Safe marked Security Hotspots reopened after PR merge into main branch

  • SonarQube Enterprise Edition - 9.4
  • Scanner - 4.7.0.2747

We have a C/C++ project which is configured to run PR and develop (main) branch Sonar scans via a Jenkins CI pipeline.
Recently in one of the PRs Sonar detected 11 new Security Hotspots, of which 10 were marked as SAFE and 1 was marked as FIXED (100% reviewed).
Meanwhile on the main branch there were 0 total Security Hotspots (100% reviewed).

After merging the PR into the main branch we have 5 new Security Hotspots on new code. These are exactly the same ones that were marked as SAFE in the PR.

Any idea why these hotspots are being created again on the main branch?
(Please note that after the PR merge, during the main branch build, there were no other changes than the changes from the PR.)

Thanks.

Hey there.

Thanks for the feedback. We’re already aware of the issue and expect to fix it soon, probably in the next SonarQube release (v9.6) [SONAR-16561] - Jira

Thanks @Colin, what is the tentative time frame for the v9.6 release?

August.

Hey @Colin,
9.6 is released, though the Jira ticket is still in the open state. Any idea if the fix is included in 9.6?

Thanks.

It looks like it didn’t make it into the release and remains in the backlog.