SonarQube rule: “Using command line arguments is security-sensitive” in Spring Boot application

Backend · unresolved · 3 answers · 2177 views

南旧 2021-01-01 10:57

SonarQube is just showing a Critical security issue in a very basic Spring Boot application, in the main method.

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        // S4823 is raised on this line: the command line arguments are handed on to Spring
        SpringApplication.run(Application.class, args);
    }

}
3 answers

    误落风尘 2021-01-01 11:29

    If you are sure then you can include the following to get rid of the issue.

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;

    @SpringBootApplication
    public class Application {

        public static void main(String[] args) {
            // args is no longer passed to Spring, so the hotspot is not raised
            SpringApplication.run(Application.class);
        }

    }


    It appears this is marked as a security hotspot as per the Sonar documentation. It states:

    Unlike Vulnerabilities, Security Hotspots aren't necessarily issues that are open to attack. Instead, Security Hotspots highlight security-sensitive pieces of code that need to be manually reviewed. Upon review, you'll either find a Vulnerability that needs to be fixed or that there is no threat.

    You can read more about it here: security hotspot

    As per rule RSPEC-4823 (S4823), command line arguments are to be evaluated based on whether:

    • Any of the command line arguments are used without being sanitised first.
    • Your application accepts sensitive information via command line arguments.

    If your application falls into this category, they are definitely a possible security issue for your application.
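The rule leaves two review outcomes. The answer above takes the first one (stop passing `args` to Spring), which also means property overrides such as `--server.port=8081` on the command line are no longer picked up. The second outcome, keeping `args` but validating them before Spring sees them, is shown in the following added example; it is not code from the original post or from SonarSource, and the option allow-list, the `sanitize` method, the port range and the `SENSITIVE_MARKERS` list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Predicate;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {

    // Hypothetical allow-list of the options this service accepts on the
    // command line, each paired with the check its value must pass.
    private static final Map<String, Predicate<String>> ALLOWED_OPTIONS = Map.of(
            "server.port", Application::isValidPort,
            "spring.profiles.active", v -> v.matches("[a-z0-9]+(,[a-z0-9]+)*"));

    // Option names that look like credentials are refused outright: a value on
    // the command line is visible in `ps`, shell history and process dumps.
    private static final List<String> SENSITIVE_MARKERS =
            List.of("password", "secret", "token", "credential");

    private static boolean isValidPort(String value) {
        if (!value.matches("[0-9]{1,5}")) {
            return false;
        }
        int port = Integer.parseInt(value);
        return port >= 1 && port <= 65535;
    }

    /** Returns a copy of args containing only allow-listed, well-formed --name=value options. */
    static String[] sanitize(String[] args) {
        List<String> clean = new ArrayList<>();
        for (String arg : args) {
            if (!arg.startsWith("--")) {
                // Positional arguments are not part of this service's contract.
                throw new IllegalArgumentException("positional arguments are not accepted");
            }
            int eq = arg.indexOf('=');
            String name = eq < 0 ? arg.substring(2) : arg.substring(2, eq);
            String value = eq < 0 ? "" : arg.substring(eq + 1);
            String lower = name.toLowerCase(Locale.ROOT);
            for (String marker : SENSITIVE_MARKERS) {
                if (lower.contains(marker)) {
                    // The value is deliberately not echoed: it may be a real secret.
                    throw new IllegalArgumentException(
                            "sensitive settings must come from the environment or a vault, not argv");
                }
            }
            Predicate<String> check = ALLOWED_OPTIONS.get(name);
            if (check == null || !check.test(value)) {
                // Name and value are caller-controlled; keep them out of the message.
                throw new IllegalArgumentException("unknown option or malformed value");
            }
            clean.add("--" + name + "=" + value);
        }
        return clean.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Only the validated copy reaches Spring, so the S4823 hotspot on this
        // line can be reviewed and marked safe with that justification.
        SpringApplication.run(Application.class, sanitize(args));
    }
}
```

Started as `java -jar app.jar --server.port=8081 --spring.profiles.active=prod`, both options pass and Spring applies them as usual; `--spring.datasource.password=x`, `--foo=bar` or a bare positional argument throws before `SpringApplication.run` is reached, so startup fails closed rather than silently accepting input the reviewer never considered.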
