SONARJAVA-4612 Supported jakarta package in SpringComponentWithNonAut…

…owiredMembersCheck, AbstractRegexCheck (#4475)

its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -188,7 +188,7 @@ public void javaCheckTestSources() throws Exception {
      * No differences would mean that we find the same issues with and without the bytecode and libraries
      */
     String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));
-    assertThat(differences).isEqualTo("Issues differences: 3254");
+    assertThat(differences).isEqualTo("Issues differences: 3294");
   }
 
   private static Path pathFor(String path) {

its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -302,7 +302,7 @@
   {
     "ruleKey": "S1161",
     "hasTruePositives": true,
-    "falseNegatives": 6,
+    "falseNegatives": 7,
     "falsePositives": 0
   },
   {
@@ -338,7 +338,7 @@
   {
     "ruleKey": "S1172",
     "hasTruePositives": true,
-    "falseNegatives": 11,
+    "falseNegatives": 13,
     "falsePositives": 0
   },
   {
@@ -698,7 +698,7 @@
   {
     "ruleKey": "S1874",
     "hasTruePositives": true,
-    "falseNegatives": 89,
+    "falseNegatives": 102,
     "falsePositives": 0
   },
   {
@@ -974,7 +974,7 @@
   {
     "ruleKey": "S2160",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 1,
     "falsePositives": 0
   },
   {
@@ -1322,7 +1322,7 @@
   {
     "ruleKey": "S2637",
     "hasTruePositives": true,
-    "falseNegatives": 19,
+    "falseNegatives": 21,
     "falsePositives": 0
   },
   {
@@ -1610,7 +1610,7 @@
   {
     "ruleKey": "S3330",
     "hasTruePositives": true,
-    "falseNegatives": 30,
+    "falseNegatives": 51,
     "falsePositives": 0
   },
   {

java-checks-test-sources/pom.xml

@@ -386,6 +386,18 @@
       <type>jar</type>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>jakarta.ws.rs</groupId>
+      <artifactId>jakarta.ws.rs-api</artifactId>
+      <version>3.1.0</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+      <version>6.0.0</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>javax.inject</groupId>
       <artifactId>javax.inject</artifactId>

java-checks-test-sources/src/main/files/non-compiling/checks/security/CookieHttpOnlyCheck.java

@@ -83,3 +83,43 @@ void baw() {
     Unknown.unkown(() -> { Class<String> v = unknown(); });
   }
 }
+
+class JakartaCookieHttpOnlyCheck {
+
+  jakarta.servlet.http.Cookie field4;
+  jakarta.servlet.http.Cookie field6;
+
+  void servletCookie(boolean param, jakarta.servlet.http.Cookie c0) {
+    field6.setHttpOnly(false); // Noncompliant
+
+    jakarta.servlet.http.Cookie c7 = new UnknownCookie("name", "value"); // Noncompliant
+    Object c8 = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+
+    jakarta.servlet.http.Cookie c13;
+    c13 = new UnknownCookie("name", "value"); // Noncompliant
+
+    field4 = new jakarta.servlet.http.Cookie("name, value"); // FN
+  }
+
+  jakarta.servlet.http.Cookie getC0() {
+    return new UnknownCookie("name", "value"); // FN
+  }
+
+  void compliant(jakarta.ws.rs.core.Cookie c) {
+    c.isHttpOnly();
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookie extends jakarta.servlet.http.Cookie {
+  public jakarta.servlet.http.Cookie c;
+  public void setHttpOnly(boolean isHttpOnly) { }
+  void foo() {
+    setHttpOnly(false); // Noncompliant
+  }
+  void bar(boolean x) {
+    setHttpOnly(x);
+  }
+  void baz() {
+    setHttpOnly(true);
+  }
+}

java-checks-test-sources/src/main/java/annotations/nullability/no_default/JakartaNullabilityAnnotation.java

@@ -0,0 +1,11 @@
+package annotations.nullability.no_default;
+
+import jakarta.annotation.Nonnull;
+import jakarta.annotation.Nullable;
+
+public class JakartaNullabilityAnnotation {
+  @Nullable
+  Object id9002_type_WEAK_NULLABLE_level_VARIABLE;
+  @Nonnull
+  Object id9003_type_NON_NULL_level_VARIABLE;
+}

java-checks-test-sources/src/main/java/checks/LeastSpecificTypeCheck.java

@@ -90,6 +90,33 @@ public void autowiredMethod3(List<Object> list) { // Compliant - List interface
     list.size();
   }
 
