问题描述

SonarQube 只是在非常基本的 Spring Boot 应用程序中显示了一个严重的安全问题.在 main 方法中.

SonarQube is just showing a Critical security issue in the very basic Spring Boot application. In the main method.

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}

SonarQube 要我确保在此处安全使用命令行参数.

SonarQube wants me to Make sure that command line arguments are used safely here.

我在 StackOverflow 和 Google 上都搜索了这个，我很惊讶我找不到任何关于这个问题的评论.我几乎可以肯定 SpringApplication.run 方法内部已经进行了一些安全检查.而且，我什至不记得有人在调用 SpringApplication.run 之前清理了主要方法参数.我只是想将其标记为 误报 并继续.

I searched this on both StackOverflow and Google, and I am surprised that I couldn't find any single comment about this issue. I am almost sure that there are some security checks inside the SpringApplication.run method already. And also, I don't even remember that anyone sanitizes the main method arguments before calling SpringApplication.run. I simply want to tag it as false positive and move on.

这里也提出了这个问题的一部分:SonarQube 在 Spring Framework 控制器和 Spring Framework Application 主类中显示安全错误

Part of this question is also asked here: SonarQube shows a secuirty error in Spring Framework controllers and in Spring Framework Application main class

是误报吗?

推荐答案

如果你没有使用任何命令行参数，那么你可以避免在run方法中提及args参数.就像下面的代码.

If you are not using any command-line arguments ,then you could avoid mentioning the args parameter in the run method .Like the below code.

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }

}

这将消除声纳热点问题.

This will remove sonarqube hotspot issue.

这篇关于SonarQube 规则:“使用命令行参数是安全敏感的"；在 Spring Boot 应用程序中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！