.
For now, we will continue the policy to address all security hotspots found by Sonarcloud without regard to priority. This issue exists in case we should revisit the policy.
Earlier we had a pull request that Sonarcloud flagged with 2 medium priority and 1 low priority security hotstpots. They were mitigated despite being such minor issues and the PR later got a green light from Sonarcloud. It was successfully merged.
In the future, though, as schedule pressures increase or as availability decreases, we may want a more targeted approach to these automated hotspot findings. For example, our JPL system administrators have a policy that critical and high priority findings from the penetration testing tool must be addressed, but medium and low findings can be ignored. The National Cancer Institute's own deployment team has a similar policy for findings from the "Invicti" security scanner: you can skip low and medium but you must mitigate high and critical.
@ramesh-maddegoda suggests a weighted approach, where critical issues can get a heavy weighting while low get a light weighting, and then determine a normalized vulnerability score, and this can guide the criteria for what mitigations should be taken.
For now, we will continue the policy to address all security hotspots found by Sonarcloud without regard to priority. This issue exists in case we should revisit the policy.