Dependencies are now being listed as hotspots in SonarQube Project

Pipeline using Azure DevOps
SonarQube Enterprise Edition Version 8.9.9 (build 56886)
Gradle 8.1
SonarQube Gradle Plugin

We have an Azure Pipeline that builds using Gradle, and the OWASP Dependency Report is published to SonarQube (visible under More → HTML Dependency-Check), but we require the issues to be listed under Security Hotspots. Under “Security Hotspots” it states “There are no Security Hotspots to review.”


  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'SonarQube OUR-URL'
      scannerMode: 'CLI'
      configMode: 'file'
      extraProperties: |

I would suggest getting in touch with the maintainer: GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube

And, your SonarQube version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.9.9 → 9.9.1 → 10.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.