From b3b75d8fad95b2e4c11385500a529c162a28093c Mon Sep 17 00:00:00 2001
From: Guillaume Toison <86775455+gtoison@users.noreply.github.com>
Date: Mon, 15 Apr 2024 16:47:26 +0200
Subject: [PATCH] Upgrade SpotBugs to 4.8.4 (#1001)
* deps: Upgraded SpotBugs to 4.8.4, updated profiles and rules count
---
.github/workflows/build.yml | 2 +-
README.md | 4 +-
generate_profiles/BuildXmlFiles.groovy | 4 +-
pom.xml | 2 +-
.../rules/FindbugsRulesDefinition.java | 2 +-
.../profile-findbugs-and-fb-contrib.xml | 21 ++++
.../findbugs/profile-findbugs-only.xml | 21 ++++
.../sonar/plugins/findbugs/rules-findbugs.xml | 95 +++++++++++++++++++
.../findbugs/FindbugsProfileImporterTest.java | 4 +-
9 files changed, 146 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 68dfae7b..77d7f6e2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -126,7 +126,7 @@ jobs:
uses: ./.github/actions/sonar-update-center
with:
prop-file: findbugs.properties
- description: Use SpotBugs 4.8.3, sb-contrib 7.6.4, and findsecbugs 1.13.0
+ description: Use SpotBugs 4.8.4, sb-contrib 7.6.4, and findsecbugs 1.13.0
minimal-supported-sq-version: 9.9
latest-supported-sq-version: LATEST
changelog-url: https://github.com/spotbugs/sonar-findbugs/releases/tag/${{ github.event.release.tag_name }}
diff --git a/README.md b/README.md
index 388f350c..5cbee906 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# SonarQube Spotbugs Plugin
[![.github/workflows/build.yml](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml/badge.svg)](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml)
-![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-933-brightgreen.svg?maxAge=2592000)
+![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-940-brightgreen.svg?maxAge=2592000)
[![Coverage Status](https://sonarcloud.io/api/project_badges/measure?project=com.github.spotbugs%3Asonar-findbugs-plugin&metric=coverage)](https://sonarcloud.io/component_measures?id=com.github.spotbugs:sonar-findbugs-plugin&metric=coverage)
## Description / Features
@@ -73,4 +73,4 @@ Findbugs Plugin version|Embedded SpotBugs/Findbugs version|Embedded Findsecbugs
4.2.6 | 4.8.2 (SpotBugs) | 1.12.0 | 7.6.2 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.7 | 4.8.3 (SpotBugs) | 1.12.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
4.2.8 | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
-4.2.9-SNAPSHOT | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
+4.2.9-SNAPSHOT | 4.8.4 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
diff --git a/generate_profiles/BuildXmlFiles.groovy b/generate_profiles/BuildXmlFiles.groovy
index 5222b035..532331cb 100644
--- a/generate_profiles/BuildXmlFiles.groovy
+++ b/generate_profiles/BuildXmlFiles.groovy
@@ -8,13 +8,13 @@ import groovy.json.JsonSlurper;
@Grapes([
- @Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.3'),
+ @Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.4'),
@Grab(group='com.mebigfatguy.sb-contrib', module='sb-contrib', version='7.6.4'),
@Grab(group='com.h3xstream.findsecbugs' , module='findsecbugs-plugin', version='1.13.0')]
)
-FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.3')
+FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.4')
CONTRIB = new Plugin(groupId: 'com.mebigfatguy.sb-contrib', artifactId: 'sb-contrib', version: '7.6.4')
FSB = new Plugin(groupId: 'com.h3xstream.findsecbugs', artifactId: 'findsecbugs-plugin', version: '1.13.0')
diff --git a/pom.xml b/pom.xml
index 107fc54a..9726127c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -52,7 +52,7 @@
Also need to update profiles, see ./generate_profiles/README.md for detail.
Update the version table and the rules count badge in README.md
-->
- 4.8.3
+ 4.8.4
7.6.4
1.13.0
diff --git a/src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java b/src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java
index 0ee96629..4efa2211 100644
--- a/src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java
+++ b/src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java
@@ -28,7 +28,7 @@ public final class FindbugsRulesDefinition implements RulesDefinition {
public static final String REPOSITORY_KEY = "findbugs";
public static final String REPOSITORY_NAME = "FindBugs";
- public static final int RULE_COUNT = 476;
+ public static final int RULE_COUNT = 483;
public static final int DEACTIVED_RULE_COUNT = 6;
@Override
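Review bot: `RULE_COUNT` is a hand-maintained number and the bumped value on the `+` line carries no hint of what it must agree with, so the next SpotBugs upgrade has to rediscover that from the pom comment. I would add a comment above the constant, e.g. `// Number of rule entries in rules-findbugs.xml; regenerate that file with generate_profiles/BuildXmlFiles.groovy and update this count (and the test expectations) on every SpotBugs upgrade.` The README badge in the same patch moves 933→940, which is larger than this constant, so it presumably counts rules across all bundled plugins rather than this repository alone — worth stating in the comment if confirmed. The enclosing class `FindbugsRulesDefinition` starts outside the hunk.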
diff --git a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml
index 011d9868..6de24601 100644
--- a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml
+++ b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml
@@ -1370,6 +1370,27 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml
index 34416335..10d666a2 100644
--- a/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml
+++ b/src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml
@@ -1370,6 +1370,27 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml
index fbb9c53e..31993b64 100644
--- a/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml
+++ b/src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml
@@ -4560,6 +4560,13 @@ If the object is, indeed, non-serializable, an error will result.
<p>
This format string includes a newline character (\n). In format strings, it is generally
preferable to use %n, which will produce the platform-specific line separator.
+
+ When using text blocks introduced in Java 15, use the <code>\</code> escape sequence:
+
+<code>String value = """
+ first line%n\
+ second line%n\
+ """;</code>
</p>
bad-practice
@@ -5651,6 +5658,94 @@ object explicitly.</p>
</p>
malicious-code
+
+ Malicious code - An overridable method is called from the readObject method.
+ MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT
+ <p>
+ The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject()
+ method can provide the overriding method with access to the object's state before it is fully initialized. This
+ premature access is possible because, in deserialization, readObject plays the role of object constructor and
+ therefore object initialization is not complete until readObject exits.</p>
+ <p>
+ <br/>
+ See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method">
+ SER09-J. Do not invoke overridable methods from the readObject() method</a>.
+ </p>
+ malicious-code
+
+
+ Correctness - Class using singleton design pattern directly implements Cloneable interface.
+ SING_SINGLETON_IMPLEMENTS_CLONEABLE
+ <p>
+ If a class using singleton design pattern directly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.<br>
+ Therefore, implementing the Cloneable interface should be avoided.<br><br>
+
+ For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>.
+ </p>
+ correctness
+ bug
+
+
+ Correctness - Class using singleton design pattern indirectly implements Cloneable interface.
+ SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE
+ <p>
+ If a class using singleton design pattern indirectly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.<br>
+ Therefore, implementing the Cloneable interface should be avoided. If that's not possible because of an extended super-class, the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.<br><br>
+
+ For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>.
+ </p>
+ correctness
+ bug
+
+
+ Correctness - Class using singleton design pattern implements clone() method without being an unconditional CloneNotSupportedException-thrower.
+ SING_SINGLETON_IMPLEMENTS_CLONE_METHOD
+ <p>
+ This class is using singleton design pattern and does not implement the Cloneable interface, but implements the clone() method without being an unconditional CloneNotSupportedException-thrower.
+ With that, it is possible to create a copy of the object, thus violating the singleton pattern.<br>
+ Therefore, implementing the clone method should be avoided, otherwise the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.<br><br>
+
+ For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>.
+ </p>
+ correctness
+ bug
+
+
+ Correctness - Class using singleton design pattern has non-private constructor.
+ SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR
+ <p>
+ This class is using singleton design pattern and has non-private constructor (please note that a default constructor might exist which is not private). Given that, it is possible to create a copy of the object, thus violating the singleton pattern.<br>
+ The easier solution would be making the constructor private.<br><br>
+
+ <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule
+ </p>
+ correctness
+ bug
+
+
+ Correctness - Class using singleton design pattern directly or indirectly implements Serializable interface.
+ SING_SINGLETON_IMPLEMENTS_SERIALIZABLE
+ <p>
+ This class (using singleton design pattern) directly or indirectly implements the Serializable interface, which allows the class to be serialized.<br>
+ Deserialization makes multiple instantiation of a singleton class possible, and therefore should be avoided.<br><br>
+
+ <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule
+ </p>
+ correctness
+ bug
+
+
+ Correctness - Instance-getter method of class using singleton design pattern is not synchronized.
+ SING_SINGLETON_GETTER_NOT_SYNCHRONIZED
+ <p>
+ Instance-getter method of class using singleton design pattern is not synchronized. When this method is invoked by two or more threads simultaneously,
+ multiple instantiation of a singleton class becomes possible.<br><br>
+
+ <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule
+ </p>
+ correctness
+ bug
+
Multi-threading - Instance level lock was used on a shared static data
SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA
diff --git a/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java b/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java
index 7cdb7611..7153591b 100644
--- a/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java
+++ b/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java
@@ -132,7 +132,7 @@ void shouldImportCategories() {
BuiltInQualityProfile profile = context.profile(Java.KEY, TEST_PROFILE);
Collection results = profile.rules();
- assertThat(results).hasSize(153);
+ assertThat(results).hasSize(159);
assertThat(findActiveRule(profile, FindbugsRulesDefinition.REPOSITORY_KEY, "BC_IMPOSSIBLE_DOWNCAST")).isNotNull();
}
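Review bot: The expected profile size `159` now appears as a bare literal here in `shouldImportCategories` and again in the `@CsvSource` of `profileImport` in the next hunk, so every upgrade has to find and edit both spots in step. Consider a `private static final int CATEGORY_PROFILE_SIZE = 159;` used in `assertThat(results).hasSize(CATEGORY_PROFILE_SIZE);` and, since a `static final int` is a compile-time constant, in the annotation as `"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml," + CATEGORY_PROFILE_SIZE`. The size grows by 6 here while `RULE_COUNT` grows by 7 in the same patch, which is plausible if one of the new rules falls outside the imported categories, but a one-line comment on the constant explaining that relationship would save the next reviewer the same check. The body of `shouldImportCategories` begins outside the hunk.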
@@ -182,7 +182,7 @@ void testImportingUncorrectXmlFile() {
@ParameterizedTest
@CsvSource({
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownRule.xml,1",
- "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,153",
+ "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,159",
"/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCode.xml,12"})
void profileImport(String profilePath, int expectedSize) {
NewBuiltInQualityProfile newProfile = context.createBuiltInQualityProfile(TEST_PROFILE, Java.KEY);