Are there side effects of having an empty security-constraint tag in your web.xml file?


I am currently working on a prototype project that has a frontend built with Apache Wicket and uses a web.xml file. Since we are prototyping, we don't have any requirements or need to implement any security-related features yet. That being said, the project as a whole uses SonarQube for enforcing coding standards, one of which is "Add security-constraint elements to this descriptor" in my web.xml file.

I thought I could simply add in an empty tag e.g. <security-constraint></security-constraint> to the file, which satisfies the sonar rule, but a team member said I shouldn't do this because an empty tag is not the same as no tag at all, and that it can bring in a bunch of default constraints that may break things. I've googled this but I've only been able to find information relating to the sub tags of security-constraint i.e. <web-resource-collection>, <auth-constraint> etc., which say they can bring in default values if left empty.

I have actually added the empty <security-constraint></security-constraint> to my XML file to test this and seen no side effects from doing so, but I'm wondering if this is actually true or whether I have brought in a bunch of default security constraints without knowing it.

I'm also aware I shouldn't just add things to the project to please Sonar, but as I mentioned in a comment below, the reality of the situation is upper management use Sonar as a way to view project statuses. If it's failing they don't really care why, they just want it to go green.


There is 1 answer

Answer by martin-g

I'd suggest you contact the administrator of your SonarQube instance and tell him/her that this rule does not apply to your project.

If you use Spring Security or Apache Shiro, or something else, then you will still have a security layer but nothing in web.xml.
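As an added example (not part of the question or the answer above), the following Python script shows what each form of <security-constraint> actually does, which is the thing the question is really asking. It parses a web.xml and classifies every constraint using the Servlet specification's rules: a constraint with no <web-resource-collection> matches no URL at all (and is invalid against the web-app schema, which requires at least one collection), an <auth-constraint/> with no <role-name> denies access to everyone, an <auth-constraint> with roles limits access to those roles, and no <auth-constraint> at all means no authentication is required. The sample descriptor embedded below is constructed for the example, and the function names (`audit_web_xml`, `classify_constraint`) are my own, not an API of any container or of SonarQube.

```python
"""Classify <security-constraint> elements in a web.xml by their real effect."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original post). It holds the
# empty constraint from the question, a deny-all constraint, and a role-gated
# constraint that also requires HTTPS.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint></security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so matching works for any web-app schema version."""
    return tag.split("}", 1)[-1]


def _children(elem, name):
    """Direct child elements of elem whose local name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text and c.text.strip()]


def classify_constraint(sc):
    """Describe one <security-constraint> element.

    effect is one of:
      EMPTY            no <web-resource-collection>: constrains nothing and is
                       schema-invalid (the schema requires at least one)
      DENY_ALL         <auth-constraint> present but names no role
      ROLES            <auth-constraint> lists roles
      UNAUTHENTICATED  no <auth-constraint>; only the transport guarantee applies
    """
    collections = _children(sc, "web-resource-collection")
    patterns, methods = [], []
    for wrc in collections:
        patterns += _texts(wrc, "url-pattern")
        methods += _texts(wrc, "http-method")

    auth = _children(sc, "auth-constraint")
    roles = []
    for ac in auth:
        roles += _texts(ac, "role-name")

    transport = None
    for udc in _children(sc, "user-data-constraint"):
        guarantees = _texts(udc, "transport-guarantee")
        if guarantees:
            transport = guarantees[-1]

    if not collections:
        effect = "EMPTY"
    elif auth and not roles:
        effect = "DENY_ALL"
    elif roles:
        effect = "ROLES"
    else:
        effect = "UNAUTHENTICATED"

    # No <http-method> means the constraint covers every method.
    return {"patterns": patterns, "methods": methods or ["*"], "roles": roles,
            "transport": transport, "effect": effect}


def audit_web_xml(xml_text):
    """Return one classification dict per <security-constraint> in the descriptor."""
    root = ET.fromstring(xml_text)
    return [classify_constraint(sc) for sc in _children(root, "security-constraint")]


if __name__ == "__main__":
    for index, constraint in enumerate(audit_web_xml(SAMPLE_WEB_XML), 1):
        print(index, constraint)
```

Running it on the sample reports the first constraint as EMPTY, the second as DENY_ALL for /admin/*, and the third as ROLES (user) on GET /app/* over HTTPS. The point for the question is that the empty element does not pull in defaults; it simply matches no URL, so a container that does not validate the descriptor against the schema ignores it, and one that does validate may refuse to deploy. A script like this can also run in CI to flag the EMPTY case, which is the kind of check that keeps the descriptor honest rather than merely keeping a dashboard green.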