Sonar raises security alerts on backend endpoints allowing GET & POST methods, as described here.
How is it related to CSRF?
CSRF is explained by OWASP here, but I don't get why having an endpoint open to both GET & POST is harmful. If I limit it to a POST-only endpoint, the attacker can still build a CSRF POST request.
As Heiko said in a comment, Sonar assumes we're using a framework that adds and handles the CSRF token for us on sensitive endpoints.
For example, Java Spring allows you to configure it as explained in the documentation. Sonar assumes you've already configured it.
It considers POST/PUT/PATCH/DELETE requests but not GET requests because it assumes that your code follows the best practice: no data alteration in GET endpoints. Of course, you should adapt it to your use case, identifying which of your endpoints are sensitive and configuring it accordingly.
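
The case the rule targets, as an added example that is not from the original answer or from Sonar's documentation. It assumes Spring MVC with Spring Security's CSRF protection left at its defaults; `EmailService`, the controller names and the paths are hypothetical.

```java
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical service, present only so the handlers have state to change.
interface EmailService {
    void changeEmail(String newEmail);
}

@RestController
class RiskyAccountController {
    private final EmailService emails;

    RiskyAccountController(EmailService emails) {
        this.emails = emails;
    }

    // Flagged: a state-changing handler reachable by GET as well as POST.
    // Spring Security's default CSRF filter requires no token for
    // GET, HEAD, TRACE and OPTIONS, so the GET route reaches this method
    // without any token check. A @RequestMapping with no "method"
    // attribute behaves the same way, because it accepts every HTTP method.
    @RequestMapping(value = "/account/email",
                    method = {RequestMethod.GET, RequestMethod.POST})
    public String changeEmail(@RequestParam("email") String email) {
        emails.changeEmail(email);
        return "updated";
    }
}

@RestController
class SaferAccountController {
    private final EmailService emails;

    SaferAccountController(EmailService emails) {
        this.emails = emails;
    }

    // POST only: every request that reaches this method has passed the
    // framework's CSRF token check, and a GET to this path gets a 405.
    @PostMapping("/account/v2/email")
    public String changeEmail(@RequestParam("email") String email) {
        emails.changeEmail(email);
        return "updated";
    }
}
```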