+  @jakarta.annotation.Resource
+  public void jakartaResourceAnnotatedMethod3(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
+  @jakarta.inject.Inject
+  public void jakartaInjectAnnotatedMethod1(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+  @jakarta.annotation.Resource
+  public void jakartaRAnnotatedMethod4(Collection<Object> list) { // Compliant - since Spring annotated methods cannot take 'Iterable' as argument
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
+  @jakarta.inject.Inject
+  public void jakartaInjectAnnotatedMethod2(Collection<Object> list) { // Compliant - since Spring annotated methods cannot take 'Iterable' as argument
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
   public static void staticMethod(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
     list.size();
   }

java-checks-test-sources/src/main/java/checks/regex/RedosCheck.java

@@ -8,6 +8,9 @@ public class RedosCheck {
   @Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=9]] {{Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.}}
   String email;
 
+  @jakarta.validation.constraints.Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=40]] {{Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.}}
+  String email2;
+
   void realWorldExamples(String str) {
     String cloudflareAttack = "(?:(?:\"|'|\\]|\\}|\\\\|\\d|(?:nan|infinity|true|false|null|undefined|symbol|math)|\\`|\\-|\\+)+[)]*;?((?:\\s|-|~|!|\\{\\}|\\|\\||\\+)*.*(?:.*=.*)))";
     String stackOverflowAttack = "^[\\s\\u200c]+|[\\s\\u200c]+$";

java-checks-test-sources/src/main/java/checks/regex/RedosCheckJava8.java

@@ -7,6 +7,9 @@ public class RedosCheckJava8 {
   @Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=9]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
   String email;
 
+  @jakarta.validation.constraints.Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=40]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
+  String email2;
+
   void alwaysExponential(String str) {
     str.matches("(.*,)*?"); // Noncompliant [[sc=9;ec=16]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
     str.matches("(.?,)*?"); // Noncompliant {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}

