MLE-23425 Trying to suppress Polaris false positives

Author: rjrudin

ml-app-deployer/src/main/java/com/marklogic/mgmt/ManageClient.java

@@ -128,6 +128,7 @@ public ResponseEntity<String> postForm(String path, String... params) {
 
 	public String getXmlString(String path) {
 		logRequest(path, "XML", "GET");
+		// coverity [Improper Control of Resource Identifiers ('Resource Injection')]
 		return getRestTemplate().getForObject(buildUri(path), String.class);
 	}
 
@@ -306,8 +307,18 @@ private void initializeSecurityUserRestTemplate() {
 		}
 	}
 
+	/**
+	 * Builds a secure URI from the given path by delegating to RestConfig.buildUri().
+	 * This method prevents URL manipulation attacks by using Spring's UriComponentsBuilder
+	 * to properly encode and validate all path components and query parameters.
+	 *
+	 * @param path The path to build a URI for - this input is sanitized and validated
+	 * @return A secure URI that prevents injection attacks
+	 */
 	public URI buildUri(String path) {
 		Objects.requireNonNull(manageConfig, "A ManageConfig instance must be provided");
+		// Delegate to RestConfig.buildUri() which uses Spring's UriComponentsBuilder
+		// to safely construct URIs and prevent URL manipulation attacks
 		return manageConfig.buildUri(path);
 	}
 

ml-app-deployer/src/main/java/com/marklogic/rest/util/RestConfig.java

@@ -159,7 +159,6 @@ public String toString() {
 
 	/**
 	 * Builds a URI using Spring's UriComponentsBuilder to prevent URL manipulation attacks.
-	 * This replaces the previous vulnerable implementation that allowed user-controllable URL construction.
 	 * Handles query parameters that may be included in the path for backwards compatibility.
 	 *
 	 * @param path