Skip to content

Posture for Sonarcloud's "security hotspots" #160

Description

@nutjob4life

Earlier we had a pull request that Sonarcloud flagged with 2 medium priority and 1 low priority security hotstpots. They were mitigated despite being such minor issues and the PR later got a green light from Sonarcloud. It was successfully merged.

In the future, though, as schedule pressures increase or as availability decreases, we may want a more targeted approach to these automated hotspot findings. For example, our JPL system administrators have a policy that critical and high priority findings from the penetration testing tool must be addressed, but medium and low findings can be ignored. The National Cancer Institute's own deployment team has a similar policy for findings from the "Invicti" security scanner: you can skip low and medium but you must mitigate high and critical.

@ramesh-maddegoda suggests a weighted approach, where critical issues can get a heavy weighting while low get a light weighting, and then determine a normalized vulnerability score, and this can guide the criteria for what mitigations should be taken.

For now, we will continue the policy to address all security hotspots found by Sonarcloud without regard to priority. This issue exists in case we should revisit the policy.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    ToDo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions