Hi @Roy_Sela , @agabrys, @Joerg.Sesterhenn,
Thank you for your patience. As of SonarJava 5.9, which was released two weeks ago, rule S2077’s type changed from “Vulnerability” to “Security Hotspot”. The deprecation has been removed.
Security Hotspot rules raise issues on security-sensitive code which needs to be reviewed. The goal of these rules is not to pinpoint real vulnerabilities, but instead to guide security auditors during their code review, thus simplifying their work. Security Hotspot issues do not count in the Quality Gate.
The rule S3649 replaces S2077 as “Vulnerability rule”. It uses SonarQube’s taint analysis engine, which creates fewer false positives and explains where the injection comes from. However, just as any other taint analysis engine, it cannot detect every possible injection. Only a “manual secure code review” (see OWASP doc) can do it, which is why we added the concept of Security Hotspots.
The taint analysis engine is available starting with the Developer Edition. Security Hotspot rules are available in the SonarQube Community Edition and can be accessed via the Security Report. This is a new feature and we welcome all feedback.
@Joerg.Sesterhenn Regarding your request to disable inherited rules, this is a separate discussion. May I ask you to create a new thread in https://community.sonarsource.com/c/suggestions/features?
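As an added illustration of the Hotspot-versus-Vulnerability distinction described in the post (this is not code from the post or from SonarSource, and the class, method and column names are hypothetical), here are three variants of the same query construct in Java:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical repository class used only to show what each rule type reacts to.
public class UserRepository {

    private final Connection connection;

    public UserRepository(Connection connection) {
        this.connection = connection;
    }

    // Case 1: the SQL text is built from a runtime String, so the Security Hotspot
    // rule (S2077, "formatting SQL queries") raises an issue for review. The reviewer
    // can see that 'order' is always one of two fixed literals, so no attacker-controlled
    // data reaches the query and the hotspot can be reviewed as safe. Not a vulnerability.
    public ResultSet listUsers(boolean newestFirst) throws SQLException {
        String order = newestFirst ? "created_at DESC" : "created_at ASC";
        String sql = "SELECT id, name FROM app_user ORDER BY " + order;
        Statement stmt = connection.createStatement();
        return stmt.executeQuery(sql);
    }

    // Case 2: the same construct, but the concatenated value comes from an HTTP request
    // parameter (assumed to be passed in by the caller). The taint analysis rule (S3649)
    // follows the value from its source to the executeQuery sink and reports a
    // vulnerability together with that path. The hotspot rule flags this line too,
    // but only the taint rule can tell the two cases apart.
    public ResultSet findByName(String nameFromRequest) throws SQLException {
        String sql = "SELECT id, name FROM app_user WHERE name = '" + nameFromRequest + "'";
        Statement stmt = connection.createStatement();
        return stmt.executeQuery(sql); // injectable: request data becomes SQL text
    }

    // Case 3: the fix. The value is bound as a parameter and never becomes part of the
    // SQL text, so the query is a plain literal and neither rule has anything to report.
    public ResultSet findByNameSafely(String nameFromRequest) throws SQLException {
        PreparedStatement stmt =
            connection.prepareStatement("SELECT id, name FROM app_user WHERE name = ?");
        stmt.setString(1, nameFromRequest);
        return stmt.executeQuery();
    }
}
```

Case 1 is what the post means by "security-sensitive code which needs to be reviewed": the Hotspot points the auditor at it, but only a human (or, for case 2, the taint engine) decides whether it is actually exploitable.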