Version: SonarQube Enterprise 8.9.1 (44547)
Error: SonarQube is reporting a code smell as a vulnerability, specifically “S2384: Mutable Members should not be stored or returned directly”
Steps: Unsure, it happens in one project, on one branch (develop); other branches report the correct type (Code Smell). Note: it happens every time this branch is built, even after code is merged in. The merged-in branches have the correct category of “Code Smell”.
How old is that issue? Over the history of SonarQube we’ve re-evaluated (and recategorized) rules multiple times. It sounds like that issue was first raised on your develop branch with an earlier version of SonarQube that thought S2384 was a Vulnerability, and the other branches were initially analyzed by more recent versions, after the rule was recategorized.
“Why wasn’t the issue on Develop re-categorized?” I can hear you asking yourself. Because we make an effort not to impact your Quality Gate unexpectedly and because moving around the type or severity of existing issues could do that. So we don’t.
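The reply above says that an issue keeps the type it was created with, even after the rule behind it is recategorized. The script below is an added example, not code from this thread or from SonarSource: it pages through the SonarQube Web API (`api/issues/search`, which exists in 8.9) for one rule on one branch, lists the issues whose stored type no longer matches the rule's current type, and builds the form body for `api/issues/bulk_change` that an administrator could use to retype them deliberately. The server URL, token and project key are placeholders; `java:S2384` assumes the Java flavour of the rule the thread names; the JSON response embedded for the offline run is constructed. Retyping issues is exactly the automatic change the reply says SonarQube avoids because it can move your Quality Gate, so treat the bulk change as an explicit, reviewed action rather than something to run blindly.

```python
"""Audit SonarQube issues whose stored type differs from the rule's current type.

Added example, not from the forum thread or from SonarSource. Uses only
api/issues/search and api/issues/bulk_change (both present in SonarQube 8.9).
"""
import base64
import json
import urllib.parse
import urllib.request

SONAR_URL = "https://sonar.example.com"  # placeholder server
TOKEN = "squ_placeholder"                 # placeholder user token (needs Browse; Administer Issues for bulk_change)
PROJECT_KEY = "my-project"                # placeholder project key
BRANCH = "develop"                        # the branch from the question
RULE = "java:S2384"                       # rule key; the "java:" prefix is an assumption
EXPECTED_TYPE = "CODE_SMELL"              # the rule's current categorization


def search_params(project, branch, rule, page, page_size=500):
    """Query parameters for GET api/issues/search, restricted to one rule on one branch.
    Note the API caps a single search at 10,000 results in total."""
    return {
        "componentKeys": project,
        "branch": branch,
        "rules": rule,
        "statuses": "OPEN,CONFIRMED,REOPENED",
        "ps": page_size,
        "p": page,
    }


def http_get_json(url, token=TOKEN):
    """Real fetcher: SonarQube tokens go in the basic-auth username with an empty password."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_mismatched_issues(fetch, base_url, project, branch, rule, expected_type):
    """Page through the search results and return the keys of issues whose stored
    type is not expected_type. `fetch(url) -> dict` is injected so the same logic
    runs against a canned response without a server."""
    mismatched = []
    page = 1
    while True:
        params = search_params(project, branch, rule, page)
        data = fetch(f"{base_url}/api/issues/search?{urllib.parse.urlencode(params)}")
        for issue in data.get("issues", []):
            if issue.get("rule") == rule and issue.get("type") != expected_type:
                mismatched.append(issue["key"])
        paging = data.get("paging", {})
        seen = paging.get("pageIndex", page) * paging.get("pageSize", 500)
        if seen >= paging.get("total", 0):
            break
        page += 1
    return mismatched


def bulk_change_body(issue_keys, new_type, comment):
    """Form body for POST api/issues/bulk_change. The endpoint takes at most 500
    issue keys per call and requires the Administer Issues permission."""
    if len(issue_keys) > 500:
        raise ValueError("bulk_change accepts at most 500 issues per request")
    return {"issues": ",".join(issue_keys), "set_type": new_type, "comment": comment}


# Constructed sample response: one issue still carries the old VULNERABILITY type,
# the other was created after the recategorization and is already a CODE_SMELL.
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 2},
    "issues": [
        {"key": "ISSUE-OLD", "rule": "java:S2384", "type": "VULNERABILITY", "creationDate": "2018-03-01T10:00:00+0000"},
        {"key": "ISSUE-NEW", "rule": "java:S2384", "type": "CODE_SMELL", "creationDate": "2021-06-01T10:00:00+0000"},
    ],
}


def audit_sample():
    """Run the audit against the constructed response (no network)."""
    return find_mismatched_issues(lambda url: SAMPLE_RESPONSE, SONAR_URL, PROJECT_KEY, BRANCH, RULE, EXPECTED_TYPE)


if __name__ == "__main__":
    keys = audit_sample()  # swap the lambda for http_get_json to query a real server
    print("issues with a stale type:", keys)
    print("bulk_change body:", bulk_change_body(keys, EXPECTED_TYPE, "Retyped after S2384 recategorization"))
```

To run it against a real server, pass `http_get_json` instead of the lambda in `audit_sample` and POST the returned body to `api/issues/bulk_change` with the same basic-auth header; check the branch's Quality Gate conditions on new-code Vulnerabilities and Security Rating before you do, since that is what moving an issue out of the Vulnerability type will change.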