From 763676218ef408d2a12147ed4cb90dc79c67fcf0 Mon Sep 17 00:00:00 2001 From: Dorian Burihabwa <75226315+dorian-burihabwa-sonarsource@users.noreply.github.com> Date: Tue, 17 Dec 2024 11:20:37 +0100 Subject: [PATCH] SONARJAVA-5523 Update rule metadata (#4965) --- .../org/sonar/l10n/java/rules/java/S1075.html | 24 +++++++++++++++++++ .../org/sonar/l10n/java/rules/java/S115.html | 13 ++++++++++ .../org/sonar/l10n/java/rules/java/S1190.html | 2 +- .../org/sonar/l10n/java/rules/java/S1451.json | 4 +++- .../org/sonar/l10n/java/rules/java/S1751.json | 5 +++- .../org/sonar/l10n/java/rules/java/S1948.html | 16 ++++++++++--- .../org/sonar/l10n/java/rules/java/S2077.html | 2 +- .../org/sonar/l10n/java/rules/java/S3749.html | 4 ++++ .../org/sonar/l10n/java/rules/java/S3981.json | 4 +++- sonarpedia.json | 2 +- 10 files changed, 67 insertions(+), 9 deletions(-) diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1075.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1075.html index bfa52b4f018..3da4bd9d5bd 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1075.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1075.html @@ -10,11 +10,20 @@
For all those reasons, a URI should never be hard coded. Instead, it should be replaced by a customizable parameter.
Further, even if the elements of a URI are obtained dynamically, portability can still be limited if the path delimiters are hard-coded.
This rule raises an issue when URIs or path delimiters are hard-coded.
+This rule does not raise an issue when:
+public class Foo { + public static final String FRIENDS_ENDPOINT = "/user/friends"; // Compliant path is relative and has only two parts + public Collection<User> listUsers() { File userList = new File("/home/mylogin/Dev/users.txt"); // Noncompliant Collection<User> users = parse(userList); @@ -40,4 +49,19 @@+Compliant solution
} }
Exceptions examples:
++public class Foo { + public static final String FRIENDS_ENDPOINT = "/user/friends"; // Compliant path is relative and has only two parts + + public static final String ACCOUNT = "/account/group/list.html"; // Compliant path is used in an annotation + + @Value("${base.url}" + ACCOUNT) + private String groupUrl; + + @MyAnnotation() + String path = "/default/url/for/site"; // Compliant path is annotated + +} +diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S115.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S115.html index 54b462e0446..5b992c1584a 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S115.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S115.html @@ -46,6 +46,19 @@
The rule applies to fields of primitive types (for example, float
), boxed primitives (Float
), and Strings. We do not
+apply it to other types, which can be mutated, or have methods with side effects.
+public static final Logger log = getLogger(MyClass.class); +public static final List<Integer> myList = new ArrayList<>(); + +// call with side-effects +log.info("message") + +// mutating an object +myList.add(28); +
public class MyClass { - String s = ""; // Noncompliant + String s = ""; // Compliant }
This rule raises an issue on a non-transient and non-serializable field within a serializable class, if said class does not have
writeObject
and readObject
methods defined.
By contract, fields in a Serializable
class must themselves be either Serializable
or transient
. Even if the
-class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen. For instance, under load, most J2EE
-application frameworks flush objects to disk.
By contract, non-static fields in a Serializable
class must themselves be either Serializable
or transient
.
+Even if the class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen. For instance, under load, most
+J2EE application frameworks flush objects to disk.
An object that implements Serializable
but contains non-transient, non-serializable data members (and thus violates the contract)
could cause application crashes and open the door to attackers. In general, a Serializable
class is expected to fulfil its contract and
not exhibit unexpected behaviour when an instance is serialized.
Finally, static fields are out of scope for serialization, so making a field static prevents issues from being raised.
++public class Person implements Serializable { + private static final long serialVersionUID = 1905122041950251207L; + + private String name; + + private static Logger log = getLogger(); // Compliant, static fields are not serialized +} +
Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the -query. However, this rule doesn’t detect SQL injections (unlike rule {rule:javasecurity:S3649}), the goal is only to highlight complex/formatted queries.
+query. However, this rule doesn’t detect SQL injections (unlike rule {rule:java:S3649}), the goal is only to highlight complex/formatted queries.org.springframework.beans.factory.annotation.Value
javax.annotation.Inject
javax.annotation.Resource
javax.persistence.PersistenceContext
jakarta.annotation.Resource
jakarta.inject.Inject
jakarta.persistence.PersistenceContext
Add one of these annotations to all non-static
members: @Resource
, @Inject
, @Autowired
or
diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3981.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3981.json
index b89a6bb842e..bdd9a5c2ba5 100644
--- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3981.json
+++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S3981.json
@@ -12,7 +12,9 @@
"func": "Constant\/Issue",
"constantCost": "2min"
},
- "tags": [],
+ "tags": [
+ "confusing"
+ ],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-3981",
"sqKey": "S3981",
diff --git a/sonarpedia.json b/sonarpedia.json
index 1c08bab2e01..51944eee7f9 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,7 +3,7 @@
"languages": [
"JAVA"
],
- "latest-update": "2024-11-29T11:04:25.911576775Z",
+ "latest-update": "2024-12-17T09:08:48.208626612Z",
"options": {
"no-language-in-filenames": true,
"preserve-filenames": false