I am currently working on a prototype project that has a frontend built with Apache Wicket and uses a web.xml file. Since we are prototyping, we don't have any requirements or need to implement any security related features yet. That being said, the project as a whole uses SonarQube for enforcing coding standards, one of which is "Add security-constraint elements to this descriptor" in my web.xml file.
I thought I could simply add in an empty tag, e.g. <security-constraint></security-constraint>, to the file, which satisfies the Sonar rule, but a team member said I shouldn't do this because an empty tag is not the same as no tag at all, and that it can bring in a bunch of default constraints that may break things. I've googled this but I've only been able to find information relating to the sub tags of security-constraint, i.e. <web-resource-collection>, <auth-constraint> etc., which say they can bring in default values if left empty.
I have actually added the empty <security-constraint></security-constraint> to my xml file to test this and seen no side effects from doing so, but I'm wondering if this is actually true or whether I have brought in a bunch of default security constraints without knowing it.
I'm also aware I shouldn't just add things to the project to please Sonar, but as I mentioned in a comment below, the reality of the situation is that upper management use Sonar as a way to view project statuses. If it's failing, they don't really care why; they just want it to go green.
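The question turns on what an empty <security-constraint> element means. In the Servlet specification's web-app schema a security-constraint must contain at least one <web-resource-collection>, so an empty element is not schema-valid, and because it names no URL pattern it constrains nothing; whether the container complains depends on whether it validates the descriptor against the schema. The sub-elements are where the "empty is not the same as absent" rule really applies: no <auth-constraint> means no authentication is required for the covered URLs, while a present but empty <auth-constraint/> denies access to everyone. The following is an added example, not code from the question, from the asker's project or from any answer: a small Python linter that reads a web.xml and reports what each security-constraint actually does, run over two constructed descriptors (the empty element from the question, and one whose constraints mean something). The javaee namespace, URL patterns and the role name are assumptions made for the example.

```python
# Added example (not from the question or any answer): a small linter that
# reads a web.xml and reports what each <security-constraint> does, following
# the Servlet specification rules. Both descriptors below are constructed for
# this example; the namespace, URL patterns and role name are assumptions.
import xml.etree.ElementTree as ET

# Constructed input 1: the empty element from the question.
EMPTY_DESCRIPTOR = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint></security-constraint>
</web-app>"""

# Constructed input 2: an admin area that needs the (assumed) "admin" role
# over HTTPS, plus a deny-all constraint on the TRACE method for every URL.
HARDENED_DESCRIPTOR = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of every direct child named `name`."""
    return [(c.text or "").strip() for c in _children(elem, name)]


def describe_constraints(web_xml):
    """One dict per <security-constraint>: what it covers, who may access it,
    what transport it demands, and which specification rules it trips."""
    root = ET.fromstring(web_xml)
    deny_uncovered = bool(_children(root, "deny-uncovered-http-methods"))
    results = []
    for sc in _children(root, "security-constraint"):
        # "auth": "none" means no <auth-constraint>, i.e. no login required.
        info = {"patterns": [], "methods": [], "auth": "none",
                "transport": "NONE", "problems": []}
        collections = _children(sc, "web-resource-collection")
        # The schema requires at least one <web-resource-collection>; without
        # one the constraint names no URL and therefore constrains nothing.
        if not collections:
            info["problems"].append(
                "no <web-resource-collection>: invalid against the web-app "
                "schema and covers no URL")
        for wrc in collections:
            info["patterns"] += _texts(wrc, "url-pattern")
            info["methods"] += _texts(wrc, "http-method")
        # Naming specific methods leaves every other method on those patterns
        # uncovered (unconstrained) unless <deny-uncovered-http-methods/> is set.
        if info["methods"] and not deny_uncovered:
            info["problems"].append(
                "only %s constrained; other methods on these patterns are "
                "uncovered" % ", ".join(info["methods"]))
        auth = _children(sc, "auth-constraint")
        if auth:
            roles = _texts(auth[0], "role-name")
            # Present but empty <auth-constraint/> means nobody may access.
            info["auth"] = roles if roles else "deny-all"
        udc = _children(sc, "user-data-constraint")
        if udc:
            guarantee = _texts(udc[0], "transport-guarantee")
            info["transport"] = guarantee[0] if guarantee else "NONE"
        results.append(info)
    return results


if __name__ == "__main__":
    for label, doc in (("empty", EMPTY_DESCRIPTOR), ("hardened", HARDENED_DESCRIPTOR)):
        for n, c in enumerate(describe_constraints(doc), 1):
            print(label, n, c)
```

Run against the empty descriptor the linter reports one constraint with no URL patterns and a single problem (no web-resource-collection), which is what "satisfies the rule but constrains nothing" looks like; against the second descriptor it shows the admin constraint requiring the admin role over CONFIDENTIAL transport, and the TRACE constraint as deny-all with a note that the other methods on /* are uncovered, which in that case is intended.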