java-checks-test-sources/src/main/java/checks/security/CookieHttpOnlyCheck.java

@@ -256,17 +256,175 @@ void baz() {
 
 class CookieHttpOnlyCheckCookieB {
   CookieHttpOnlyCheckCookieA a;
-  public void setHttpOnly(boolean isHttpOnly) { }
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
   void foo() {
     setHttpOnly(false);
   }
-  void bar() { return; }
+
+  void bar() {
+    return;
+  }
+
   CookieHttpOnlyCheckCookieA getA() {
     return new CookieHttpOnlyCheckCookieA(); // Noncompliant
   }
+
   void baw() {
     int i;
     i = 1;
     a.c = new Cookie("1", "2"); // FN
   }
 }
+
+class JakartaCookieHttpOnlyCheckCookieACookieHttpOnlyCheck {
+
+  private static final boolean FALSE_CONSTANT = false;
+
+  jakarta.servlet.http.Cookie field1 = new jakarta.servlet.http.Cookie("name", "value"); // FN
+  jakarta.ws.rs.core.Cookie field3 = new jakarta.ws.rs.core.Cookie("name", "value"); // FN
+  jakarta.servlet.http.Cookie field6;
+  void servletCookie(boolean param, jakarta.servlet.http.Cookie c0) {
+    c0.setHttpOnly(false); // Noncompliant [[sc=19;ec=26]] {{Make sure creating this cookie without the "HttpOnly" flag is safe.}}
+    field6.setHttpOnly(false); // Noncompliant
+
+    jakarta.servlet.http.Cookie c1 = new jakarta.servlet.http.Cookie("name", "value");
+    if (param) {
+      c1.setHttpOnly(false); // Noncompliant
+    } else {
+      c1.setHttpOnly(true);
+    }
+
+    jakarta.servlet.http.Cookie c2 = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant [[sc=42;ec=69]]
+
+    c1.setHttpOnly(false); // Noncompliant
+
+    c1.setHttpOnly(FALSE_CONSTANT); // Noncompliant
+
+    boolean b = false;
+    c1.setHttpOnly(b); // Noncompliant
+
+    c1.setHttpOnly(param);
+
+    jakarta.servlet.http.Cookie c3;
+    c3 = new jakarta.servlet.http.Cookie("name", "value");
+    c3.setHttpOnly(false); // Noncompliant
+
+    c3.setHttpOnly(true);
+
+    boolean bValue = true;
+    c3.setHttpOnly(!bValue); // FN
+  }
+
+  jakarta.servlet.http.Cookie getC1() {
+    return new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant [[sc=16;ec=43]]
+  }
+
+  jakarta.servlet.http.Cookie returnHttpCookie(jakarta.servlet.http.HttpServletResponse response) {
+    jakarta.servlet.http.Cookie cookie = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+    response.addCookie(new jakarta.servlet.http.Cookie("name", "value")); // Noncompliant
+    return new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+  }
+
+  void jakartaRsCookie() {
+    jakarta.ws.rs.core.Cookie c1 = new jakarta.ws.rs.core.Cookie("name", "value"); // Noncompliant
+    jakarta.ws.rs.core.Cookie c2 = new jakarta.ws.rs.core.Cookie("name", "value", "path", "domain"); // Noncompliant
+  }
+
+  void jakartaRsNewCookie(jakarta.ws.rs.core.Cookie cookie) {
+    jakarta.ws.rs.core.NewCookie c1 = new jakarta.ws.rs.core.NewCookie("name", "value", "path", "domain", "comment", 1, true); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c2 = new jakarta.ws.rs.core.NewCookie(cookie, "comment", 2, true); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c3 = new jakarta.ws.rs.core.NewCookie(cookie); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c4 = new jakarta.ws.rs.core.NewCookie(cookie, "c", 1, true); // Noncompliant
+
+    jakarta.ws.rs.core.NewCookie c5 = new jakarta.ws.rs.core.NewCookie(cookie, "c", 1, new Date(), false, true); // last param is HttpOnly
+    jakarta.ws.rs.core.NewCookie c6 = new jakarta.ws.rs.core.NewCookie("1", "2", "3", "4", 5, "6", 7, new Date(), false, true);
+    jakarta.ws.rs.core.NewCookie c7 = new jakarta.ws.rs.core.NewCookie("1", "2", "3", "4", "5", 6, false, true);
+  }
+
+  jakarta.ws.rs.core.NewCookie getC3() {
+    return new jakarta.ws.rs.core.NewCookie("name", "value", "path", "domain", "comment", 1, true); // Noncompliant
+  }
+
+  // SONARJAVA-2772
+  jakarta.servlet.http.Cookie xsfrToken() {
+    String cookieName = "XSRF-TOKEN";
+
+    jakarta.servlet.http.Cookie xsfrToken = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value"); // OK, used to implement XSRF
+    xsfrToken.setHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken2 = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+    xsfrToken2.setHttpOnly(true);
+
+    jakarta.servlet.http.Cookie xsfrToken3 = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+
+    jakarta.ws.rs.core.Cookie xsfrToken6 = new jakarta.ws.rs.core.Cookie("XSRF-TOKEN", "value");
+
+    jakarta.ws.rs.core.Cookie xsfrToken7 = new jakarta.ws.rs.core.Cookie("XSRF-TOKEN", "value", "path", "domain");
+
+    play.mvc.Http.CookieBuilder xsfrToken10;
+    xsfrToken10 = play.mvc.Http.Cookie.builder("XSRF-TOKEN", "2");
+    xsfrToken10.withHttpOnly(false);
+
+    play.mvc.Http.CookieBuilder xsfrToken11 = play.mvc.Http.Cookie.builder("XSRF-TOKEN", "2");
+    xsfrToken11.withHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken12 = new jakarta.servlet.http.Cookie("CSRFToken", "value");
+    xsfrToken12.setHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken13 = new jakarta.servlet.http.Cookie("Csrf-token", "value");
+    xsfrToken13.setHttpOnly(false);
+
+    return new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookieA extends jakarta.servlet.http.Cookie {
+  public jakarta.servlet.http.Cookie c;
+
+  public JakartaCookieHttpOnlyCheckCookieA() {
+    super("name", "value");
+  }
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
+  void foo() {
+    setHttpOnly(false); // Noncompliant
+  }
+
+  void bar(boolean x) {
+    setHttpOnly(x);
+  }
+
+  void baz() {
+    setHttpOnly(true);
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookieB {
+  JakartaCookieHttpOnlyCheckCookieA a;
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
+  void foo() {
+    setHttpOnly(false);
+  }
+
+  void bar() {
+    return;
+  }
+
+  JakartaCookieHttpOnlyCheckCookieA getC() {
+    return new JakartaCookieHttpOnlyCheckCookieA(); // Noncompliant
+  }
+
+  void baw() {
+    int i;
+    i = 1;
+    a.c = new jakarta.servlet.http.Cookie("1", "2"); // FN
+  }
+}