问题描述
SonarQube 只是在非常基本的 Spring Boot 应用程序中显示了一个严重的安全问题.在 main 方法中.
SonarQube is just showing a Critical security issue in the very basic Spring Boot application. In the main method.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
SonarQube 要我确保在此处安全使用命令行参数.
SonarQube wants me to Make sure that command line arguments are used safely here.
我在 StackOverflow 和 Google 上都搜索了这个,我很惊讶我找不到任何关于这个问题的评论.我几乎可以肯定 SpringApplication.run
方法内部已经进行了一些安全检查.而且,我什至不记得有人在调用 SpringApplication.run
之前清理了主要方法参数.我只是想将其标记为 误报 并继续.
I searched this on both StackOverflow and Google, and I am surprised that I couldn't find any single comment about this issue. I am almost sure that there are some security checks inside the SpringApplication.run
method already. And also, I don't even remember that anyone sanitizes the main method arguments before calling SpringApplication.run
. I simply want to tag it as false positive and move on.
这里也提出了这个问题的一部分:SonarQube 在 Spring Framework 控制器和 Spring Framework Application 主类中显示安全错误
Part of this question is also asked here: SonarQube shows a secuirty error in Spring Framework controllers and in Spring Framework Application main class
是误报吗?
推荐答案
如果你没有使用任何命令行参数,那么你可以避免在run方法中提及args参数.就像下面的代码.
If you are not using any command-line arguments ,then you could avoid mentioning the args parameter in the run method .Like the below code.
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class);
}
}
这将消除声纳热点问题.
This will remove sonarqube hotspot issue.
这篇关于SonarQube 规则:“使用命令行参数是安全敏感的";在 Spring Boot 应用程序中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!