SonarQube rule: "Using command line arguments is security-sensitive" in Spring Boot application
SonarQube is just showing a Critical security issue in the very basic Spring Boot application. In the main method.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
SonarQube wants me to Make sure that command line arguments are used safely here.
I searched this on both StackOverflow and Google, and I am surprised that I couldn't find any single comment about this issue. I am almost sure that there are some security checks inside the SpringApplication.run method already. And also, I don't even remember that anyone sanitizes the main method arguments before calling SpringApplication.run. I simply want to tag it as false positive and move on.
Part of this question is also asked here: SonarQube shows a secuirty error in Spring Framework controllers and in Spring Framework Application main class
Is it false positive?
Answer
If you are not using any command-line arguments ,then you could avoid mentioning the args parameter in the run method .Like the below code.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class);
}
}
This will remove sonarqube hotspot issue.