Issues API does not return security hotspots when passing a severity

Tested with: SonarQube version 7.9.1 (build 27448) and

Error observed: issues API does not return security hotspots when severity parameter is used.

Steps to reproduce:

Potential workaround: make multiple calls to the issues API to retrieve security hotspots and other issues separately.


That’s because Hotspots don’t have a severity. I think of them as Schroedinger’s Vulnerabilities - might be a problem, might not; you won’t know until you look. So (to extend the metaphor) just like Schroedinger’s cat is either dead (not Blocker/really dead or Info/a little dead) Hotspots are either problems or they’re not, and severity just isn’t appropriate in this context.


Hi Ann,

That makes sense. Maybe this can be added to the API documentation? For example, "Note that if you specify one or more severities, no issues of type ‘security hotspot’ will be returned because security hotspots have no severity.

Thanks, Frank

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.