Whatever the maturity level of the SAST solution used to scan software, many vulnerabilities can only be spotted through a manual code review process. Security auditors can use SonarQube to guide their code review by highlighting sensitive pieces of code (Security Hotspots), such as use of an encryption algorithm, execution of an OS command, or access to the file system. Once these sensitive places in the code are identified, it is up to the Security Auditor to determine whether or not a Vulnerability exists at each Security Hotspot. While security skills are required to qualify a Security Hotspot as a true Vulnerability, all stakeholders can agree that identified Vulnerabilities can be exploited in a software execution context.
A Security Auditor is the person in charge of making sure an application has no security problems and of giving recommendations on how to remediate identified threats. This role can be held by a member of the development team or by a person outside the team who is responsible for running security audits.
How to use Security Reports?
The Security Reports are designed to quickly give you the big picture on your application's security, with breakdowns of where you stand in each of the OWASP Top 10 and SANS Top 25 categories, along with CWE-specific details. The Security Reports are fed by the analyzers, which rely on the rules activated in your Quality Profiles to raise security issues. If no rules corresponding to a given OWASP category are activated in your Quality Profile, you will get no issues for that category and the rating displayed will be 'A'. An 'A' rating doesn't mean you are safe for that category, only that you have no issues related to the activated rules.
You can use the reports to:
Communicate to stakeholders the current state of the project and show the areas at risk
Run your security audit and manage the backlog of issues you have to review, including how many of them have been discarded because they were already reviewed.
How to perform a Security Audit with SonarQube?
Prior to running the analysis of your application, make sure that all the Vulnerability rules are active in the Quality Profile for each language associated with your Project. Then, on top of the Vulnerabilities, determine which Security Hotspot rules you want to activate. Once you have activated all of the security rules, run your code scan as usual, and the analyzers will generate Vulnerability and Security Hotspot issues.
You'll have the opportunity to review Vulnerabilities, but it is assumed that they are real problems to fix. Your Security Auditor and the documentation provided for each Vulnerability rule are resources available to help developers find a solution and implement fixes.
For the Security Hotspots, it's up to the Security Auditor to go to the Security Reports menu and start a review based on the OWASP Top 10 and SANS Top 25 reports. Both reports follow the same process:
Click on the figures in the Open column to get the full list of issues for a particular category
Review the issues one by one and decide whether or not each one is a real Vulnerability; at this stage you need security skills, you cannot guess
If you determine that an issue really is a Vulnerability, click on the Detect option; otherwise, click on the Clear option to remove it from the queue
See Issue Lifecycle for more detail on the statuses and actions possible on a Security Hotspot issue.
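As an added illustration of the decision made at the review step (this is not code from the SonarQube documentation): two Python functions that both access the file system with a caller-supplied name, so a Security Hotspot rule would flag both of them. Reviewing them shows that only the first is a real Vulnerability; the directory layout and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Both functions below touch the file system with a caller-supplied name, so a
# Security Hotspot rule flags both. Only a manual review tells them apart.


def read_user_file_unchecked(base_dir: str, name: str) -> str:
    """Hotspot that IS a Vulnerability: the name is joined to the base directory
    without validation, so '../' segments escape the intended directory."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_user_file_checked(base_dir: str, name: str) -> str:
    """Same hotspot, safe to Clear: the resolved path must stay inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:  # rejects '..' segments and absolute names
        raise ValueError(f"refusing to read outside {base}: {name}")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Constructed scenario: a private file one level above the served directory."""
    root = tempfile.mkdtemp()
    served = Path(root) / "served"
    served.mkdir()
    (served / "readme.txt").write_text("public", encoding="utf-8")
    (Path(root) / "secret.txt").write_text("private", encoding="utf-8")
    results = {}
    results["unchecked_normal"] = read_user_file_unchecked(str(served), "readme.txt")
    # The unchecked version happily follows the traversal and leaks the file.
    results["unchecked_traversal"] = read_user_file_unchecked(str(served), "../secret.txt")
    results["checked_normal"] = read_user_file_checked(str(served), "readme.txt")
    try:
        read_user_file_checked(str(served), "../secret.txt")
        results["checked_traversal"] = "read"
    except ValueError:
        results["checked_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```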