diff options
| author | simonbrandhof <simon.brandhof@gmail.com> | 2010-09-06 14:08:06 +0000 |
|---|---|---|
| committer | simonbrandhof <simon.brandhof@gmail.com> | 2010-09-06 14:08:06 +0000 |
| commit | aeadc1f9129274949daaa57738c7c4550bdfbc7b (patch) | |
| tree | 08dadf5ef7474fc41d1d48f74648f1ba8b55f34d /plugins/sonar-findbugs-plugin/src | |
| download | sonarqube-aeadc1f9129274949daaa57738c7c4550bdfbc7b.tar.gz sonarqube-aeadc1f9129274949daaa57738c7c4550bdfbc7b.zip | |
SONAR-236 remove deprecated code from checkstyle plugin + display default value of rule parameters in Q profile console
Diffstat (limited to 'plugins/sonar-findbugs-plugin/src')
37 files changed, 7106 insertions, 0 deletions
diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/Category.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/Category.java new file mode 100644 index 00000000000..f9d5c641ff0 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/Category.java @@ -0,0 +1,44 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import java.util.HashMap; +import java.util.Map; + +public final class Category { + private final static Map<String, String> findbugsToSonar = new HashMap<String, String>(); + + static { + findbugsToSonar.put("BAD_PRACTICE", "Bad practice"); + findbugsToSonar.put("CORRECTNESS", "Correctness"); + findbugsToSonar.put("MT_CORRECTNESS", "Multithreaded correctness"); + findbugsToSonar.put("I18N", "Internationalization"); + findbugsToSonar.put("EXPERIMENTAL", "Experimental"); + findbugsToSonar.put("MALICIOUS_CODE", "Malicious code"); + findbugsToSonar.put("PERFORMANCE", "Performance"); + findbugsToSonar.put("SECURITY", "Security"); + findbugsToSonar.put("STYLE", "Style"); + } + + + public static String findbugsToSonar(String findbugsCategKey) { + return findbugsToSonar.get(findbugsCategKey); + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsAntConverter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsAntConverter.java new file mode 100644 index 00000000000..161938c42a8 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsAntConverter.java @@ -0,0 +1,72 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import org.apache.commons.lang.StringUtils; +import org.sonar.api.resources.Java; + +public final class FindbugsAntConverter { + + private FindbugsAntConverter() { + } + + /** + * Convert the exclusion ant pattern to a java regexp accepted by findbugs + * exclusion file + * + * @param exclusion ant pattern to convert + * @return Exclusion pattern for findbugs + */ + public static String antToJavaRegexpConvertor(String exclusion) { + StringBuilder builder = new StringBuilder("~"); + int offset = 0; + // First **/ or */ is optional + if (exclusion.startsWith("**/")) { + builder.append("(.*\\.)?"); + offset += 3; + } else if (exclusion.startsWith("*/")) { + builder.append("([^\\\\^\\s]*\\.)?"); + offset += 2; + } + for (String suffix : Java.SUFFIXES) { + exclusion = StringUtils.removeEndIgnoreCase(exclusion, "." + suffix); + } + + char[] array = exclusion.toCharArray(); + for (int i = offset; i < array.length; i++) { + char c = array[i]; + if (c == '?') { + builder.append('.'); + } else if (c == '*') { + if (i + 1 < array.length && array[i + 1] == '*') { + builder.append(".*"); + i++; + } else { + builder.append("[^\\\\^\\s]*"); + } + } else if (c == '/') { + builder.append("\\."); + } else { + builder.append(c); + } + } + return builder.toString(); + } +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandler.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandler.java new file mode 100644 index 00000000000..0e6e9164762 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandler.java @@ -0,0 +1,150 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import java.io.File; +import java.io.IOException; + +import org.apache.commons.lang.StringUtils; +import org.sonar.api.CoreProperties; +import org.sonar.api.batch.maven.MavenPlugin; +import org.sonar.api.batch.maven.MavenPluginHandler; +import org.sonar.api.batch.maven.MavenUtils; +import org.sonar.api.profiles.RulesProfile; +import org.sonar.api.resources.Project; +import org.sonar.api.utils.SonarException; +import org.sonar.plugins.findbugs.xml.ClassFilter; +import org.sonar.plugins.findbugs.xml.FindBugsFilter; +import org.sonar.plugins.findbugs.xml.Match; + +public class FindbugsMavenPluginHandler implements MavenPluginHandler { + + private RulesProfile profile; + private FindbugsRulesRepository findbugsRulesRepository; + + public FindbugsMavenPluginHandler(RulesProfile profile, FindbugsRulesRepository findbugsRulesRepository) { + this.profile = profile; + this.findbugsRulesRepository = findbugsRulesRepository; + } + + public