All methods of a @Controller object annotated with @RequestMapping (or any of its variants such as @GetMapping, @PostMapping, @PutMapping, @PatchMapping and @DeleteMapping) are remotely reachable. Each of these exposed methods should be reviewed to make sure an attacker cannot abuse it.

This rule exists so that a security auditor can quickly locate potential hotspots to review.

Noncompliant Code Example

@Controller
public class ProfileController {
    @RequestMapping(path = "/profile", method = RequestMethod.GET) // Noncompliant
    public UserProfile getUserProfile(String name) {
        ...
    }
}
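As an added example, not part of the rule text or of SonarSource's own implementation, the following Python script applies the rule's logic to Java source: it lists every method of a @Controller class that carries one of the mapping annotations named above, together with the declared path, so an auditor has the review list in hand. It assumes one class per file and, as noted in the code, treats @RestController like @Controller; the Java snippet it scans is constructed for the example.

```python
import re

# The annotations the rule names: @RequestMapping and its shortcut variants.
MAPPING_ANNOTATIONS = ("RequestMapping", "GetMapping", "PostMapping",
                       "PutMapping", "PatchMapping", "DeleteMapping")
MAPPING_RE = re.compile(r"@(?:%s)\b(?:\s*\((?P<args>[^)]*)\))?" % "|".join(MAPPING_ANNOTATIONS))
# Assumption: @RestController counts as a controller (Spring meta-annotates it with @Controller).
CONTROLLER_RE = re.compile(r"^@(?:Controller|RestController)\b")
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
# A method declaration: optional modifier, return type, then `name(`.
METHOD_RE = re.compile(r"^\s*(?:public|protected|private)?\s*[\w<>\[\],\s]+?\s+(\w+)\s*\(")
PATH_RE = re.compile(r'"([^"]*)"')


def find_exposed_endpoints(java_source):
    """Return (line, class, method, paths) for each mapped method of a @Controller class."""
    hotspots = []
    pending_controller = False  # saw @Controller, waiting for the class line
    controller = None           # enclosing controller class name, if any
    pending = None              # (line_no, paths) of a mapping awaiting its method
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        s = line.strip()
        if CONTROLLER_RE.match(s):
            pending_controller = True
        elif CLASS_RE.search(s):
            controller = CLASS_RE.search(s).group(1) if pending_controller else None
            pending_controller = False
        elif MAPPING_RE.search(s) and controller:
            args = MAPPING_RE.search(s).group("args") or ""
            pending = (line_no, PATH_RE.findall(args) or ["<unspecified>"])
        elif pending and s and not s.startswith("@"):
            m = METHOD_RE.match(line)  # skip stacked annotations, take the method line
            if m:
                hotspots.append((pending[0], controller, m.group(1), pending[1]))
            pending = None
    return hotspots

# Constructed sample source, not taken from any real project.
SAMPLE_JAVA = """\
@Controller
public class ProfileController {
    @RequestMapping(path = "/profile", method = RequestMethod.GET)
    public UserProfile getUserProfile(String name) { return null; }
    @PostMapping("/profile")
    @ResponseBody
    public UserProfile updateProfile(@RequestBody UserProfile p) { return p; }
}
class NotAController {
    @GetMapping("/ignored")
    public String ignored() { return ""; }
}
"""
```

Running `find_exposed_endpoints(SAMPLE_JAVA)` reports the two methods of ProfileController and ignores the mapping on the class that is not a controller.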

See