It is not I personally that ask for this but the Security Office of the company I work for.
We have been using two other static code analyzers for the last 5 years to detect vulnerabilities.
Those have produced too many false positives and brought too much overhead.
At the same time we have been using SonarQube for detecting bugs, code smells and so on and for measuring test coverage but not for Security Reports.
Last year we started to do the Security Reports in SonarQube as well.
We now hope to be able to use SonarQube instead of the other tools and have had some meetings with our internal security office and they requested information about the data flow analysis in order to approve this.
Another thing they required was the same amount of rules or the ability to write own rules or to get rules added when needed.
That’s why we requested the new XSS rule (Missing rules to detect XSS and html injection in java servlets) since we saw that was missing.
I did write a custom rule for that myself that we used before you guys implemented it.
We have also written another custom rule since your java reflection hot spot detection is not complete.
It is missing the reflection done via java.beans.PropertyDescriptor.