How to handle squid:S4529?

bugbouncer · September 18, 2018, 3:08pm

I would like to know, how to handle the Java/Spring rule
Exposing Spring endpoints is security-sensitive (squid:S4529).
https://sonarcloud.io/coding_rules?open=squid%3AS4529&rule_key=squid%3AS4529

Unlike in other rules SonarSource does not provide a “Compliant” description.
Is the only way to handle, to add a “SuppressWarning” annotation to the method?
We are using SonarQube 7.1.

ganncamp · September 18, 2018, 4:13pm

Hi,

You’re looking at a Hotspot rule. Hotspots are uses of sensitive APIs. Essentially, this is Schroedinger’s Vulnerability; you won’t know if it’s a problem or not until you look at it. Unfortunately, you’re using a new analyzer version with a slightly stale version of the platform, so you’re not getting the full experience which was added in 7.3. This may be partly why the experience is confusing.

There’s a little documentation for how this is intended to work (starting in 7.3):

We’d be interested in any feedback you have.

Ann

bugbouncer · September 19, 2018, 1:16pm

Thanks for the quick response.
I wasn’t aware of the Audit Concept - that clarifies a lot.

Topic		Replies	Views
How to resolve issue Exposing Spring endpoints is security-sensitive SonarQube Server / Community Build java , sonarqube , security-hotspot	2	4886	March 8, 2019
How to configure ignoring security hotspots SonarQube Server / Community Build javascript , security-hotspot	10	12412	June 13, 2024
How to fix issue in Spring mvc trigger: Make sure that exposing this HTTP endpoint is safe here SonarQube Server / Community Build java , sonarqube	2	3314	June 21, 2019
Sonar rule java:S4507 is not working for sonar community version 8.9, nor 9.9 Report False-positive / False-negative... java , sonarqube , rules	6	1222	May 8, 2023
Clarification on squid:S2077 evolution SonarQube Cloud java , rules	1	820	January 7, 2019

How to handle squid:S4529?

Related topics