Actually, the bug is the fact that SonarQube is arbitrarily ripping apart the HTML descriptions of security hotspot rules according to your own header conventions in order to construct these tabs on the new UI interface.
This is a custom plugin, and the Security Hotspot rule in question is derived from a “track use of method” template rule. This is an important use case for us, and it will be problematic if it’s removed.
With this rule, for example, we have our own regex framework in this codebase. If we can’t define the regex methods to track in some template rule, then we’d have to hardcode method signatures from our own personal framework into the plugin, which is simply not the right place for that data to live.
In answer to your question of how I created this, you have always been able to create Security Hotspot rules from templates. An option for which type of rule it should be is provided when you create it. (See below.)