From: Evgeny Mandrikov Date: Tue, 7 Aug 2012 17:15:07 +0000 (+0600) Subject: SONAR-3699 Upgrade to FindBugs 2.0.1 X-Git-Tag: 3.3~350 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=2ef978c162f11c5cee5944327568b69bbdea1142;p=sonarqube.git SONAR-3699 Upgrade to FindBugs 2.0.1 New rules: * PT_ABSOLUTE_PATH_TRAVERSAL * PT_RELATIVE_PATH_TRAVERSAL * NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR * MS_SHOULD_BE_REFACTORED_TO_BE_FINAL * BC_UNCONFIRMED_CAST_OF_RETURN_VALUE * TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS --- diff --git a/plugins/sonar-findbugs-plugin/pom.xml b/plugins/sonar-findbugs-plugin/pom.xml index c66633c4e51..0cd10099d69 100644 --- a/plugins/sonar-findbugs-plugin/pom.xml +++ b/plugins/sonar-findbugs-plugin/pom.xml @@ -14,7 +14,7 @@ FindBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods. - 2.0.0 + 2.0.1 diff --git a/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/profile-sonar-way-findbugs.xml b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/profile-sonar-way-findbugs.xml index 1fc95f1a2ec..8fa5a2696f9 100644 --- a/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/profile-sonar-way-findbugs.xml +++ b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/profile-sonar-way-findbugs.xml @@ -1198,4 +1198,22 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + diff --git a/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml index 44df2180ea9..ddb0a82bbb1 100644 --- a/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml +++ b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml @@ -2919,4 +2919,47 @@ + + + MAJOR + + + + + + + MAJOR + + + + + + + CRITICAL + + + + + + + MAJOR + + + + + + + CRITICAL + + + + + + + MAJOR + + + + + diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java index 23251154ab4..6920e086a23 100644 --- a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java @@ -57,7 +57,7 @@ public class FindbugsProfileImporterTest { RulesProfile profile = importer.importProfile(new InputStreamReader(input), ValidationMessages.create()); List results = profile.getActiveRules(); - assertThat(results).hasSize(18); + assertThat(results).hasSize(19); assertThat(profile.getActiveRule(FindbugsConstants.REPOSITORY_KEY, "EC_INCOMPATIBLE_ARRAY_COMPARE")).isNotNull(); assertThat(profile.getActiveRule(FindbugsConstants.REPOSITORY_KEY, "BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY")).isNotNull(); } @@ -135,7 +135,7 @@ public class FindbugsProfileImporterTest { RulesProfile profile = importer.importProfile(new StringReader(uncorrectFindbugsXml), messages); List results = profile.getActiveRules(); - assertThat(results).hasSize(9); + assertThat(results).hasSize(10); assertThat(messages.getWarnings()).hasSize(1); } } diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/SonarWayWithFindbugsProfileTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/SonarWayWithFindbugsProfileTest.java index 6b516576fbb..63bbcae1dc0 100644 --- a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/SonarWayWithFindbugsProfileTest.java +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/SonarWayWithFindbugsProfileTest.java @@ -33,7 +33,7 @@ public class SonarWayWithFindbugsProfileTest { SonarWayWithFindbugsProfile sonarWayWithFindbugs = new SonarWayWithFindbugsProfile(importer); ValidationMessages validation = ValidationMessages.create(); RulesProfile profile = sonarWayWithFindbugs.createProfile(validation); - assertThat(profile.getActiveRulesByRepository(FindbugsConstants.REPOSITORY_KEY)).hasSize(399); + assertThat(profile.getActiveRulesByRepository(FindbugsConstants.REPOSITORY_KEY)).hasSize(405); assertThat(validation.hasErrors()).isFalse(); } diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties index 6b0577b8ca7..a86b043086c 100644 --- a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties @@ -406,3 +406,9 @@ rule.findbugs.UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD.name=Unused public or protect rule.findbugs.UWF_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD.name=Unwritten public or protected field rule.findbugs.VA_FORMAT_STRING_USES_NEWLINE.name=Format string should use %n rather than \\n rule.findbugs.VO_VOLATILE_INCREMENT.name=An increment to a volatile field isn't atomic +rule.findbugs.PT_ABSOLUTE_PATH_TRAVERSAL.name=Absolute path traversal in servlet +rule.findbugs.PT_RELATIVE_PATH_TRAVERSAL.name=Relative path traversal in servlet +rule.findbugs.NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.name=Nonnull field is not initialized +rule.findbugs.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.name=Field isn't final but should be refactored to be so +rule.findbugs.BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.name=Unchecked/unconfirmed cast of return value from method +rule.findbugs.TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.name=Comparing values with incompatible type qualifiers diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html new file mode 100644 index 00000000000..6563ad7d4f0 --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html @@ -0,0 +1,6 @@ +

+This code performs an unchecked cast of the return value of a method. +The code might be calling the method in such a way that the cast is guaranteed to be +safe, but FindBugs is unable to verify that the cast is safe. Check that your program logic ensures that this +cast will not fail. +

diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html new file mode 100644 index 00000000000..f0007009f78 --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html @@ -0,0 +1,8 @@ +

+This static field public but not final, and +could be changed by malicious code or +by accident from another package. +The field could be made final to avoid +this vulnerability. However, the static initializer contains more than one write +to the field, so doing so will require some refactoring. +

diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html new file mode 100644 index 00000000000..f4b822805ea --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html @@ -0,0 +1,5 @@ +

+The field is marked as nonnull, but isn't written to by the constructor. +The field might be initialized elsewhere during constructor, or might always +be initialized before use. +

diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html new file mode 100644 index 00000000000..148eeb2a4d6 --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html @@ -0,0 +1,13 @@ +

+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, +but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. + +See http://cwe.mitre.org/data/definitions/36.html for more information. +

+ +

+FindBugs looks only for the most blatant, obvious cases of absolute path traversal. +If FindBugs found any, you almost certainly have more +vulnerabilities that FindBugs doesn't report. If you are concerned about absolute path traversal, you should seriously +consider using a commercial static analysis or pen-testing tool. +

diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html new file mode 100644 index 00000000000..de134d8d60b --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html @@ -0,0 +1,12 @@ +

+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, +but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. + +See http://cwe.mitre.org/data/definitions/23.html for more information.

+ +

+FindBugs looks only for the most blatant, obvious cases of relative path traversal. +If FindBugs found any, you almost certainly have more +vulnerabilities that FindBugs doesn't report. If you are concerned about relative path traversal, you should seriously +consider using a commercial static analysis or pen-testing tool. +

diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html new file mode 100644 index 00000000000..43dd5c46acd --- /dev/null +++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html @@ -0,0 +1,22 @@ +

+A value specified as carrying a type qualifier annotation is +compared with a value that doesn't ever carry that qualifier. +

+ +

+More precisely, a value annotated with a type qualifier specifying when=ALWAYS +is compared with a value that where the same type qualifier specifies when=NEVER. +

+ +

+For example, say that @NonNegative is a nickname for +the type qualifier annotation @Negative(when=When.NEVER). +The following code will generate this warning because +the return statement requires a @NonNegative value, +but receives one that is marked as @Negative. +

+
+public boolean example(@Negative Integer value1, @NonNegative Integer value2) {
+  return value1.equals(value2);
+}
+