Skip to content

How to SupressWarnings for Sonar Security Hotspots?

I’m getting a Sonar CSRF Security Hotspot complaint on a Spring Boot code with Spring Security enabled that needs to be reviewed every then and now, and I would like to suppress the hotspot from the code as in

  • @SuppressWarnings(“squid:x”)
  • sonar.cpd.exclusions
  • sonar.coverage.exclusions

but as it it not a rule it has no id, at least on the screen

How can I silence this warning on the server from the code?

Answer

Sonarlint/SonarQube allows you to use comments for disabling analysis in specific lines. In order to do this, you can just add a comment with the text NOSONAR in the same line:

Random rand=new Random();//NOSONAR not used in secure contexts

Aside from this, you can mark Security Hotspots as resolved in the web Dashboard of SonarQube. In order to do this, you need to navigate to the Security Hotspot and mark it as not an issue. You might even want to disable that specific type of Security Hotspot entirely if it is generally not applicable for your project.