As reported today, there is a vulnerability when using Unicode characters that allows a malicious actor to disguise source code in the eyes of the programmer, by using Unicode BIDI characters. This was published today as the “Trojan Source” bug affecting virtually all development environments and compilers.
The research paper is available here: https://www.trojansource.codes/trojan-source.pdf
And a summary by Krebs on Security is here: ‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security
It should be an easy thing for SonarQube to scan for those characters in Unicode files, and flag them as a (Critical?) Security Hotspot.
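As an added illustration of what such a rule would have to look for (this is example code, not SonarQube's own analyzer or anything from the paper's authors), here is a stand-alone scanner that reports every Unicode bidirectional control character in a source file, and additionally marks lines that end with an embedding or isolate still open, which is the shape of the sequences the Trojan Source paper describes. The character set (LRE/RLE/LRO/RLO and PDF, LRI/RLI/FSI and PDI, plus the implicit marks LRM/RLM/ALM) is the documented Unicode set; the `SAMPLE` text is constructed for this example.

```python
"""Scanner for Unicode bidirectional (bidi) control characters in source text.

Added example (not SonarQube code): a real rule would hook into the analyzer
API instead of reading files directly, but the detection logic is the same.
"""
import sys
import unicodedata

# Explicit directional formatting characters from the Unicode Bidi Algorithm.
# Embeddings/overrides are closed by PDF; isolates are closed by PDI.
OPEN_EMBEDDING = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
CLOSE_EMBEDDING = "\u202c"                                  # PDF
OPEN_ISOLATE = {"\u2066", "\u2067", "\u2068"}               # LRI, RLI, FSI
CLOSE_ISOLATE = "\u2069"                                    # PDI
# Implicit marks do not reorder text on their own, but they are invisible and
# have no business in source code, so they are reported too.
IMPLICIT_MARKS = {"\u200e", "\u200f", "\u061c"}             # LRM, RLM, ALM

BIDI_CONTROLS = (OPEN_EMBEDDING | {CLOSE_EMBEDDING} | OPEN_ISOLATE
                 | {CLOSE_ISOLATE} | IMPLICIT_MARKS)


def scan_source(text):
    """Return one finding per bidi control character in `text`.

    Each finding has a 1-based line and column, the code point as U+XXXX, the
    Unicode character name, and `unterminated`: True when the line still has
    an open embedding or isolate at its end, so the reordering spills over the
    rest of the line as rendered by an editor.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embeddings = 0
        isolates = 0
        line_findings = []
        for col, ch in enumerate(line, start=1):
            if ch in OPEN_EMBEDDING:
                embeddings += 1
            elif ch == CLOSE_EMBEDDING:
                embeddings = max(0, embeddings - 1)
            elif ch in OPEN_ISOLATE:
                isolates += 1
            elif ch == CLOSE_ISOLATE:
                isolates = max(0, isolates - 1)
            if ch in BIDI_CONTROLS:
                line_findings.append({
                    "line": lineno,
                    "col": col,
                    "codepoint": "U+%04X" % ord(ch),
                    "name": unicodedata.name(ch, "UNKNOWN"),
                })
        unterminated = embeddings > 0 or isolates > 0
        for finding in line_findings:
            finding["unterminated"] = unterminated
        findings.extend(line_findings)
    return findings


def scan_file(path):
    """Scan one file; undecodable bytes are replaced rather than aborting."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


# Constructed sample (not real project code): line 3 carries a lone RLO in a
# comment, line 4 a properly closed isolate pair inside a string literal.
SAMPLE = (
    "def check_access(user):\n"
    "    # plain comment\n"
    "    label = 'done'  # \u202e note\n"
    "    tag = '\u2066abc\u2069'\n"
    "    return False\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = [(p, scan_file(p)) for p in paths]
    else:
        results = [("<sample>", scan_source(SAMPLE))]
    for path, found in results:
        for f in found:
            flag = " [unterminated]" if f["unterminated"] else ""
            print(f"{path}:{f['line']}:{f['col']}: {f['codepoint']} {f['name']}{flag}")
```

Run it with one or more file paths to scan them, or with no arguments to scan the built-in sample. Reporting every control character (not only unterminated ones) is deliberate: legitimate uses in source code are rare enough that a reviewer should see each one, and a rule that only flags unbalanced sequences would miss a balanced pair placed to reorder a comment or literal.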