Security Hotspot UI does not display rule descriptions properly

  • version: SonarQube 8.2
  • error observed: It looks like the new Security Hotspots UI can only handle HTML descriptions. This doesn’t play well with template rules, which vomit a garbled mess of markdown into the “What’s the risk?” tab.
  • steps to reproduce: Create a security hotspot rule from a template and view one in the new Security Hotspots UI
Actually, the bug is more about the fact that you managed to create a Security Hotspot from a Template Rule, which is not a use case we identified.

How did you manage to create this Security Hotspot? From which Template Rule?


Hi Alex,

Actually, the bug is the fact that SonarQube is arbitrarily ripping apart the HTML descriptions of security hotspot rules according to your own header conventions in order to construct these tabs on the new UI interface.

This is a custom plugin, and the Security Hotspot rule in question is derived from a “track use of method” template rule. This is an important use case for us, and it will be problematic if it’s removed.
With this rule for example, we have our own regex framework in this codebase. If we can’t define the regex methods to track in some template rule then we’d have to hardcode method signatures from our own personal framework into the plugin, which is simply not the right place for that data to live.

In answer to your question of how I created this, you have always been able to create Security Hotspot rules from templates. An option for which type of rule it should be is provided when you create it. (See below)

Thanks @Jonah_IntegraDev for the detailed explanations.

To be completely honest, we missed this use case when we worked on the new Security Hotspots page, which is why you get this weird display. Still, it makes sense, and the markdown should not be ignored as it is today, so here is the ticket to fix that problem:


Hi @Alexandre_Gigleux,

I was happy to see that markdown is now being converted to HTML in Sonar 8.3.
There is a slight issue with the current implementation though.

Even when using the markdown-equivalent of h2, markdown descriptions won’t be split into the ‘What’s the risk?’, ‘Are you at risk’, and ‘How can you fix it?’ tabs. This is because, when the line “== Ask Yourself Whether\n” is converted to HTML, it’s converted as “<h2>Ask Yourself Whether\n</h2>” with the newline inside of the tags instead of outside.

The trailing newline causes a problem with recognizing these headers as sections in the description, and so the entire description is displayed under the single ‘What’s the risk?’ tab.
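
The failure mode described above, as an added example (not code from SonarQube or from anyone in this thread): a minimal converter that turns `== Title` lines into `<h2>` elements either with the newline left inside the tag (the 8.3 behaviour reported here) or stripped, and a section splitter that shows why an exact-match header lookup misses `<h2>Ask Yourself Whether\n</h2>` while a whitespace-normalised lookup still finds it. The sample description and its second header name are constructed for the demo.

```python
import re
from typing import Dict


def markdown_h2_to_html(text: str, strip_newline: bool) -> str:
    """Convert lines of the form '== Title' into <h2> elements.

    strip_newline=False mimics the behaviour reported in the thread: the
    line's trailing newline ends up inside the <h2> element.
    """
    out = []
    for line in text.splitlines(keepends=True):
        if line.startswith("== "):
            title = line[3:]
            if strip_newline:
                out.append(f"<h2>{title.rstrip(chr(10))}</h2>\n")
            else:
                out.append(f"<h2>{title}</h2>")  # newline stays inside the tag
        else:
            out.append(line)
    return "".join(out)


# Matches one <h2> element; [^<]* also spans a newline inside the tag.
H2 = re.compile(r"<h2>([^<]*)</h2>")


def split_sections(html: str, tolerant: bool) -> Dict[str, str]:
    """Split a rule description into {section title: body html}.

    Text before the first <h2> is stored under "" (the default tab content).
    With tolerant=True the title is whitespace-normalised, so a header
    rendered as '<h2>Title\n</h2>' is still keyed as 'Title'.
    """
    sections: Dict[str, str] = {}
    title, pos = "", 0
    for m in H2.finditer(html):
        sections[title] = html[pos:m.start()].strip()
        raw = m.group(1)
        title = " ".join(raw.split()) if tolerant else raw
        pos = m.end()
    sections[title] = html[pos:].strip()
    return sections


# Constructed sample description; the second header name is an assumption.
SAMPLE_MD = (
    "Building a regex from untrusted input can be risky.\n"
    "== Ask Yourself Whether\n"
    "* the pattern is built from user input\n"
    "== Recommended Secure Coding Practices\n"
    "* validate input length before matching\n"
)
```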


Hi @Jonah_IntegraDev,

I’ve created a ticket to fix that.

Thanks for the feedback!