Actually there is only a Security Hotspot when using System.getEnv()
The same rule should be present when using System.getProperty to access a property that could be changed by the user.
Hello again @reitzmichnicht and thanks for this suggestion
You are right but rule S5304 will be deprecated in a near future.
Environment variables could be controlled by users and thus considered as “sources” by our taint analyzer engine. It is likely the goal to add System.getEnv(), System.getProperty() and similar as “sources” however it will impact all injection flaws/rules like XSS, SQLI (available starting SonarQube DE or SonarCloud) thus it’s not a little change and needs discussion/time.
Eric