Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 49 rules found

spring

Impact

Clean code attribute

Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract
Code Smell
Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
Code Smell
@EventListener methods should have one parameter at most
Bug
"@Scheduled" annotation should only be applied to no-arg methods
Bug
@InitBinder methods should have void return type
Code Smell
"@Cache*" annotations should only be applied on concrete classes
Code Smell
@Cacheable and @CachePut should not be combined
Code Smell
Injecting data into static fields is not supported by Spring
Code Smell
Use appropriate @DirtiesContext modes
Code Smell
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Qualifier" should not be used on "@Bean" methods
Bug
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
"@Value" annotation should inject property or SpEL expression
Code Smell
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
A new session should be created during user authentication
Vulnerability
Allowing user enumeration is security-sensitive
Security Hotspot
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
Spring beans should be considered by "@ComponentScan"
Code Smell
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Composed "@RequestMapping" variants should be preferred
Code Smell
Spring components should use constructor injection
Code Smell
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
"@RequestMapping" methods should not be "private"
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Members of Spring components should be injected
Code Smell
Constructor injection should be used instead of field injection
Bug
Factory method injection should be used in "@Configuration" classes
Code Smell
Methods with Spring proxying annotations should be public
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot

Disabling CSRF protections is security-sensitive

consistency - conventional

security

Security Hotspot

cwe
spring

A cross-site request forgery (CSRF) attack occurs when a trusted user of a web application can be forced, by an attacker, to perform sensitive actions that he didn’t intend, such as updating his profile or sending a message, more generally anything that can change the state of the application.

The attacker can trick the user/victim to click on a link, corresponding to the privileged action, or to visit a malicious web site that embeds a hidden web request and as web browsers automatically include cookies, the actions can be authenticated and sensitive.

Ask Yourself Whether

The web application uses cookies to authenticate users.
There exist sensitive operations in the web application that can be performed when the user is authenticated.
The state / resources of the web application can be modified by doing HTTP POST or HTTP DELETE requests for example.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Protection against CSRF attacks is strongly recommended:
- to be activated by default for all unsafe HTTP methods.
- implemented, for example, with an unguessable CSRF token
Of course all sensitive operations should not be performed with safe HTTP methods like GET which are designed to be used only for information retrieval.

Sensitive Code Example

Spring Security provides by default a protection against CSRF attacks which can be disabled:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable(); // Sensitive: csrf protection is entirely disabled
   // or
    http.csrf().ignoringAntMatchers("/route/"); // Sensitive: csrf protection is disabled for specific routes
  }
}

Compliant Solution

Spring Security CSRF protection is enabled by default, do not disable it:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // http.csrf().disable(); // Compliant
  }
}

See

OWASP - Top 10 2021 Category A1 - Broken Access Control
CWE - CWE-352 - Cross-Site Request Forgery (CSRF)
OWASP - Top 10 2017 Category A6 - Security Misconfiguration
OWASP - Cross-Site Request Forgery
STIG Viewer - Application Security and Development: V-222603 - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.
PortSwigger - Web storage: the lesser evil for session tokens

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted