How to handle squid:S4529?

I would like to know, how to handle the Java/Spring rule
Exposing Spring endpoints is security-sensitive (squid:S4529).

Unlike for other rules, SonarSource does not provide a “Compliant” description for it.
Is the only way to handle it to add a “SuppressWarnings” annotation to the method?
We are using SonarQube 7.1.


You’re looking at a Hotspot rule. Hotspots are uses of sensitive APIs. Essentially, this is Schroedinger’s Vulnerability; you won’t know if it’s a problem or not until you look at it. Unfortunately, you’re using a new analyzer version with a slightly stale version of the platform, so you’re not getting the full experience which was added in 7.3. This may be partly why the experience is confusing.

There’s a little documentation for how this is intended to work (starting in 7.3):

We’d be interested in any feedback you have.


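For illustration, an added example (not from this thread or from SonarSource) of how a reviewer might close out this hotspot per endpoint: a harmless endpoint keeps the reviewed suppression next to its justification, while an endpoint that returns account data gets an explicit authorization constraint instead. The controller, the `AccountController` name and the roles are hypothetical; it assumes Spring Security with method security (`prePostEnabled`) turned on.

```java
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller showing how each S4529 hotspot is reviewed individually.
@RestController
public class AccountController {

    // Reviewed: public, read-only, returns no sensitive data. On 7.3+ this would be
    // marked as reviewed in the UI; on 7.1 the rule key is suppressed in code, with the
    // reason kept right beside the suppression so the next reviewer sees it.
    @SuppressWarnings("squid:S4529") // reviewed: health probe, no sensitive data
    @GetMapping("/api/health")
    public ResponseEntity<String> health() {
        return ResponseEntity.ok("UP");
    }

    // Reviewed: exposes account data, so the mitigation is an explicit authorization
    // check rather than a suppression. The hotspot stays visible in SonarQube, and the
    // reviewer can point to this constraint when marking it as handled.
    @PreAuthorize("hasRole('ACCOUNT_ADMIN') or #accountId == authentication.name")
    @GetMapping("/api/accounts/{accountId}")
    public ResponseEntity<String> account(@PathVariable String accountId) {
        return ResponseEntity.ok("account " + accountId); // hypothetical payload
    }
}
```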

Thanks for the quick response.
I wasn’t aware of the Audit Concept - that clarifies a lot.