When you use java.util.Optional, the taint analysis algorithm loses the taint information and therefore does not create an issue. Just compare these two XSS cases:
resp.getWriter().write(badValue); // detected by javasecurity:S5131
resp.getWriter().write(Optional.of(badValue).get()); // not detected javasecurity:S5131
Below is an example file which also uses a custom wrapper that gets recognized. It seems that only Optional causes a problem.
XssServlet.txt (970 Bytes)
I initially detected it with javasecurity:S3649 (SQLi), but since XSS is also affected, I guess all other security rules are affected as well.
I don't know which other languages supported by the SonarQube Security Analyzer allow a similar pattern, but they might be affected as well.
SonarQube Datacenter Edition 9.6.1
The scan was done through the Maven plugin with no special config; the Maven project only contains this single file.
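The pattern described above, as an added example that is not the attached XssServlet.txt and not SonarSource code: one tainted request parameter reaches the response writer by the three routes the post compares (direct write, custom wrapper, Optional.get), followed by a second servlet that HTML-encodes at the sink so the route through Optional no longer matters. The class names OptionalTaintServlet, Holder and EscapedOptionalServlet, the parameter name "name" and the escapeHtml helper are assumptions; the orElse and ifPresent unwrapping variants go beyond the post and are only assumed to behave like get() under the analyzer.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Optional;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the attached XssServlet.txt): the same tainted request
 * parameter reaches the response writer by several routes. The direct write and
 * the custom wrapper are the cases the post reports as detected by
 * javasecurity:S5131; the Optional route is the one it reports as missed.
 */
public class OptionalTaintServlet extends HttpServlet {

    /** Hypothetical stand-in for the custom wrapper mentioned in the post. */
    static final class Holder {
        private final String value;
        Holder(String value) { this.value = value; }
        String get() { return value; }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String badValue = req.getParameter("name"); // taint source: attacker-controlled
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        out.write(badValue);                          // direct write: reported
        out.write(new Holder(badValue).get());        // custom wrapper: reported
        out.write(Optional.of(badValue).get());       // Optional.get(): missed, per the post

        // Assumption: other ways of unwrapping an Optional lose the taint the same way.
        out.write(Optional.ofNullable(badValue).orElse("anonymous"));
        Optional.ofNullable(badValue).ifPresent(out::write);
    }
}

/**
 * Hardened counterpart: the value is HTML-encoded at the sink, so the
 * XSS is closed regardless of whether the analyzer can follow the flow.
 */
class EscapedOptionalServlet extends HttpServlet {

    /** Minimal HTML text-context encoder (hypothetical helper, no external library). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Unwrap through Optional as before, but encode once at the point of output.
        String name = Optional.ofNullable(req.getParameter("name")).orElse("anonymous");
        out.write("<p>Hello, " + escapeHtml(name) + "</p>");
    }
}
```

Running the analyzer over the first servlet is the way to reproduce the report: the first two write() calls are the ones expected to raise S5131, the Optional line is the one expected to be silent. The second servlet is what the application code should look like either way, since output encoding at the sink does not depend on the scanner's taint propagation.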