S3752 @RequestMapping with multiple specified methods


(ddevrien) #1

I agree that not specifying an HTTP method should be a blocking issue, but that shouldn’t be the case if you explicitly specify that both GET and POST are supported. For example, the OpenID-Connect /userinfo endpoint should support both GET and POST requests according to the spec (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).

@RequestMapping(value = "/oauth/userinfo", method = {GET, POST}, produces = APPLICATION_JSON_VALUE)

This will trigger with the message: “Consider narrowing this list of methods to one” (using SonarQube 7.6).

(Adam Gabryś) #2

I don’t understand the problem. The rule says:

In most cases people use only one method, and this is just a reminder “please verify if you need all those methods”. In your case you should mark it as Won't Fix because it is compliant with the specification.


(ddevrien) #3

Hi Adam,

I understand that I can just disable the rule for that specific line of code but I’m not a fan of that.

My suggestion was that the extension “consider narrowing this list of methods to one” should be removed because there are valid scenarios for allowing multiple HTTP methods. If a developer has explicitly indicated the allowed methods, he probably had a reason to do that, so Sonar shouldn’t indicate it as a blocking issue. Maybe separate this check into a separate rule but with a lower severity?