How to resolve issue Exposing Spring endpoints is security-sensitive

java
security-hotspot
sonarqube

(Budi Suryadi) #1

Hi All,

I have the issue “Exposing Spring endpoints is security-sensitive”, but I don’t understand how to fix it.


(Nicolas Harraudeau) #3

Hi @budi_suryadi,

Thank you for your question.

You’re looking at a Hotspot rule. Security Hotspots are meant to help secure code reviews by pointing auditors to locations where vulnerabilities usually start. The goal of a secure code review is to manually find vulnerabilities which cannot be detected automatically.

There’s a little documentation on how Hotspots are intended to work (starting in SonarQube 7.3):

The rule you mentioned, i.e. S4529 “Exposing Spring endpoints is security-sensitive”, has been rewritten to better explain what should be checked. The updated description will be released in a future version of the SonarJava plugin.

Could you tell us which version of SonarQube you are using? If you are using a version smaller than 7.3 you will not benefit from the full experience of Hotspots.

We’d be interested in any feedback you have.

 
Nicolas
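As an added illustration of what the S4529 hotspot asks a reviewer to look at (this is example code, not from the thread, SonarSource, or the Spring project): the rule flags methods made reachable over HTTP through Spring's request-mapping annotations (`@RequestMapping`, `@GetMapping`, `@PostMapping`, ...). The hotspot itself is not a bug; it marks a place where the reviewer confirms that the exposure is intentional and that authorization and input validation are in place. The controller, its DTOs and the in-memory store below are hypothetical, and the code assumes Spring Web, Spring Security (with method security enabled) and Bean Validation on the classpath, using the `javax.validation` package names of Spring Boot 2.x.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.validation.Valid;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Size;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, constructed for this example.
@RestController
@RequestMapping("/api/accounts")
public class AccountController {

    // Constructed stand-in for a repository so the example is self-contained.
    private final Map<String, AccountView> store = new ConcurrentHashMap<>();

    // S4529 points at this method: @GetMapping makes it reachable over HTTP.
    // Review points: the path is restricted to one HTTP method, and the
    // authorization rule limits reads to admins or the account's own owner.
    @GetMapping("/{id}")
    @PreAuthorize("hasRole('ADMIN') or #id == authentication.name")
    public ResponseEntity<AccountView> get(@PathVariable String id) {
        AccountView view = store.get(id);
        return view == null ? ResponseEntity.notFound().build() : ResponseEntity.ok(view);
    }

    // Second exposed endpoint: a state-changing operation.
    // Review points: admin-only, and the request body is validated with @Valid
    // before any of its fields are used.
    @PostMapping
    @PreAuthorize("hasRole('ADMIN')")
    public ResponseEntity<AccountView> create(@Valid @RequestBody CreateAccountRequest request) {
        AccountView view = new AccountView(request.getId(), request.getDisplayName());
        store.put(view.getId(), view);
        return ResponseEntity.ok(view);
    }

    // Request DTO with Bean Validation constraints (hypothetical).
    public static class CreateAccountRequest {
        @NotBlank @Size(max = 64) private String id;
        @NotBlank @Size(max = 128) private String displayName;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
    }

    // Response DTO: only the fields meant to leave the service (hypothetical).
    public static class AccountView {
        private final String id;
        private final String displayName;
        public AccountView(String id, String displayName) { this.id = id; this.displayName = displayName; }
        public String getId() { return id; }
        public String getDisplayName() { return displayName; }
    }
}
```

In a review, each flagged mapping gets the same three questions: should this path be exposed at all, who is allowed to call it (here enforced by `@PreAuthorize`), and is every input validated before use (here `@Valid` on the body and a bounded path variable). Once those are confirmed for an endpoint, the hotspot has served its purpose; it is reviewed rather than "fixed" in the code.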