Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 40 rules found

spring

Impact

Clean code attribute

"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
A new session should be created during user authentication
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Disabling CSRF protections is security-sensitive
Security Hotspot
Factory method injection should be used in "@Configuration" classes
Code Smell
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
"@Qualifier" should not be used on "@Bean" methods
Bug
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
Methods with Spring proxying annotations should be public
Bug
Allowing user enumeration is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Value" annotation should inject property or SpEL expression
Code Smell
"@RequestMapping" methods should not be "private"
Code Smell
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
Composed "@RequestMapping" variants should be preferred
Code Smell
Spring beans should be considered by "@ComponentScan"
Code Smell
Members of Spring components should be injected
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Constructor injection should be used instead of field injection
Bug
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
Spring components should use constructor injection
Code Smell

Persistent entities should not be used as arguments of "@RequestMapping" methods

consistency - conventional

security

Vulnerability

CriticalSonarSource default severity
click to learn more

cwe
spring

With Spring, when a request mapping method is configured to accept bean objects as arguments, the framework will automatically bind HTTP parameters to those objects' properties. If the targeted beans are also persistent entities, the framework will also store those properties in the storage backend, usually the application’s database.

Why is this an issue?

How can I fix it?

More Info

By accepting persistent entities as method arguments, the application allows clients to manipulate the object’s properties directly.

What is the potential impact?

Attackers could forge malicious HTTP requests that will alter unexpected properties of persistent objects. This can lead to unauthorized modifications of the entity’s state. This is known as a mass assignment attack.

Depending on the affected objects and properties, the consequences can vary.

Privilege escalation

If the affected object is used to store the client’s identity or permissions, the attacker could alter it to change their entitlement on the application. This can lead to horizontal or vertical privilege escalation.

Security checks bypass

Because persistent objects are modified directly without prior logic, attackers could exploit this issue to bypass security measures otherwise enforced by the application. For example, an attacker might be able to change their e-mail address to an invalid one by directly setting it without going through the application’s email validation process.

The same could also apply to passwords that attackers could change without complexity validation or knowledge of their current value.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted