Hi @agabrys, @mike12489,
Thank you again for your feedback.
I just wanted to let you know that since SonarJava 5.9 the deprecation on rule S2077 has been removed and it is now a Security Hotspot rule. As explained in the documentation, Security Hotspot rules raise issues on security-sensitive code which needs to be reviewed. The goal of these rules is not to pinpoint real vulnerabilities, but instead to guide security auditors during their code review, thus simplifying their work. Security Hotspot issues do not count in the Quality Gate.
As mentioned by @ganncamp , the new rule S3649 is different in that it is better at finding real vulnerabilities. It uses a taint analysis engine which creates less false positives and explains where the injection comes from. However, just as any other taint analysis engine, it cannot detect every possible injection. Only a “manual secure code review” (see OWASP doc) can do it, which is why we added the concept of Security Hotspots.
Security Hotspot rules are available in SonarQube Community Edition and can be accessed via the Security Report. This is a new feature and we welcome all feedbacks