java:S4488 FP with @RequestMapping on a class

Make sure to read this post before raising a thread here:

Then tell us:

  • What language is this for? Java
  • Which rule? java:S4488
  • Why do you believe it’s a false-positive/false-negative?
  • Are you using
    • SonarQube Cloud?
    • SonarQube Server / Community Build - which version? SonarQube Server Data Center Edition v2025.2 (105476)
    • SonarQube for IDE - which IDE/version? IntelliJ 2024.3.7 Ultimate Edition
      • in connected mode with SonarQube Server / Community Build or SonarQube Cloud? Yes
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping(path = "/api/potato", produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.ALL_VALUE, method = RequestMethod.GET)
public class MyController {
  // Potato is not shown in the thread; a minimal record so the snippet compiles.
  record Potato(String state) {}

  @GetMapping("/cooked")
  public ResponseEntity<Potato> getCookedPotato() {
    return ResponseEntity.ok(new Potato("cooked")); // wrap the body to match the declared return type
  }
}

Function annotations can be switched from @RequestMapping to @GetMapping, but class annotations cannot - @GetMapping can’t be applied to a class. This mapping defines a base path for the whole class, shortening sub-paths in function annotations. We like keeping method=GET on the class as a safe fallback for any @RequestController functions in the class - unless they define a method, they’re limited to GET.

Hello,

You are right, the rule should not raise for the class annotations. I created a ticket for it.

When you define a default HTTP method at the class level, it gets applied to every endpoint method in that class. This approach requires careful review because combining safe HTTP methods (like GET) with unsafe methods (like POST or DELETE) can introduce security vulnerabilities, as explained in rule S3752.

Best regards,
Lucien
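An added example illustrating the point both posts touch on; it is not part of this thread and not SonarSource's or Spring's own code. It assumes Spring Framework 6 (spring-webmvc, spring-test) and JUnit 5 on the classpath; controller, path and test names are hypothetical. Spring merges the class-level and method-level `method` sets by union (RequestMethodsRequestCondition.combine), so `method = RequestMethod.GET` on the class does restrict a handler that declares no method, but it also widens a `@PostMapping` handler in the same class to accept GET. The second controller shows the narrow form: no method on the class, one explicit verb per handler. The test runs MockMvc in standalone mode, so no Spring Boot application context is needed.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Added example (hypothetical names); not code from the thread or from Spring.
public class ClassLevelMethodTest {

    // The pattern discussed in the thread: method=GET on the class as a "safe fallback".
    @RestController
    @RequestMapping(path = "/api/potato", produces = MediaType.APPLICATION_JSON_VALUE,
            method = RequestMethod.GET)
    public static class WideningController {
        @GetMapping("/cooked")        // class {GET} + method {GET}  -> {GET}
        public String cooked() { return "\"cooked\""; }

        @RequestMapping("/raw")       // class {GET} + no method     -> {GET}: the fallback works here
        public String raw() { return "\"raw\""; }

        @PostMapping("/peel")         // class {GET} + method {POST} -> {GET, POST}, not {POST}
        public String peel() { return "\"peeled\""; }
    }

    // Narrow form: no method at class level, each handler names exactly one verb.
    @RestController
    @RequestMapping(path = "/api/carrot", produces = MediaType.APPLICATION_JSON_VALUE)
    public static class NarrowController {
        @GetMapping("/cooked")
        public String cooked() { return "\"cooked\""; }

        @PostMapping("/peel")
        public String peel() { return "\"peeled\""; }
    }

    // Standalone MockMvc uses the same RequestMappingHandlerMapping as a running app.
    private final MockMvc mvc = MockMvcBuilders
            .standaloneSetup(new WideningController(), new NarrowController())
            .build();

    @Test
    void classLevelGetIsUnionedWithMethodLevelPost() throws Exception {
        mvc.perform(get("/api/potato/cooked")).andExpect(status().isOk());
        mvc.perform(get("/api/potato/raw")).andExpect(status().isOk());
        mvc.perform(post("/api/potato/raw")).andExpect(status().isMethodNotAllowed());
        mvc.perform(post("/api/potato/peel")).andExpect(status().isOk());
        // The surprise: the class-level GET is merged into the POST-only endpoint.
        mvc.perform(get("/api/potato/peel")).andExpect(status().isOk());
    }

    @Test
    void perHandlerVerbsStayNarrow() throws Exception {
        mvc.perform(get("/api/carrot/cooked")).andExpect(status().isOk());
        mvc.perform(post("/api/carrot/peel")).andExpect(status().isOk());
        mvc.perform(get("/api/carrot/peel")).andExpect(status().isMethodNotAllowed());
    }
}
```

The practical check before keeping `method = GET` on a class is therefore whether any handler in that class declares a different verb; if one does, that endpoint now answers GET as well, which is exactly the safe-plus-unsafe mix that S3752 warns about.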