squid:S4684 (Persistent entities should not be used as arguments of “@RequestMapping” methods) false-positive on @AuthenticationPrincipal annotated arguments

versions used

  • SonarQube Community Edition - Version 8.9.3 (build 48735)
  • sonar-maven-plugin:3.9.0.2155

Hi,

in this scenario the scanner detects an issue on the rule squid:S4684 (Persistent entities should not be used as arguments of “@RequestMapping” methods)

import javax.persistence.Entity;
import org.springframework.security.core.userdetails.UserDetails;

@Entity
public class User implements UserDetails {
  String username;
  // ...
}

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {
  @RequestMapping("/greet")
  public void greet(@AuthenticationPrincipal User user) {
    // do something with User
  }
}

This does effectivly the same and no issue is raised:

@RestController
public class MyController {
  @RequestMapping("/greet")
  public void greet(Authentication user) {
    var user = (User)authentication.getPrincipal();
  }
}

@AuthenticationPrincipal annotated arguments are resolved by @AuthenticationPrincipalArgumentResolver. For my understanding using an @Entity user should be safe here and the detected issue is a false-positive.