问题
SonarQube is just showing a Critical security issue in the very basic Spring Boot application. In the main method.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
SonarQube wants me to Make sure that command line arguments are used safely here.
I searched this on both StackOverflow and Google, and I am surprised that I couldn't find any single comment about this issue. I am almost sure that there are some security checks inside the SpringApplication.run method already. And also, I don't even remember that anyone sanitizes the main method arguments before calling SpringApplication.run. I simply want to tag it as false positive and move on.
Part of this question is also asked here: SonarQube shows a secuirty error in Spring Framework controllers and in Spring Framework Application main class
Is it false positive?
回答1:
If you are not using any command-line arguments ,then you could avoid mentioning the args parameter in the run method .Like the below code.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class);
}
}
This will remove sonarqube hotspot issue.
回答2:
It appears this is marked as a security hotspot as per sonar documentation. It states
Unlike Vulnerabilities, Security Hotspots aren't necessarily issues that are open to attack. Instead, Security Hotspots highlight security-sensitive pieces of code that need to be manually reviewed. Upon review, you'll either find a Vulnerability that needs to be fixed or that there is no threat.
You can read more about it here security hotspot
As per this rule RSPEC-4823 or S4823, command line arguments are to be evaluated based on
- Any of the command line arguments are used without being sanitised first.
- Your application accepts sensitive information via command line arguments.
If your application falls into this category they are definitely a possible security issue to your application.
回答3:
No, it is a critical security issue indeed. It's just asking to sanitize the args before using it. There's no need for such a concern on a simple application, but it may be a big matter on a production application.
More details can be found on https://rules.sonarsource.com/java/RSPEC-4823?search=Make%20sure%20that%20command%20line%20arguments%20are%20used%20safely%20here.
来源:https://stackoverflow.com/questions/57809861/sonarqube-rule-using-command-line-arguments-is-security-sensitive-in-spring-b