I am trying to write a custom configuration for Java SAST Engine for the @RestQuery annotation. I want to mark parameters annotated with @RestQuery as a source. I cannot figure out how I can do it from the documentation.
Is there a specific way to add annotations as a source in SAST Engine using json custom configuration?
Do I have to dig into the documentation from the library for the consumer of this annotation, and try to add to the SAST Engine config the method that assigns the value to the annotated parameter based on the presence of the annotation?
My aim is to be able to enable sonar rules to detect issues for RestQuery, as it does for QueryParam for example:
That mechanism was intended for naming specific methods, rather than for declaring a pattern for recognition. So what you’re after isn’t currently possible.
Thank you for the response. It is a pity that it’s not possible. It would be great if annotations were supported in a future release, but I don’t know how complicated the implementation would be, so I won’t get my hopes up too high.
Do you confirm you are using SonarQube Enterprise Edition? Which version?
For such an API provided by Quarkus (@RestQuery), I believe Sonar should support it out of the box.
The engine’s customization was designed to support APIs that Sonar can’t know. For example, an internal API only used in your company.
I’ll double check with our AppSec team to see if @RestQuery should be considered out of the box as a “source”.
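To make concrete what the original question is asking for, here is an added example (not code from the thread, from Sonar, or from Quarkus) of a RESTEasy Reactive resource in which the same SQL injection appears twice: once behind a standard JAX-RS @QueryParam, which the SAST engine recognises as a taint source, and once behind a Quarkus @RestQuery parameter, which it only reports if @RestQuery parameters are treated as sources too. The third endpoint shows the parameterised form that removes the sink. The package, the injected DataSource and the users table are assumptions for illustration.

```java
// Added example, not from the original thread. Package name, the injected
// DataSource and the "users" table are assumptions for illustration only.
package org.example.tainted;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
import javax.sql.DataSource;

import org.jboss.resteasy.reactive.RestQuery;

@Path("/users")
public class UserResource {

    @Inject
    DataSource dataSource; // assumed: a configured JDBC datasource

    // 1. Standard JAX-RS @QueryParam: the SAST engine knows this parameter is
    //    attacker-controlled, so the concatenated query below is reported as
    //    SQL injection (rule S3649).
    @GET
    @Path("/by-name-jaxrs")
    public List<String> byNameJaxRs(@QueryParam("name") String name) throws SQLException {
        return runUnsafe("SELECT email FROM users WHERE name = '" + name + "'");
    }

    // 2. RESTEasy Reactive @RestQuery (parameter name taken from the Java
    //    parameter): identical data flow and identical bug, but unless the
    //    engine treats @RestQuery parameters as sources, nothing is reported.
    //    This is the gap the question wants to close through configuration.
    @GET
    @Path("/by-name-reactive")
    public List<String> byNameReactive(@RestQuery String name) throws SQLException {
        return runUnsafe("SELECT email FROM users WHERE name = '" + name + "'");
    }

    // 3. Safe form: the untrusted value is bound as a statement parameter and
    //    never concatenated into the query text, so no injection sink exists.
    @GET
    @Path("/by-name-safe")
    public List<String> byNameSafe(@RestQuery String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString(1));
                }
            }
        }
        return emails;
    }

    // Shared sink for endpoints 1 and 2: executes query text that was built
    // by string concatenation from request input.
    private List<String> runUnsafe(String sql) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                emails.add(rs.getString(1));
            }
        }
        return emails;
    }
}
```

A quick way to check whether a given SonarQube version already treats @RestQuery as a source is to scan a project containing endpoints 1 and 2 and compare the findings: if only the @QueryParam endpoint is flagged, the @RestQuery path is invisible to the engine, which is exactly the situation described in the thread.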