Will It Vibe logoWill It Vibe?
SPRING-007Low severity-4 points

Inconsistent @RequestBody validation in a controller

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

This controller validates at least one @RequestBody with @Valid/@Validated but leaves another @RequestBody parameter unvalidated, so unchecked input reaches the handler on some endpoints but not others. Heuristic: it cannot see whether that particular endpoint validates by hand instead.

Why it matters

This controller validates at least one @RequestBody with @Valid/@Validated but leaves another parameter unvalidated, so the team clearly knows the pattern and uses it inconsistently. Unchecked input on the unvalidated endpoint reaches the handler with no schema check, while a nearly identical endpoint next to it is protected.

How to fix it

Add @Valid (or @Validated) to the unvalidated @RequestBody parameter, and add the corresponding Bean Validation annotations to its DTO class if they are not already there. If the endpoint truly validates by hand elsewhere in the method body, a short comment noting that keeps the next reader from re-flagging it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks