I have got the custom import working using the eslint importer. But potential issues get marked as code smells. We would like to use the “Security Hotspots” review feature to handle these issues.
Is there any way to accomplish that? We could use the Generic issue format import instead, but it does not look like it supports importing of Security Hotspots
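For readers weighing the Generic Issue Import route mentioned above, the following is an added example (not code from the thread or from SonarSource) that turns ESLint's JSON formatter output into a SonarQube generic issue report. It assumes the well-known shape of the generic format (`engineId`, `ruleId`, `severity`, `type`, `primaryLocation` with a zero-based `textRange`) and makes the type whitelist explicit, which is exactly where the limitation the post describes shows up: the only accepted values are `BUG`, `VULNERABILITY` and `CODE_SMELL`, so there is no way to mark an imported finding as a Security Hotspot. The sample ESLint output, the `/src` base directory and the policy of classifying `@microsoft/sdl/*` rules as vulnerabilities are constructed for the example.

```python
"""Convert ESLint JSON output into a SonarQube Generic Issue Import report.

Added example; the field names follow the generic issue format as documented
by SonarQube, the ESLint input shape follows `eslint -f json`.
"""
import json
import posixpath

# Values the generic issue format accepts. There is no SECURITY_HOTSPOT type,
# so externally imported findings can never land in the hotspot review UI.
SONAR_TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL"}
SONAR_SEVERITIES = {"BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"}

# Constructed policy for this example: rules from the Microsoft SDL plugin are
# reported as vulnerabilities, everything else as a code smell.
SECURITY_RULE_PREFIXES = ("@microsoft/sdl/",)

# ESLint severity 2 = error, 1 = warning; the Sonar mapping is an assumption.
ESLINT_SEVERITY_MAP = {2: "MAJOR", 1: "MINOR"}


def classify_rule(rule_id):
    """Pick the Sonar issue type for an ESLint rule id."""
    if rule_id and rule_id.startswith(SECURITY_RULE_PREFIXES):
        return "VULNERABILITY"
    return "CODE_SMELL"


def eslint_message_to_issue(file_path, msg, base_dir, engine_id="eslint"):
    """Map one ESLint message to one generic-format issue."""
    issue_type = classify_rule(msg.get("ruleId"))
    severity = ESLINT_SEVERITY_MAP.get(msg.get("severity"), "MINOR")
    if issue_type not in SONAR_TYPES or severity not in SONAR_SEVERITIES:
        raise ValueError(f"unsupported type/severity: {issue_type}/{severity}")

    # ESLint columns are 1-based; the generic format's textRange columns are
    # 0-based, so shift them. endLine/endColumn are optional in both formats.
    text_range = {"startLine": msg["line"]}
    if "column" in msg:
        text_range["startColumn"] = msg["column"] - 1
    if "endLine" in msg:
        text_range["endLine"] = msg["endLine"]
    if "endColumn" in msg:
        text_range["endColumn"] = msg["endColumn"] - 1

    return {
        "engineId": engine_id,
        "ruleId": msg["ruleId"],
        "severity": severity,
        "type": issue_type,
        "primaryLocation": {
            "message": msg["message"],
            # Sonar wants paths relative to the project base directory.
            "filePath": posixpath.relpath(file_path, base_dir),
            "textRange": text_range,
        },
    }


def convert(eslint_report, base_dir):
    """Convert a full ESLint JSON report (list of per-file results)."""
    issues = []
    for file_result in eslint_report:
        for msg in file_result.get("messages", []):
            # Fatal parse errors carry ruleId: null; there is no rule to attach
            # them to, so they are skipped rather than imported.
            if msg.get("ruleId") is None:
                continue
            issues.append(eslint_message_to_issue(file_result["filePath"], msg, base_dir))
    return {"issues": issues}


# Constructed sample of `eslint -f json` output for the example.
SAMPLE_ESLINT_OUTPUT = json.loads("""[
  {"filePath": "/src/app/component.ts",
   "messages": [
     {"ruleId": "@microsoft/sdl/no-angular-bypass-sanitizer", "severity": 2,
      "message": "Do not bypass Angular's built-in sanitizer",
      "line": 42, "column": 12, "endLine": 42, "endColumn": 60},
     {"ruleId": "no-unused-vars", "severity": 1,
      "message": "'x' is assigned a value but never used.",
      "line": 7, "column": 7, "endLine": 7, "endColumn": 8},
     {"ruleId": null, "fatal": true, "severity": 2,
      "message": "Parsing error: Unexpected token", "line": 1, "column": 1}
   ]}
]""")


if __name__ == "__main__":
    report = convert(SAMPLE_ESLINT_OUTPUT, "/src")
    # Write the file referenced by sonar.externalIssuesReportPaths.
    with open("eslint-generic-issues.json", "w") as fh:
        json.dump(report, fh, indent=2)
    print(json.dumps(report, indent=2))
```

Point the scanner at the written file with `sonar.externalIssuesReportPaths`; the findings then appear as ordinary issues of the chosen type, which is the same outcome the post describes for the ESLint importer.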
I would say that you are right, it’s not possible to import external issues as security hotspots because security hotspots are not strictly considered issues (they have a different UI, workflow etc).
I took a quick look at the Microsoft eslint plug-in you pointed out to us, in order to identify the value, in addition to the in-house SonarSource analyzers, that it can provide:
As you can see, most of the relevant rules from the Microsoft eslint plugin are already supported in SQ. There are certainly some interesting checks (*) that SQ doesn’t natively support at the moment; we will discuss them internally and possibly add them to our backlog.
The rule we are mostly interested in getting checked, and that we did not find support for, is @microsoft/sdl/no-angular-bypass-sanitizer. As you wrote, it is now supported by rule S6268, which you added support for in SonarQube 9.0.