SonarQube 8.6.0 Community
I marked a bunch of SQL injection hotspots safe, but two ended up in an inconsistent state.
If I go to the project on the web portal and go to the Security Hotspots tab, these two are listed, while all the others I marked are gone.
If I use the web API to look for the ones that are still TO_REVIEW, I use the URI “…/api/hotspots/search?statuses=TO_REVIEW&status=TO_REVIEW&ps=100&p=1&projectKey=…” and get in return an object whose main array contains two hotspots. The first is
key : AXfxh2ZWL4bd72AKP4h8
…
project : us.or.state.pers:OR_CLT_9_7_1
securityCategory : sql-injection
vulnerabilityProbability : HIGH
status : REVIEWED
resolution : SAFE
…
And when I use hotspots/show to view the details, it also shows the status/resolution as REVIEWED/SAFE and also shows the comment I added explaining why the code is safe.
I deleted my comments from those two, then tried using the hotspots/change_status endpoint to change them directly to REVIEWED/SAFE (while reapplying my comment). This didn’t work. They were still in this inconsistent state where they showed up on the web portal but were still reported as TO_REVIEW. Also, my comment was not on either one. Apparently, the change_status endpoint believed that the status was already REVIEWED, and therefore didn’t attempt to change it or add my comment.
I had to change each of them back to TO_REVIEW status, and then change them back to REVIEWED/SAFE, and now they appear to be in a correct and consistent state.
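Added example (mine, not part of the post or of SonarQube): a small Python script that spots the inconsistency described above, hotspots returned by a TO_REVIEW search whose own status field already reads REVIEWED, and applies the same reset-to-TO_REVIEW-then-reapply-REVIEWED/SAFE workaround through api/hotspots/change_status. It assumes the `status` query parameter on api/hotspots/search, the `hotspot`/`status`/`resolution`/`comment` form parameters on change_status, and a user token sent as the basic-auth username; the sample search response is constructed.

```python
import base64
import urllib.parse
import urllib.request

# Constructed stand-in for what api/hotspots/search?status=TO_REVIEW returned in the
# post: the query asked for TO_REVIEW, yet the first hotspot comes back REVIEWED/SAFE.
SAMPLE_SEARCH_RESPONSE = {
    "hotspots": [
        {"key": "AXfxh2ZWL4bd72AKP4h8", "status": "REVIEWED", "resolution": "SAFE",
         "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH"},
        {"key": "CONSTRUCTED-KEY-2", "status": "TO_REVIEW", "resolution": None,
         "securityCategory": "sql-injection", "vulnerabilityProbability": "HIGH"},
    ]
}

def find_inconsistent(search_response, queried_status="TO_REVIEW"):
    """Keys of hotspots the server listed under `queried_status` even though the
    hotspot's own status field says something else (the state seen in the post)."""
    return [h["key"] for h in search_response.get("hotspots", [])
            if h.get("status") != queried_status]

def repair_steps(comment):
    """The workaround from the post: reset to TO_REVIEW, then re-apply REVIEWED/SAFE
    with the review comment. Each dict is a form body for api/hotspots/change_status
    (parameter names assumed from the SonarQube Web API documentation)."""
    return [
        {"status": "TO_REVIEW"},
        {"status": "REVIEWED", "resolution": "SAFE", "comment": comment},
    ]

def repair_hotspot(base_url, token, hotspot_key, comment, post=None):
    """Run both change_status calls in order; `post` can be swapped for a dry run."""
    post = post or _post_form
    results = []
    for step in repair_steps(comment):
        body = {"hotspot": hotspot_key, **step}
        results.append(post(f"{base_url}/api/hotspots/change_status", token, body))
    return results

def _post_form(url, token, body):
    # Assumed: SonarQube accepts a user token as basic-auth username, empty password.
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(),
                                 headers={"Authorization": f"Basic {creds}"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run `find_inconsistent` over each page of the TO_REVIEW search first; only the keys it returns need the two-step repair, so hotspots that are already consistent are left untouched.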