No rule to check for missing global error handler on web pages

SonarQube 6.7.4.

There is no rule available to detect a missing global error handler on web pages (e.g. the <%@page errorPage directive on JSP pages). This might mean that detailed error information may be unintentionally shown to the user, thus exposing critical information.

This is also documented in CWE-544.

Hi @ankurja,

Wouldn’t the <%@page errorPage directive be absent when the error page is specified in the web.xml config file? The rule would then raise a false positive on every file.

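The false-positive concern from the reply above, as an added example that is not part of the original thread and not SonarQube's own code: a check that reports JSP files lacking an errorPage directive only when web.xml declares no catch-all `<error-page>`. The function names, the sample files and the policy for what counts as a catch-all entry are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# <%@ page ... errorPage="..." %> and <%@ page ... isErrorPage="true" %>
HAS_ERROR_PAGE = re.compile(r'<%@\s*page\b[^>]*?\berrorPage\s*=', re.S)
IS_ERROR_PAGE = re.compile(r'<%@\s*page\b[^>]*?\bisErrorPage\s*=\s*["\']true["\']', re.S)

def _local(tag):
    """Strip the XML namespace so namespaced and plain web.xml files both work."""
    return tag.rsplit('}', 1)[-1]

def webxml_has_catch_all(web_xml):
    """True when web.xml declares an <error-page> that covers any uncaught error."""
    if not web_xml:
        return False
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != 'error-page':
            continue
        kids = {_local(c.tag): (c.text or '').strip() for c in el}
        if not kids.get('location'):
            continue
        # Assumed policy: a location-only entry (Servlet 3.0+ default page)
        # or a java.lang.Throwable mapping counts as a global handler.
        if 'error-code' not in kids and 'exception-type' not in kids:
            return True
        if kids.get('exception-type') == 'java.lang.Throwable':
            return True
    return False

def jsps_without_handler(jsps, web_xml=None):
    """Return sorted JSP paths with no errorPage directive and no web.xml fallback."""
    if webxml_has_catch_all(web_xml):
        return []  # the deployment descriptor already covers every page
    return sorted(p for p, src in jsps.items()
                  if not HAS_ERROR_PAGE.search(src) and not IS_ERROR_PAGE.search(src))

# Constructed sample input (not from the thread).
SAMPLE_JSPS = {
    'index.jsp': '<%@ page contentType="text/html" %>\n<h1>Hi</h1>',
    'cart.jsp': '<%@ page errorPage="/error.jsp" %>\n<h1>Cart</h1>',
    'error.jsp': '<%@ page isErrorPage="true" %>\n<h1>Something went wrong</h1>',
}
WEB_XML_404_ONLY = '''<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <error-page><error-code>404</error-code><location>/404.jsp</location></error-page>
</web-app>'''
WEB_XML_CATCH_ALL = '''<web-app>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>
</web-app>'''

if __name__ == '__main__':
    print(jsps_without_handler(SAMPLE_JSPS, WEB_XML_404_ONLY))   # ['index.jsp']
    print(jsps_without_handler(SAMPLE_JSPS, WEB_XML_CATCH_ALL))  # []
```

A 404-only mapping does not suppress the finding, because it leaves uncaught exceptions to the container's default error output.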