SONARJAVA-3376

Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.9
    • Component/s: Rules
    • Labels: None

    Description

    Based on several discussions, such as in the community forum, this rule is:

    • changed to Security Hotspot
    • given a new title/description/message/code examples

    Small improvement to the detection behaviour: the rule should raise only when:

    • no method is defined for a RequestMapping annotation (already the case):
      @RequestMapping("/greet")  // Sensitive

    • safe methods (RequestMethod.GET, HEAD, OPTIONS) are mixed with unsafe methods (RequestMethod.POST, PUT, DELETE). Currently the rule raises whenever more than one method is defined:
      @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Sensitive
      @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.HEAD}) // Compliant
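    The following Spring controller is an added illustration of the three cases above and is not code from the ticket or from SonarJava. It pairs each Sensitive mapping with a Compliant alternative (separate @GetMapping/@PostMapping/@DeleteMapping handlers, so a state-changing action is never reachable through a plain GET link), and it includes a hypothetical helper, isSensitive, that encodes the decision rule described in the ticket. The helper treats every method outside the safe set {GET, HEAD, OPTIONS} as unsafe, which goes slightly beyond the three unsafe methods the ticket lists; the class and method names are assumptions for this example.

```java
import java.util.EnumSet;
import java.util.Set;

import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingController {

    // Sensitive: no method restriction, so this handler answers GET, POST, PUT, DELETE, ...
    @RequestMapping("/greet")
    public String greetAnyMethod() {
        return "hello";
    }

    // Sensitive: a safe method (GET) is mixed with an unsafe one (POST); the deletion
    // becomes reachable through a plain link or <img> tag, which is the CSRF concern.
    @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST})
    public String deleteMixed() {
        return "deleted";
    }

    // Compliant: only safe methods are listed, so no state change is exposed to GET-style requests.
    @RequestMapping(path = "/status", method = {RequestMethod.GET, RequestMethod.HEAD})
    public String status() {
        return "ok";
    }

    // Compliant alternative to the mixed mapping: one handler per method,
    // reads on GET and state changes on POST/DELETE only.
    @GetMapping("/items")
    public String listItems() {
        return "[]";
    }

    @PostMapping("/items")
    public String createItem() {
        return "created";
    }

    @DeleteMapping("/items")
    public String deleteItems() {
        return "cleared";
    }
}

/**
 * Hypothetical stand-alone encoding of the ticket's decision rule (not SonarJava's implementation):
 * raise when no method is declared, or when a safe method is mixed with an unsafe one.
 */
class RequestMappingCheck {

    // Safe (read-only) methods as named in the ticket.
    static final Set<RequestMethod> SAFE =
            EnumSet.of(RequestMethod.GET, RequestMethod.HEAD, RequestMethod.OPTIONS);

    static boolean isSensitive(Set<RequestMethod> declared) {
        if (declared.isEmpty()) {
            return true; // no restriction at all: every HTTP method is accepted
        }
        boolean hasSafe = declared.stream().anyMatch(SAFE::contains);
        boolean hasUnsafe = declared.stream().anyMatch(m -> !SAFE.contains(m));
        // Only the combination of safe and unsafe methods on one mapping is reported;
        // {GET, HEAD} or {POST, PUT} alone are not.
        return hasSafe && hasUnsafe;
    }

    public static void main(String[] args) {
        System.out.println(isSensitive(EnumSet.noneOf(RequestMethod.class)));               // true
        System.out.println(isSensitive(EnumSet.of(RequestMethod.GET, RequestMethod.POST))); // true
        System.out.println(isSensitive(EnumSet.of(RequestMethod.GET, RequestMethod.HEAD))); // false
        System.out.println(isSensitive(EnumSet.of(RequestMethod.POST, RequestMethod.PUT))); // false
    }
}
```

    The last case in main is the behavioural change the ticket asks for: two unsafe methods on one mapping used to be reported simply because more than one method was declared, whereas under the new rule only the safe/unsafe mix is a Security Hotspot.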
    People

    • Assignee: Margarita Nedzelska (margarita.nedzelska)
    • Reporter: Eric Therond (eric.therond)
    • Votes: 0
    • Watchers: 2