From 99f0f0be7cc540dd32aacc770468d73444bcfb18 Mon Sep 17 00:00:00 2001
From: Bruno Sakoto
Date: Wed, 10 Mar 2021 13:13:50 -0500
Subject: Suppress csrf sonar security hotspot warning

Issue-ID: CPS-285
Signed-off-by: Bruno Sakoto
Change-Id: I95d2b7d48714d21e2cdcaab36f3ba9903f0b5342
---
 cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'cps-rest/src/main/java')

diff --git a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 943e02c27..553834111 100644
--- a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -44,6 +44,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     private static final String USER_ROLE = "USER";
 
     @Override
+    // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
+    // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
+    // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
+    // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
+    @SuppressWarnings("squid:S4502")
     protected void configure(final HttpSecurity http) throws Exception {
         http
             .csrf().disable()
-- 
cgit 1.2.3-korg
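Review bot: The justification added above `configure` rests on CPS being session-less with the credential sent explicitly on every request, but nothing in the hunk enforces that, so the CSRF exemption holds only by convention and would silently become unsafe if a later change introduced session-backed authentication. The same `http` chain that calls `.csrf().disable()` can pin the assumption by adding `.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` so the comment's premise is checked by configuration rather than by the reader; the rest of the chain and the body of `configure` lie outside the hunk, so it may already be there and should be confirmed. As a point of style, the four explanatory lines sit between `@Override` and `@SuppressWarnings`, splitting the annotation group; placing the comment above `@Override` keeps the annotations contiguous. The rule key `"squid:S4502"` is the legacy form and may need to become `"java:S4502"` on newer SonarJava versions for the suppression to take effect, which is worth verifying against the project's Sonar setup.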