Value of parameter ‘types’ (SECURITY_HOTSPOT) must be one of: [CODE_SMELL, BUG, VULNERABILITY]

  • versions used: SonarCloud Azure DevOps (SonarScanner 4.6.2.2472)

  • error observed:

Value of parameter ‘types’ (SECURITY_HOTSPOT) must be one of: [CODE_SMELL, BUG, VULNERABILITY]
  • steps to reproduce:
    Analyze a repository with a security hotspot using SonarCloud steps for Azure DevOps. The quality gate will fail due to the security hotspot, but you won’t be able to find it since the SECURITY_HOTSPOT type doesn’t exist.

  • potential workaround: There is an issue on GitHub (Getting Value of parameter 'statuses' (TO_REVIEW) must be one of: [OPEN, CONFIRMED, REOPENED, RESOLVED, error · Issue #45 · soprasteria/sonar-report · GitHub) that talks about a similar issue, but I’m not sure how to make it work with the SonarCloudPrepare@1 step in Azure DevOps. Apparently you can set the flag --noSecurityHotspot="true" as a workaround since the type SECURITY_HOTSPOT was removed from SonarCloud 8. Is there any way to set this flag on extraProperties? Is SonarCloud already working on getting this resolved?

Hey there.

Thanks for the report. We recently noticed this internally in the context of browsing a file in SonarCloud and clicking on the number of hotspots raised (which should direct users to the Security Hotspots tab of their branch/pull request).

Can you clarify where you click in the UI that this error is raised?