Hi All,
I have the issue "Exposing Spring endpoints is security-sensitive", but I don't understand how to fix it.
Hi @budi_suryadi,
Thank you for your question.
You’re looking at a Hotspot rule. Security Hotspots are meant to help secure code reviews by pointing auditors to locations where vulnerabilities usually start. The goal of a secure code review is to manually find vulnerabilities which cannot be detected automatically.
There's a little documentation on how Hotspots are intended to work (starting in SonarQube 7.3).
The rule you mentioned, i.e. S4529 “Exposing Spring endpoints is security-sensitive”, has been rewritten to better explain what should be checked. The updated description will be released in a future version of the SonarJava plugin.
Could you tell us which version of SonarQube you are using? If you are using a version smaller than 7.3 you will not benefit from the full experience of Hotspots.
We’d be interested in any feedback you have.
Nicolas
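As an added illustration (not code from the thread, from SonarSource, or from the rule description itself), here is the kind of Spring MVC endpoint a "Exposing Spring endpoints is security-sensitive" hotspot points at, with comments marking what a reviewer would verify before marking the hotspot as safe. The controller, path, `AccountService`, `AccountView` and `TransferRequest` types are assumptions made for the example; it targets Spring Boot 3 (jakarta validation) and requires `@EnableMethodSecurity` on a configuration class for `@PreAuthorize` to take effect.

```java
import jakarta.validation.Valid;
import jakarta.validation.constraints.Positive;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

// Assumed example types; a real project would have its own.
record AccountView(long id, String displayName) {}          // no balance, no PII
record TransferRequest(@Positive long toAccountId, @Positive long amountCents) {}

interface AccountService {
    AccountView findOwnedBy(long id, String ownerName);       // returns null if not owned
    void transfer(long fromId, long toId, long amountCents, String ownerName);
}

// Every handler below is reachable over HTTP, which is exactly what the hotspot
// flags. The rule does not claim a vulnerability; the reviewer confirms each
// numbered point and then resolves the hotspot as "safe" or "fixed".
@RestController
@RequestMapping("/api/accounts")
public class AccountController {

    private final AccountService accounts;

    public AccountController(AccountService accounts) {
        this.accounts = accounts;
    }

    @GetMapping("/{id}")
    @PreAuthorize("hasRole('USER')")                              // 1. authentication and a role are enforced
    public ResponseEntity<AccountView> get(@PathVariable @Positive long id,
                                           java.security.Principal principal) {
        // 2. object-level authorization: the caller may only read their own account
        AccountView view = accounts.findOwnedBy(id, principal.getName());
        if (view == null) {
            return ResponseEntity.notFound().build();             // 3. no "exists but not yours" leak
        }
        return ResponseEntity.ok(view);                           // 4. response carries only non-sensitive fields
    }

    @PostMapping("/{id}/transfers")
    @PreAuthorize("hasRole('USER')")
    public ResponseEntity<Void> transfer(@PathVariable @Positive long id,
                                         @Valid @RequestBody TransferRequest request,   // 5. input is validated
                                         java.security.Principal principal) {
        // 6. state-changing action is a POST (not GET), so CSRF protection and
        //    idempotency expectations apply; ownership is checked again in the service
        accounts.transfer(id, request.toAccountId(), request.amountCents(), principal.getName());
        return ResponseEntity.noContent().build();
    }
}
```

The review checklist the comments encode is the substance of the hotspot: who can reach the endpoint, whether the caller is allowed to act on the specific resource, whether untrusted input is validated, and whether the response exposes more than it should. An endpoint that satisfies those points is resolved as safe; one that does not gets fixed, and the fix is a change like the annotations and ownership check above rather than anything the analyzer can apply for you.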
Thank you