SonarQube Security Hotspots and OWASP
Security is one of the most critical aspects of modern software. SonarQube helps teams catch security problems early by identifying vulnerabilities and security hotspots. This topic explains how SonarQube connects to industry security standards like OWASP and how to review and resolve security findings.
Vulnerability vs Security Hotspot
VULNERABILITY                        SECURITY HOTSPOT
-----------------------------        ----------------------------
SonarQube is certain it is risky     SonarQube is unsure
Must be fixed                        Must be reviewed by a human
Affects Security Rating (A-E)        Does not affect rating until reviewed
Example: SQL injection confirmed     Example: Random number generation
                                     (safe or unsafe depends on context)
Think of a vulnerability as a broken lock on your front door. A security hotspot is a door with a lock that might be broken — you need to check it yourself.
What Is OWASP Top 10
The Open Web Application Security Project (OWASP) publishes a list of the ten most critical web application security risks. This list is updated every few years and is widely used by security professionals worldwide.
OWASP TOP 10 (2021 edition)
+----+----------------------------------------+
| A1 | Broken Access Control                  |
| A2 | Cryptographic Failures                 |
| A3 | Injection (SQL, command, LDAP)         |
| A4 | Insecure Design                        |
| A5 | Security Misconfiguration              |
| A6 | Vulnerable and Outdated Components     |
| A7 | Identification and Authentication Fails|
| A8 | Software and Data Integrity Failures   |
| A9 | Security Logging and Monitoring Fails  |
|A10 | Server-Side Request Forgery (SSRF)     |
+----+----------------------------------------+
SonarQube tags its security rules with the relevant OWASP category. You can filter issues and hotspots by OWASP category to focus on the most critical security risks first.
The Security Hotspots Page
Each project has a dedicated Security Hotspots tab in the dashboard. Hotspots are organized by security category:
SECURITY HOTSPOTS TAB
+----------------------------------------------+
| TO REVIEW | REVIEWED                         |
+----------------------------------------------+
| OWASP A2 - Cryptographic Failures: 3 items   |
|   src/auth/TokenService.java line 45         |
|   src/util/HashHelper.java line 12           |
|   src/api/SecureComm.java line 78            |
|                                              |
| OWASP A3 - Injection: 1 item                 |
|   src/db/QueryBuilder.java line 101          |
+----------------------------------------------+
Reviewing a Security Hotspot
Click any hotspot to open the review panel. SonarQube shows the flagged code, explains the risk category, and asks you to assess whether this specific instance is safe or not.
HOTSPOT REVIEW PANEL
+----------------------------------------------+
| HOTSPOT: Weak cryptography algorithm used    |
| File: src/auth/TokenService.java : 45        |
|                                              |
| CODE:                                        |
|   MessageDigest md = MessageDigest           |
|       .getInstance("MD5");                   |
|                                              |
| RISK: MD5 is considered cryptographically    |
| broken and should not be used for passwords  |
| or sensitive data hashing.                   |
|                                              |
| YOUR ASSESSMENT:                             |
|   [Safe]  [Fixed]  [Acknowledged]            |
+----------------------------------------------+
Hotspot Status Options
STATUS        MEANING
------------  -----------------------------------------------
To Review     Newly found, not yet assessed by a human
Acknowledged  Reviewed; the risk is accepted (documented reason)
Fixed         Developer changed the code to remove the risk
Safe          Reviewed; this specific usage is not actually risky
Common Security Hotspot Categories
Weak Cryptography
Using outdated or broken algorithms like MD5, SHA-1, or DES for sensitive operations. These algorithms have known weaknesses that make them unsuitable for protecting passwords, tokens, or encrypted data.
RISKY: MessageDigest.getInstance("MD5")
SAFE: MessageDigest.getInstance("SHA-256")
SAFER: Use BCrypt or Argon2 for passwords specifically
Hardcoded Credentials
Passwords, API keys, or tokens written directly in source code. Anyone who reads the code — including version control history — can extract these values.
RISKY:
private static final String API_KEY = "sk-abc123def456";
SAFE:
private static final String API_KEY = System.getenv("API_KEY");
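System.getenv returns null when the variable is unset, so the SAFE line above can silently start the application with no key at all. The following added example (not code from the page or from SonarQube; the class name ApiKeys and the variable name are assumptions) wraps the lookup so that a missing secret fails at startup, the value never appears in logs, and the loader can be tested with a plain Map instead of the real environment.

```java
import java.util.Map;

// Added example (hypothetical ApiKeys): fail-fast, non-logging wrapper around
// "read the secret from the environment".
public final class ApiKeys {

    private final String apiKey;

    private ApiKeys(String apiKey) {
        this.apiKey = apiKey;
    }

    // Takes a Map so tests can pass constructed values; production code passes
    // System.getenv(), which is itself a Map<String, String>.
    public static ApiKeys fromEnvironment(Map<String, String> env, String varName) {
        String value = env.get(varName);
        if (value == null || value.isBlank()) {
            // Name the variable, never its value, in the error message.
            throw new IllegalStateException("Missing required secret: " + varName);
        }
        return new ApiKeys(value.trim());
    }

    public String apiKey() {
        return apiKey;
    }

    // toString() is what ends up in log statements and debuggers; keep it redacted.
    @Override
    public String toString() {
        return "ApiKeys[apiKey=****]";
    }

    public static void main(String[] args) {
        // Constructed environment for a stand-alone run.
        Map<String, String> fakeEnv = Map.of("API_KEY", " sk-constructed-example ");
        ApiKeys keys = ApiKeys.fromEnvironment(fakeEnv, "API_KEY");
        System.out.println(keys);
        try {
            ApiKeys.fromEnvironment(Map.of(), "API_KEY");
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }
    }
}
```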
Cross-Site Scripting (XSS) — OWASP A3
When user input is embedded directly in an HTML response without sanitization, an attacker can inject JavaScript that runs in a victim's browser and steals session cookies or performs actions on behalf of the user.
RISKY (JSP):
<div> Welcome, <%= request.getParameter("name") %> </div>
SAFE:
<div> Welcome, <c:out value="${param.name}"/> </div>
(c:out escapes HTML characters automatically)
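For code that writes HTML outside JSP (a servlet building a response by hand, an e-mail template, a unit test) the same escaping has to be applied explicitly. The following is an added example, not JSTL's implementation and not code from the page; it reproduces the substitutions c:out performs for the five HTML-significant characters and applies them to the welcome fragment above.

```java
// Added example (hypothetical HtmlEscaper): the escaping that <c:out> applies,
// as a plain Java method usable wherever HTML is assembled by hand.
public final class HtmlEscaper {

    // Escapes the five characters that change meaning in HTML text and attributes.
    public static String escape(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of the SAFE JSP line above for a servlet that writes HTML itself.
    public static String welcomeFragment(String name) {
        return "<div> Welcome, " + escape(name) + " </div>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and a markup-bearing value. After
        // escaping, the second renders as literal text rather than as a tag.
        System.out.println(welcomeFragment("Alice"));
        System.out.println(welcomeFragment("<script>alert(1)</script>"));
    }
}
```

Escaping is context-specific: this method is correct for HTML element content and quoted attribute values, which is what the welcome fragment needs; a value placed inside a script block or a URL needs a different encoder, which is also why SonarQube flags the raw `<%= %>` expression rather than trying to decide the context for you.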
Path Traversal — OWASP A1
Using user-supplied input to construct file paths can allow an attacker to read files outside the intended directory.
RISKY:
File f = new File("/uploads/" + userInput);
ATTACK INPUT: userInput = "../../etc/passwd"
RESULT: reads /etc/passwd (system password file)
SAFE:
Path safePath = Paths.get("/uploads")
.resolve(userInput).normalize();
if (!safePath.startsWith("/uploads")) {
throw new SecurityException("Path traversal attempt");
}
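The SAFE snippet above is the whole check; what follows is an added example (not code from the page or from SonarQube; the class name UploadStore and the base directory are assumptions) that packages it as a reusable method and runs it against a legitimate name, a relative name that normalizes back inside the directory, and two inputs that escape it.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added example (hypothetical UploadStore): resolve-normalize-startsWith as a
// complete method with the base directory fixed at construction time.
public final class UploadStore {

    private final Path base;

    public UploadStore(String baseDir) {
        // Absolute and normalized so startsWith compares like with like.
        this.base = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    // Returns the path for a user-supplied name inside base, or throws if the
    // name resolves outside it (".." segments or an absolute path).
    public Path resolve(String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        Path candidate = base.resolve(userInput).normalize();
        // Path.startsWith is component-wise, so "/uploads-old/x" does not
        // start with "/uploads"; equals(base) rejects "." and "sub/..".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("Path traversal attempt: " + userInput);
        }
        return candidate;
    }

    public static void main(String[] args) {
        UploadStore store = new UploadStore("/uploads"); // assumed base directory
        // Constructed inputs: two stay inside the directory, two escape it.
        List<String> inputs = List.of(
                "report.pdf",
                "sub/../report.pdf",
                "../../etc/passwd",
                "/etc/passwd");
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + store.resolve(in));
            } catch (SecurityException e) {
                System.out.println(in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

This check works on the path string only. If the upload directory may contain symbolic links, compare `candidate.toRealPath()` against `base.toRealPath()` after confirming the file exists, since normalize() does not follow links.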
SonarQube Security Standards Support
SonarQube maps its rules to multiple security standards so teams can filter and report by whichever standard their organization follows:
STANDARD      DESCRIPTION
------------  ------------------------------------------
OWASP Top 10  Most critical web vulnerabilities (2021)
OWASP ASVS    Application Security Verification Standard
CWE           Common Weakness Enumeration (MITRE)
SANS Top 25   Most dangerous software errors
PCI-DSS       Payment Card Industry security standard
Security Rating Explained
SECURITY RATING  CONDITION
---------------  -----------------------------------------
A                No open vulnerabilities
B                At least 1 minor vulnerability
C                At least 1 major vulnerability
D                At least 1 critical vulnerability
E                At least 1 blocker vulnerability
Security hotspots do not affect the security rating. Only confirmed vulnerabilities impact the rating. This is intentional — hotspots require human judgment, and unreviewed hotspots should not automatically lower the project score.
Security Hotspot Review Process for Teams
RECOMMENDED TEAM WORKFLOW
|
+-- Developer writes new code
|
+-- SonarQube scan runs (CI/CD)
|
+-- New hotspots appear in "To Review"
|
+-- Security champion or senior developer reviews
|   |
|   +-- Safe? Mark as Safe + add comment explaining why
|   |
|   +-- Risky? Assign to developer to fix
|   |
|   +-- Cannot fix now? Mark as Acknowledged + document risk
|
+-- Quality Gate checks "Hotspots Reviewed = 100%"
Filtering Issues by Security Standard
On the Issues page, use the Standards filter to show only issues related to a specific security standard. This is especially useful during security audits — for example, showing only OWASP A3 Injection issues when preparing a PCI-DSS report.
ISSUES PAGE: STANDARDS FILTER
[x] OWASP Top 10 2021
[x] A3 - Injection (5 issues)
[ ] A2 - Cryptographic Fails
[ ] A1 - Broken Access Control
