False positive on squid:S4508 (deserializing objects is security-sensitive)

  • SonarQube 6.7.6

As you can see our code uses ValidatingObjectInputStream as suggested.
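For readers who do not have the screenshot, here is the allowlist check that a reviewer of this hotspot is asked to confirm, as an added example rather than the poster's code: the `Order` type is a constructed sample, and the Apache Commons IO dependency that provides `ValidatingObjectInputStream` is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class SafeDeserialize {
    // Constructed sample type: the only class this endpoint is ever expected to receive.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int qty;
        Order(String id, int qty) { this.id = id; this.qty = qty; }
    }

    // The readObject() call that S4508 flags, wrapped in an explicit allowlist.
    // ValidatingObjectInputStream rejects any class descriptor that matches no accept()
    // rule, so a stream carrying an unexpected type fails before it is instantiated.
    static Object readAllowlisted(byte[] payload) throws Exception {
        try (ValidatingObjectInputStream in =
                 new ValidatingObjectInputStream(new ByteArrayInputStream(payload))) {
            in.accept(Order.class);   // exact class, no package wildcards
            return in.readObject();
        }
    }

    // Helper used only to build sample payloads for the demonstration below.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) readAllowlisted(serialize(new Order("A-1", 3)));
        System.out.println("accepted: " + ok.id + " x" + ok.qty);
        try {
            readAllowlisted(serialize(new ArrayList<>()));   // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that `reject()` rules take precedence over `accept()` in this class, so a blanket `reject("*")` would also refuse the allowed type; the allowlist alone is what does the filtering.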

Hello Remi,

Thanks for coming back to us about Security Hotspots, that gives me the opportunity to give some details about them. Security Hotspots are not problems that must be fixed, they highlight pieces of code that must be carefully reviewed. We highlight code that is generally used in attacks and request a security expert to review them. If you click on the link just after the word “here”, you will get explanations about how to react when looking at such an issue.

By definition, a Security Hotspot issue can’t be a False-Positive. A Security Hotspot issue will highlight all pieces of code that are security-sensitive. In your case, the readObject() method is highlighted and it requires a manual review.
This is what you did and you confirmed that you are already doing the validation that the deserialized object is safe. So the next action is to change the status of this Security Hotspot to “Cleared” by clicking on the “Clear” entry:
In case you look at a Security Hotspot and you believe there is a problem to fix, then you should click on “Detect”. That will transform the Security Hotspot into a Vulnerability.

See: https://docs.sonarqube.org/latest/user-guide/security-reports/

Regards

Ok many thanks for your very clear explanation. I guess that a Developer License is required to automatically report this kind of manual clearing on other branches?

If I am not mistaken I believe that I don’t have “Security HotSpot” in my 6.7 version… Same for the Detect/Clear functions…

You are right, the Security Hotspot issue type is only provided with SQ 7.3+. See https://www.sonarqube.org/sonarqube-7-3/
Security Hotspots are visible as Vulnerabilities on SQ 6.7 LTS. So in your case, there is no other option than closing the issue as “Won’t Fix”.

Ok well noted. Thanks again for your answers.
Regards