PHP Custom Plugin - I want to change the type of the issue


I am writing this post because I don’t know if it is possible to do what I have in mind.

I am developing a plugin in PHP to detect certain potentially dangerous functions.

I have already developed the plugin and it works correctly, but when I scan the branches, the issues are detected as code smells and I would like them to be security hotspots, but I don't know how to do it.

@Rule(
  key = ForbiddenFunctionUseCheck.KEY,
  priority = Priority.MAJOR,
  name = "Using a restricted php function is security-sensitive",
  tags = {"hotspot"}
)

I have this rule defined, but I don’t know if it is possible to set the type of issue.

I have followed this example to develop the plugin sonar-custom-rules-examples/php-custom-rules at master · SonarSource/sonar-custom-rules-examples · GitHub

If you need more information, please ask.

Thank you very much for your help


I suggest that you try calling the setType method in your implementation of RulesDefinition.
In the example plugin, that would be in MyPhpRules.


Thank you for your answer. I am seeing that there are three types (BUG, CODE SMELL and VULNERABILITY), but do you know if it's possible to change the type to security hotspot?

The documentation explains:

public abstract RulesDefinition.NewRule setType(RuleType t)
The type as defined by the SonarQube Quality Model.
When a plugin does not define rule type, then it is deduced from tags:
if the rule has the "bug" tag then type is RuleType.BUG
if the rule has the "security" tag then type is RuleType.VULNERABILITY
if the rule has both tags "bug" and "security", then type is RuleType.BUG
default type is RuleType.CODE_SMELL
Finally the "bug" and "security" tags are considered as reserved. They are silently removed from the final state of definition.

Reading the documentation, I guess I can’t set the security hotspot type.

Most of the documentation you cited explains the behavior when setType is not called.
Did you try something like the following?


I am looking at this article in the documentation, RuleType (sonar-plugin-api API), but when I changed the type in my IDE and compiled the plugin, the terminal said it cannot find the symbol:
symbol: variable SECURITY_HOTSPOT
location: class org.sonar.api.rules.RuleType

The solution was:

repository.rules().forEach(rule -> rule.setType(RuleType.valueOf("SECURITY_HOTSPOT")));

Thank you so much!
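Putting the thread's answer together as an added example (not code from the original posts or from the sonar-custom-rules-examples project): a RulesDefinition that loads the annotated check and then promotes that one rule to Security Hotspot. The string lookup defers the constant check from compile time to runtime, so the fallback covers a server whose plugin API predates SECURITY_HOTSPOT instead of failing with IllegalArgumentException. The repository key and name are placeholders; ForbiddenFunctionUseCheck is assumed to live in the same package.

```java
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.server.rule.RulesDefinitionAnnotationLoader;

public class MyPhpRules implements RulesDefinition {

  // Placeholder repository key/name; use the plugin's own values.
  public static final String REPOSITORY_KEY = "custom-php-rules";
  private static final String LANGUAGE_KEY = "php";

  @Override
  public void define(Context context) {
    NewRepository repository = context
        .createRepository(REPOSITORY_KEY, LANGUAGE_KEY)
        .setName("Custom PHP rules");

    // Load metadata from the @Rule annotation, as the example plugin does.
    // Tags alone only yield BUG / VULNERABILITY / CODE_SMELL, so the type
    // has to be set explicitly afterwards.
    new RulesDefinitionAnnotationLoader().load(repository, ForbiddenFunctionUseCheck.class);

    RuleType hotspotType = resolveHotspotType();
    repository.rules().stream()
        .filter(rule -> ForbiddenFunctionUseCheck.KEY.equals(rule.key()))
        .forEach(rule -> rule.setType(hotspotType));

    repository.done();
  }

  /**
   * Resolves SECURITY_HOTSPOT by name so the plugin compiles against an API
   * version that lacks the constant; on a runtime that also lacks it, the
   * rule degrades to VULNERABILITY rather than breaking server startup.
   */
  static RuleType resolveHotspotType() {
    try {
      return RuleType.valueOf("SECURITY_HOTSPOT");
    } catch (IllegalArgumentException constantMissing) {
      return RuleType.VULNERABILITY;
    }
  }
}
```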
