Security hotspot in web.api

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) -
    Sonar Version 8.4.1
  • what are you trying to achieve
    We are using sonar for static code analysis of our application
  • what have you tried so far to achieve this
    We are facing an issue with one of the security hotspots raised for our code.
    For this line:
    ```csharp
    var identity = new ClaimsIdentity(context.Options.AuthenticationType);
    ```
    The error message shown is: "Make sure that permissions are controlled safely here."
    As per our research, use of ClaimsIdentity is safe and it has been used widely. Please suggest if there is any fix for this.

Hi Ujjawala,

Welcome to the community!
First of all, let me clarify that a Security Hotspot is not equivalent to an “Error”. It is an area in your code to which we want to bring your attention due to a potential security threat, and we ask you to manually review it, since SonarQube cannot decide on its own whether this is an actual threat in your context or not.

I’d like to invite you to read our documentation on Security Hotspots here. If you deem this as safe after investigation, you would need to mark this as “Safe” manually in the Security Hotspot Review pane under your project.

If you have further questions please clarify what programming language you are working with. Otherwise I am confident the above should help.

Best,
Daniel
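A worked illustration of what the manual review of that hotspot should check, added here as an example and not taken from either post or from SonarSource's own material: the hotspot sits at the place where an identity's permissions are assembled, so the reviewer's question is where the claims added to the `ClaimsIdentity` come from, not whether the constructor itself is safe. The in-memory user store, the `Bearer` authentication type standing in for `context.Options.AuthenticationType`, and the `BuildFromRequest`/`BuildFromStore` helpers are all constructed for this example; it uses only `System.Security.Claims` and needs no OWIN reference.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed in-memory user store standing in for the database behind the grant handler.
// Plaintext passwords are only for brevity here; a real store holds salted password hashes.
static class UserStore
{
    private static readonly Dictionary<string, (string Password, string[] Roles)> Users =
        new Dictionary<string, (string Password, string[] Roles)>
        {
            ["alice"] = ("correct horse battery staple", new[] { "User" }),
            ["bob"]   = ("hunter2",                     new[] { "User", "Admin" }),
        };

    public static bool TryAuthenticate(string userName, string password, out string[] roles)
    {
        roles = Array.Empty<string>();
        if (userName == null || !Users.TryGetValue(userName, out var record) || record.Password != password)
            return false;
        roles = record.Roles;
        return true;
    }
}

static class IdentityBuilder
{
    // Stands in for context.Options.AuthenticationType in the OWIN handler from the question.
    private const string AuthenticationType = "Bearer";

    // Pattern the hotspot review must rule out: the role is copied from the request body
    // (for example a "role" form field sent alongside the credentials), so any caller can
    // mint an identity carrying whatever permission it asks for.
    public static ClaimsIdentity BuildFromRequest(string userName, string requestedRole)
    {
        var identity = new ClaimsIdentity(AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.Role, requestedRole)); // caller-controlled permission
        return identity;
    }

    // Hardened form: the ClaimsIdentity constructor is unchanged, but every claim that grants
    // permission is derived from the authenticated record, never from the request. Returns null
    // when the credentials do not verify, so no identity is issued at all.
    public static ClaimsIdentity BuildFromStore(string userName, string password)
    {
        if (!UserStore.TryAuthenticate(userName, password, out var roles))
            return null;

        var identity = new ClaimsIdentity(AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}

static class Program
{
    static void Describe(string label, ClaimsIdentity identity)
    {
        if (identity == null)
        {
            Console.WriteLine($"{label}: no identity issued");
            return;
        }
        var principal = new ClaimsPrincipal(identity);
        var roles = string.Join(",", identity.FindAll(ClaimTypes.Role).Select(c => c.Value));
        Console.WriteLine($"{label}: name={identity.Name} roles=[{roles}] isAdmin={principal.IsInRole("Admin")}");
    }

    static void Main()
    {
        // alice is only a "User" on record, but the request-driven builder lets her claim "Admin".
        Describe("request-driven", IdentityBuilder.BuildFromRequest("alice", "Admin"));

        // The store-driven builder issues only the roles on record, and nothing for bad credentials.
        Describe("store-driven  ", IdentityBuilder.BuildFromStore("alice", "correct horse battery staple"));
        Describe("bad password  ", IdentityBuilder.BuildFromStore("alice", "wrong"));
    }
}
```

If the handler behind the flagged line looks like `BuildFromStore` (credentials verified first, claims taken from the verified record), marking the hotspot as “Safe” is justified; if any claim value can be traced back to the request, the hotspot has found a real problem regardless of how widely `ClaimsIdentity` is used elsewhere.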

A post was split to a new topic: Retrieve Security Hotspots through Web API