[EDIT: I had misunderstood the original question. This answer is not related to it]
Thank you for your feedback.
There is indeed a bug in version 7.9 of SonarC# and SonarVB which was released last week. Just as you said, Security Hotspots should never impact the quality gate, except when they are “detected” as Vulnerabilities. We are currently working on a fix.
The bug report is available here: https://github.com/SonarSource/sonar-dotnet/issues/2131
In the meantime you can either:
- Revert to the previous version of the SonarC#/SonarVB plugin.
- Deactivate external Roslyn issues like this: Go to your project’s Administration tab > General Settings > External analyzers > C# Ignore issues from external Roslyn analyzers > enable the option.
- Create a copy of the SonarWay Quality Profile and disable the Security Hotspot rules for C# and VB.NET.
I would personally recommend the second option as it can easily be reset once we release fixed plugins.
We apologize for the inconvenience.
I will let you know as soon as the plugins are fixed.