I’m using SonarQube Developer Edition 8.1, and after SonarQube scans I see 46 instances of the "Make sure that using a regular expression is safe here" error as Security Hotspots.
Why don’t I see any severity for Security Hotspots?
How do I conclude whether it’s really an error or a false positive?
I like to describe Security Hotspots as Schrödinger’s Vulnerabilities: you won’t know if there’s a problem or not until you look. And since they’re only potential problems, we don’t assign a severity.
In later versions (we’re on 8.7 now; you might want to catch up) we’ve crafted a special interface around Security Hotspot review. I guess in 8.1 you simply want to consult the rule description; it should give you what you need.
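As an added illustration of what that review looks like for this particular hotspot (it is not code from the thread or from SonarQube), the check below probes a flagged pattern for catastrophic backtracking, which is the regex risk the "is safe here" hotspot is about. The question does not say which language was scanned, so Python is assumed; both patterns are constructed stand-ins for a flagged line, and the `growth_factor` threshold of 8 is an assumption chosen to sit well below the 2**6 slowdown a nested quantifier produces when the adversarial input grows by six characters. A reviewer marks the hotspot "safe" when the pattern is hard-coded, its input length is bounded, and a probe like this shows linear growth; otherwise it is a real issue and the pattern needs a rewrite such as the `SAFE` variant.

```python
"""Triage of a regex Security Hotspot by probing for catastrophic backtracking.

Constructed example (not from the thread): two hand-written patterns stand in
for a line SonarQube flagged with "Make sure that using a regular expression is
safe here".
"""
import re
import timeit

# Nested quantifier: on a non-matching input Python's backtracking engine tries
# every way of splitting the run of "a"s between the inner and outer "+", so a
# failed match costs O(2**n). This is the classic ReDoS shape.
EVIL = re.compile(r"^(a+)+$")

# Same language (one or more "a"), no nested quantifier: a single pass, O(n).
SAFE = re.compile(r"^a+$")


def adversarial_input(n: int) -> str:
    """n characters the pattern accepts, then one it rejects: forces a failed
    match, which is where backtracking blows up."""
    return "a" * n + "!"


def match_seconds(pattern: re.Pattern, text: str, repeat: int = 5) -> float:
    """Best-of-`repeat` wall time for one match attempt (min damps timer noise)."""
    return min(timeit.repeat(lambda: pattern.match(text), number=1, repeat=repeat))


def growth_factor(pattern: re.Pattern, n1: int = 12, n2: int = 18) -> float:
    """How much slower a failed match gets when the input grows by n2 - n1 chars.

    Roughly 1 for a linear pattern; about 2**(n2 - n1) (here 64) for ^(a+)+$.
    n2 is kept small so the probe itself stays fast even when the pattern is
    vulnerable; never run this kind of probe with long inputs in production."""
    t1 = match_seconds(pattern, adversarial_input(n1))
    t2 = match_seconds(pattern, adversarial_input(n2))
    return t2 / max(t1, 1e-9)


def looks_vulnerable(pattern: re.Pattern, threshold: float = 8.0) -> bool:
    """Verdict for the hotspot: exponential growth means a short crafted input
    can burn CPU, so the hotspot is a real issue, not a false positive.
    `threshold` is an assumed cut-off, well below the 64x expected here."""
    return growth_factor(pattern) > threshold


def same_language(a: re.Pattern, b: re.Pattern, samples) -> bool:
    """Sanity check for a rewrite: the replacement must accept and reject the
    same inputs as the original, otherwise the "fix" changed behaviour."""
    return all((a.match(s) is None) == (b.match(s) is None) for s in samples)


if __name__ == "__main__":
    samples = ["", "a", "aaaa", "b", "aaab", adversarial_input(5)]
    print("rewrite preserves behaviour:", same_language(EVIL, SAFE, samples))
    for name, pat in (("EVIL", EVIL), ("SAFE", SAFE)):
        print(f"{name}: growth x{growth_factor(pat):.0f}, vulnerable={looks_vulnerable(pat)}")
```

The probe only answers the "is the pattern itself dangerous" half of the review; the other half is whether the input, or the pattern string, can come from an untrusted source at all, which has to be read off the code around the flagged line.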