Skip to content

Commit

Permalink
Upgrade SpotBugs to 4.8.4 (#1001)
Browse files Browse the repository at this point in the history
* deps: Upgraded SpotBugs to 4.8.4, updated profiles and rules count
  • Loading branch information
gtoison authored Apr 15, 2024
1 parent e9aff8f commit b3b75d8
Show file tree
Hide file tree
Showing 9 changed files with 146 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ jobs:
uses: ./.github/actions/sonar-update-center
with:
prop-file: findbugs.properties
description: Use SpotBugs 4.8.3, sb-contrib 7.6.4, and findsecbugs 1.13.0
description: Use SpotBugs 4.8.4, sb-contrib 7.6.4, and findsecbugs 1.13.0
minimal-supported-sq-version: 9.9
latest-supported-sq-version: LATEST
changelog-url: https://github.com/spotbugs/sonar-findbugs/releases/tag/${{ github.event.release.tag_name }}
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# SonarQube Spotbugs Plugin
[![.github/workflows/build.yml](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml/badge.svg)](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml)
![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-933-brightgreen.svg?maxAge=2592000)
![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-940-brightgreen.svg?maxAge=2592000)
[![Coverage Status](https://sonarcloud.io/api/project_badges/measure?project=com.github.spotbugs%3Asonar-findbugs-plugin&metric=coverage)](https://sonarcloud.io/component_measures?id=com.github.spotbugs:sonar-findbugs-plugin&metric=coverage)

## Description / Features
Expand Down Expand Up @@ -73,4 +73,4 @@ Findbugs Plugin version|Embedded SpotBugs/Findbugs version|Embedded Findsecbugs
4.2.6 | 4.8.2 (SpotBugs) | 1.12.0 | 7.6.2 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.7 | 4.8.3 (SpotBugs) | 1.12.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.8 | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.9-SNAPSHOT | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.9-SNAPSHOT | 4.8.4 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4 changes: 2 additions & 2 deletions generate_profiles/BuildXmlFiles.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@ import groovy.json.JsonSlurper;

@Grapes([

@Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.3'),
@Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.4'),
@Grab(group='com.mebigfatguy.sb-contrib', module='sb-contrib', version='7.6.4'),
@Grab(group='com.h3xstream.findsecbugs' , module='findsecbugs-plugin', version='1.13.0')]
)


FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.3')
FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.4')
CONTRIB = new Plugin(groupId: 'com.mebigfatguy.sb-contrib', artifactId: 'sb-contrib', version: '7.6.4')
FSB = new Plugin(groupId: 'com.h3xstream.findsecbugs', artifactId: 'findsecbugs-plugin', version: '1.13.0')

Expand Down
2 changes: 1 addition & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@
Also need to update profiles, see ./generate_profiles/README.md for detail.
Update the version table and the rules count badge in README.md
-->
<spotbugs.version>4.8.3</spotbugs.version>
<spotbugs.version>4.8.4</spotbugs.version>
<sbcontrib.version>7.6.4</sbcontrib.version>
<findsecbugs.version>1.13.0</findsecbugs.version>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ public final class FindbugsRulesDefinition implements RulesDefinition {

public static final String REPOSITORY_KEY = "findbugs";
public static final String REPOSITORY_NAME = "FindBugs";
public static final int RULE_COUNT = 476;
public static final int RULE_COUNT = 483;
public static final int DEACTIVED_RULE_COUNT = 6;

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1370,6 +1370,27 @@
<Match>
<Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
</Match>
<Match>
<Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONEABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' />
</Match>
<Match>
<Bug pattern='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' />
</Match>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1370,6 +1370,27 @@
<Match>
<Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
</Match>
<Match>
<Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONEABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' />
</Match>
<Match>
<Bug pattern='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' />
</Match>
<Match>
<Bug pattern='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' />
</Match>
Expand Down
95 changes: 95 additions & 0 deletions src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml
Original file line number Diff line number Diff line change
Expand Up @@ -4560,6 +4560,13 @@ If the object is, indeed, non-serializable, an error will result.
<description>&lt;p&gt;
This format string includes a newline character (\n). In format strings, it is generally
preferable to use %n, which will produce the platform-specific line separator.

