How to handle squid:S4529?

java
hotspots

(Matthias Kammerinke) #1

I would like to know how to handle the Java/Spring rule
"Exposing Spring endpoints is security-sensitive" (squid:S4529).
https://sonarcloud.io/coding_rules?open=squid%3AS4529&rule_key=squid%3AS4529

Unlike for other rules, SonarSource does not provide a "Compliant" description.
Is the only way to handle it to add a "SuppressWarnings" annotation to the method?
We are using SonarQube 7.1.


(G Ann Campbell) #2

Hi,

You’re looking at a Hotspot rule. Hotspots are uses of sensitive APIs. Essentially, this is Schroedinger’s Vulnerability; you won’t know if it’s a problem or not until you look at it. Unfortunately, you’re using a new analyzer version with a slightly stale version of the platform, so you’re not getting the full experience which was added in 7.3. This may be partly why the experience is confusing.

There’s a little documentation for how this is intended to work (starting in 7.3):

We’d be interested in any feedback you have.

Ann


(Matthias Kammerinke) #3

Thanks for the quick response.
I wasn’t aware of the Audit Concept - that clarifies a lot.