Why is struts 2 rule java:S4531 deprecated?

Hotspot rule java:S4531 (“Using setters in Struts 2 ActionSupport is security-sensitive”) is marked deprecated (and may have been deleted already). A dev working on Struts2 asked why, as he seems to feel the concern is legitimate.

Is it deprecated because Struts2 has been improved to where setters are no longer an issue? Or is it a case of merging this with a broader rule that should be a superset of this rule? (I hope it’s not one of those cases I’ve complained about – e.g., [SONARJAVA-4017] - Jira – of replacing a specific, reliable rule with a general, but unreliable, rule.) Or is it just “McCoy’s Law” (“I know engineers, they LOVE to change things.” :) )

Any rule deprecation should be accompanied by the reason for the deprecation.

Hello @MisterPi,

Thanks for the feedback. Indeed, for future deprecations, we will consider adding more context to the rule’s documentation to explain the reasoning.

In this particular case, over the last few years, we have greatly improved our dedicated security engine, which leverages taint flow analysis to detect security issues more reliably. As a result, we deprecated a collection of less sophisticated hotspot rules, to reduce the noise they generate for our users.


Ah, so it sounds like the opposite of my earlier complaint. You’re replacing a generic “this COULD be risky” rule with specific analysis to determine whether or not a use is ACTUALLY a vulnerability?

Exactly. While the old rules did not check whether a “risky” library endpoint was actually used in a problematic way, the new security engine does exactly that and intends to only raise an issue iff the library endpoint is used in a way that allows for some form of injection by an attacker.
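To make the distinction in that reply concrete, here is an added example (not code from the thread or from SonarSource) of a Struts 2 action whose setters are populated from request parameters by the params interceptor. The old hotspot rule would have flagged both setters purely because they exist on an ActionSupport subclass; a taint-flow engine follows each value from the setter to the place it is used and only reports the flow that actually reaches an injectable sink. The class, package, table and column names are hypothetical, and the snippet assumes struts2-core and a JDBC driver on the classpath; how the Connection is obtained is left to the application.

```java
// Added example, not from the original thread. Package, class, table and
// column names are hypothetical; assumes struts2-core and JDBC on the classpath.
package com.example.struts;

import com.opensymphony.xwork2.ActionSupport;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class UserLookupAction extends ActionSupport {

    // Fixed allow-list of column names that may appear in ORDER BY.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("name", "created_at");

    private String username;    // attacker-controlled: bound from ?username=
    private String sortColumn;  // attacker-controlled: bound from ?sortColumn=

    // The deprecated hotspot rule S4531 reported every setter on an
    // ActionSupport subclass, harmless and dangerous alike, because it only
    // looked at the shape of the code, not at where the value ends up.
    public void setUsername(String username) { this.username = username; }
    public void setSortColumn(String sortColumn) { this.sortColumn = sortColumn; }

    // VULNERABLE: the tainted "username" value is concatenated into SQL text
    // that is executed. A taint-flow engine tracks
    // setUsername -> this.username -> string concatenation -> executeQuery
    // and reports a SQL injection here.
    String lookupVulnerable(Connection conn) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // SAFE: the same tainted value is passed as a bound parameter, so it never
    // becomes part of the SQL text. The setter is identical to the one above;
    // only the sink differs, which is exactly what a syntactic rule cannot see.
    String lookupSafe(Connection conn) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ? ORDER BY " + safeSortColumn();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Column names cannot be bound as parameters, so "sortColumn" is checked
    // against the constant allow-list before it is concatenated. The value
    // reaching the SQL text is one of the constants (or the default), not the
    // raw request parameter, so there is no attacker-controlled flow into the sink.
    String safeSortColumn() {
        return SORTABLE_COLUMNS.contains(sortColumn) ? sortColumn : "name";
    }
}
```

The useful comparison is between the two lookup methods: same setter, same field, different sink. A rule keyed on the setter alone cannot separate them, which is the noise the reply above refers to; an engine that follows the data from the setter to the sink reports only `lookupVulnerable`.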
