Import SARIF results as security hotspots

Hi Colin,

This comment about security hotspots no longer being permitted to be raised by external tools is disappointing. The Dependency Check plugin used to raise CVEs as Security Hotspots, and they were able to be presented and managed well that way, but now they can’t be and are raised as security issues (poorly). This would seem the ideal use case for a Security Hotspot, would it not? Would it not be better to be left to the end user to decide whether they want to install or uninstall a plugin based on its behaviour, rather than having this capability restricted to plugin developers? This is an open source plugin that a community contributes to / comments on and would still benefit greatly from raising these as Security Hotspots.

A thread that touches on this is here:

Will