SonarQube rule: "Using command line arguments is security-sensitive" in Spring Boot application

If you are not using any command-line arguments ,then you could avoid mentioning the args parameter in the run method .Like the below code.

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }

}

This will remove sonarqube hotspot issue.


If you are sure then you can include the following to get rid of the issue.

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class);
    }

}

It appears this is marked as a security hotspot as per sonar documentation. It states

Unlike Vulnerabilities, Security Hotspots aren't necessarily issues that are open to attack. Instead, Security Hotspots highlight security-sensitive pieces of code that need to be manually reviewed. Upon review, you'll either find a Vulnerability that needs to be fixed or that there is no threat.

You can read more about it here security hotspot

As per this rule RSPEC-4823 or S4823, command line arguments are to be evaluated based on

  • Any of the command line arguments are used without being sanitised first.
  • Your application accepts sensitive information via command line arguments.

If your application falls into this category they are definitely a possible security issue to your application.


No, it is a critical security issue indeed. It's just asking to sanitize the args before using it. There's no need for such a concern on a simple application, but it may be a big matter on a production application.

More details can be found on https://rules.sonarsource.com/java/RSPEC-4823?search=Make%20sure%20that%20command%20line%20arguments%20are%20used%20safely%20here.