When using text blocks introduced in Java 15, use the &lt;code&gt;\&lt;/code&gt; escape sequence:

&lt;code&gt;String value = """
first line%n\
second line%n\
""";&lt;/code&gt;
&lt;/p&gt;</description>
<tag>bad-practice</tag>
</rule>
Expand Down Expand Up @@ -5651,6 +5658,94 @@ object explicitly.&lt;/p&gt;</description>
&lt;/p&gt;</description>
<tag>malicious-code</tag>
</rule>
<rule key='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' priority='INFO'>
<name>Malicious code - An overridable method is called from the readObject method.</name>
<configKey>MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT</configKey>
<description>&lt;p&gt;
The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject()
method can provide the overriding method with access to the object's state before it is fully initialized. This
premature access is possible because, in deserialization, readObject plays the role of object constructor and
therefore object initialization is not complete until readObject exits.&lt;/p&gt;
&lt;p&gt;
&lt;br/&gt;
See SEI CERT rule &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method"&gt;
SER09-J. Do not invoke overridable methods from the readObject() method&lt;/a&gt;.
&lt;/p&gt;</description>
<tag>malicious-code</tag>
</rule>
<rule key='SING_SINGLETON_IMPLEMENTS_CLONEABLE' priority='MAJOR'>
<name>Correctness - Class using singleton design pattern directly implements Cloneable interface.</name>
<configKey>SING_SINGLETON_IMPLEMENTS_CLONEABLE</configKey>
<description>&lt;p&gt;
If a class using singleton design pattern directly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
Therefore, implementing the Cloneable interface should be avoided.&lt;br&gt;&lt;br&gt;

For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' priority='MAJOR'>
<name>Correctness - Class using singleton design pattern indirectly implements Cloneable interface.</name>
<configKey>SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE</configKey>
<description>&lt;p&gt;
If a class using singleton design pattern indirectly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
Therefore, implementing the Cloneable interface should be avoided. If that's not possible because of an extended super-class, the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.&lt;br&gt;&lt;br&gt;

For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' priority='MAJOR'>
<name>Correctness - Class using singleton design pattern implements clone() method without being an unconditional CloneNotSupportedException-thrower.</name>
<configKey>SING_SINGLETON_IMPLEMENTS_CLONE_METHOD</configKey>
<description>&lt;p&gt;
This class is using singleton design pattern and does not implement the Cloneable interface, but implements the clone() method without being an unconditional CloneNotSupportedException-thrower.
With that, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
Therefore, implementing the clone method should be avoided, otherwise the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.&lt;br&gt;&lt;br&gt;

For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' priority='MAJOR'>
<name>Correctness - Class using singleton design pattern has non-private constructor.</name>
<configKey>SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR</configKey>
<description>&lt;p&gt;
This class is using singleton design pattern and has non-private constructor (please note that a default constructor might exist which is not private). Given that, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
The easier solution would be making the constructor private.&lt;br&gt;&lt;br&gt;

&lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' priority='MAJOR'>
<name>Correctness - Class using singleton design pattern directly or indirectly implements Serializable interface.</name>
<configKey>SING_SINGLETON_IMPLEMENTS_SERIALIZABLE</configKey>
<description>&lt;p&gt;
This class (using singleton design pattern) directly or indirectly implements the Serializable interface, which allows the class to be serialized.&lt;br&gt;
Deserialization makes multiple instantiation of a singleton class possible, and therefore should be avoided.&lt;br&gt;&lt;br&gt;

&lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' priority='MAJOR'>
<name>Correctness - Instance-getter method of class using singleton design pattern is not synchronized.</name>
<configKey>SING_SINGLETON_GETTER_NOT_SYNCHRONIZED</configKey>
<description>&lt;p&gt;
Instance-getter method of class using singleton design pattern is not synchronized. When this method is invoked by two or more threads simultaneously,
multiple instantiation of a singleton class becomes possible.&lt;br&gt;&lt;br&gt;

&lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
&lt;/p&gt;</description>
<tag>correctness</tag>
<tag>bug</tag>
</rule>
<rule key='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' priority='MAJOR'>
<name>Multi-threading - Instance level lock was used on a shared static data</name>
<configKey>SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA</configKey>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -132,7 +132,7 @@ void shouldImportCategories() {
BuiltInQualityProfile profile = context.profile(Java.KEY, TEST_PROFILE);
Collection<BuiltInActiveRule> results = profile.rules();

assertThat(results).hasSize(153);
assertThat(results).hasSize(159);
assertThat(findActiveRule(profile, FindbugsRulesDefinition.REPOSITORY_KEY, "BC_IMPOSSIBLE_DOWNCAST")).isNotNull();
}

Expand Down Expand Up @@ -182,7 +182,7 @@ void testImportingUncorrectXmlFile() {
@ParameterizedTest
@CsvSource({
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownRule.xml,1",
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,153",
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,159",
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCode.xml,12"})
void profileImport(String profilePath, int expectedSize) {
NewBuiltInQualityProfile newProfile = context.createBuiltInQualityProfile(TEST_PROFILE, Java.KEY);
Expand Down

0 comments on commit b3b75d8

Please sign in to comment.