Even though I am still learning whitelisting, this is first a conceptual question: We have code running in a docker compose instance that sits behind an nginx proxy. In other words, this code exposes itself as http traffic inside the docker network that was created for the instance, which is then exposed to the outside network as https traffic by the nginx proxy. As a result we want to whitelist it, but what would be the proper way to do that? I cannot just do a blanket “whitelist all http: traffic” since there may be code in one of our repos which had better be flagged. Should this then be done on a per-case basis?
It’s not clear to me what this question has to do with SonarQube – is there a particular rule that is raising an issue on your code?
How do I find which rule created the "Using http protocol is insecure. Use https instead" issue?
It is hotspot S5332. If you review the hotspot it should not show up anymore.
Thank you for the reply. How did you find out it was hotspot S5332? So, is the only way to deal with this on a per case basis?
You’re welcome. In this case I used Google to find it on https://rules.sonarsource.com. For Bugs, Code Smells, & Vulnerabilities the rule id shows up in the details window, but since Hotspots have their own workflow, this information is not visible there.
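The thread leaves the "per case basis" question at "review the hotspot". The script below is an added example, not code from the thread or from SonarSource, that shows what such a per-case review can be based on: it scans constructed source lines for `http://` URLs (the pattern S5332 reports) and separates the ones that only cross the Compose network (host is a Compose service name or loopback, so nginx terminates TLS in front of it) from the ones that go to an outside host and should be fixed rather than whitelisted. The service names, the sample lines and the helper names are all assumptions made for this example; marking a hotspot "Safe" in SonarQube is still a manual decision that should only be taken after confirming that nginx really does terminate TLS and that the Compose network is not reachable from outside.

```python
"""Triage helper for S5332 ("Using clear-text protocols is security-sensitive")
hotspots in a Docker Compose service that sits behind an nginx TLS proxy.

Added example for the discussion above; not SonarSource or SonarQube code.
Assumptions: the Compose service names below, the loopback rule, and the
sample source lines are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: service names from a hypothetical docker-compose.yml.  Inside
# the Compose network these resolve only for other containers on that network.
COMPOSE_SERVICES = frozenset({"api", "worker", "db", "nginx"})

# Matches the URL literals S5332 complains about (and https ones, which we skip).
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def classify_cleartext_url(url: str, services=COMPOSE_SERVICES) -> str:
    """Classify one URL literal for hotspot review.

    Returns one of:
      "ok"            scheme is not clear-text http, nothing to review
      "internal-http" http to a Compose service or loopback address; candidate
                      for marking the hotspot Safe after checking that nginx
                      terminates TLS in front of it
      "external-http" http to any other host (including private LAN IPs,
                      treated conservatively); should be fixed, not whitelisted
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return "ok"
    host = (parts.hostname or "").lower()
    if host in services:
        return "internal-http"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "internal-http"
    except ValueError:
        pass  # not an IP literal: a DNS name that is not a Compose service
    return "external-http"


def triage_source(lines, services=COMPOSE_SERVICES):
    """Scan source lines and return (line_no, url, verdict) for every
    clear-text http URL, skipping https URLs entirely."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            verdict = classify_cleartext_url(url, services)
            if verdict != "ok":
                findings.append((line_no, url, verdict))
    return findings


# Constructed sample source lines standing in for code SonarQube would scan.
SAMPLE_SOURCE = [
    'BACKEND = "http://api:8000/v1"',              # hop inside the Compose network
    'PUBLIC = "https://example.com/v1"',           # https: not a hotspot
    'LEGACY = "http://example.com/legacy"',        # clear-text to the outside
    'HEALTH = "http://127.0.0.1:8000/healthz"',    # loopback inside the container
]


if __name__ == "__main__":
    for line_no, url, verdict in triage_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {url} -> {verdict}")
```

Run it against real sources by feeding `triage_source` the lines of each file flagged in the hotspot list; only the `internal-http` findings are candidates for a "Safe" review, and each of those is still reviewed and marked individually in SonarQube, since the hotspot workflow has no "whitelist all http" switch.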