Hi Marvin,
Thanks for bringing this up. I think that you are right: it feels odd to classify some of these as Bugs or Code Smells. Indeed, we have been thinking about this too. Once you start digging, you also find different examples, like code that is lacking in security while not being an immediate vulnerability.
We think we have come to the core of this. And we are actually changing the way we classify the results of our analysis.
You can read more about it here:
It’s not what you described, yet I’m curious to know if you think it would help.
Feel free to share any feedback!
Gab