String getGroupId() { + return MavenUtils.GROUP_ID_CODEHAUS_MOJO; + } + + public String getArtifactId() { + return "findbugs-maven-plugin"; + } + + public String getVersion() { + // IMPORTANT : the version of the Findbugs lib must be also updated in the pom.xml (property findbugs.version). + return "2.3.1"; + } + + public boolean isFixedVersion() { + return true; + } + + public String[] getGoals() { + return new String[] { "findbugs" }; + } + + public void configure(Project project, MavenPlugin plugin) { + configureClassesDir(project, plugin); + configureBasicParameters(project, plugin); + configureFilters(project, plugin); + } + + private void configureBasicParameters(Project project, MavenPlugin plugin) { + plugin.setParameter("xmlOutput", "true"); + plugin.setParameter("threshold", "Low"); + plugin.setParameter("skip", "false"); + plugin.setParameter("effort", getEffort(project), false); + plugin.setParameter("maxHeap", "" + getMaxHeap(project), false); + String timeout = getTimeout(project); + if (StringUtils.isNotBlank(timeout)) { + plugin.setParameter("timeout", timeout, false); + } + } + + protected void configureFilters(Project project, MavenPlugin plugin) { + try { + String existingIncludeFilterConfig = plugin.getParameter("includeFilterFile"); + String existingExcludeFilterConfig = plugin.getParameter("excludeFilterFile"); + boolean existingConfig = !StringUtils.isBlank(existingIncludeFilterConfig) || !StringUtils.isBlank(existingExcludeFilterConfig); + if ( !project.getReuseExistingRulesConfig() || (project.getReuseExistingRulesConfig() && !existingConfig)) { + File includeXmlFile = saveIncludeConfigXml(project); + plugin.setParameter("includeFilterFile", getPath(includeXmlFile)); + + File excludeXmlFile = saveExcludeConfigXml(project); + plugin.setParameter("excludeFilterFile", getPath(excludeXmlFile)); + } + + } catch (IOException e) { + throw new SonarException("Failed to save the findbugs XML configuration.", e); + } + } + + private String getPath(File file) throws IOException { + // the findbugs maven plugin fails on windows if the path contains backslashes + String path = file.getCanonicalPath(); + return path.replace('\\', '/'); + } + + private void configureClassesDir(Project project, MavenPlugin plugin) { + File classesDir = project.getFileSystem().getBuildOutputDir(); + if (classesDir == null || !classesDir.exists()) { + throw new SonarException("Findbugs needs sources to be compiled. " + + "Please build project or edit pom.xml to set the <outputDirectory> property before executing sonar."); + } + try { + plugin.setParameter("classFilesDirectory", classesDir.getCanonicalPath()); + } catch (Exception e) { + throw new SonarException("Invalid classes directory", e); + } + } + + private File saveIncludeConfigXml(Project project) throws IOException { + String configuration = findbugsRulesRepository.exportConfiguration(profile); + return project.getFileSystem().writeToWorkingDirectory(configuration, "findbugs-include.xml"); + } + + private File saveExcludeConfigXml(Project project) throws IOException { + FindBugsFilter findBugsFilter = new FindBugsFilter(); + if (project.getExclusionPatterns() != null) { + for (String exclusion : project.getExclusionPatterns()) { + ClassFilter classFilter = new ClassFilter(FindbugsAntConverter.antToJavaRegexpConvertor(exclusion)); + findBugsFilter.addMatch(new Match(classFilter)); + } + } + return project.getFileSystem().writeToWorkingDirectory(findBugsFilter.toXml(), "findbugs-exclude.xml"); + } + + private String getEffort(Project project) { + return project.getConfiguration().getString(CoreProperties.FINDBUGS_EFFORT_PROPERTY, CoreProperties.FINDBUGS_EFFORT_DEFAULT_VALUE); + } + + private int getMaxHeap(Project project) { + return project.getConfiguration().getInt(CoreProperties.FINDBUGS_MAXHEAP_PROPERTY, CoreProperties.FINDBUGS_MAXHEAP_DEFAULT_VALUE); + } + + private String getTimeout(Project project) { + return project.getConfiguration().getString(CoreProperties.FINDBUGS_TIMEOUT_PROPERTY); + } +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsPlugin.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsPlugin.java new file mode 100644 index 00000000000..86cf5ea1441 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsPlugin.java @@ -0,0 +1,73 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import org.sonar.api.*; + +import java.util.ArrayList; +import java.util.List; + +@Properties({ + @Property( + key = CoreProperties.FINDBUGS_EFFORT_PROPERTY, + defaultValue = CoreProperties.FINDBUGS_EFFORT_DEFAULT_VALUE, + name = "Effort", + description = "Effort of the bug finders. Valid values are Min, Default and Max. Setting 'Max' increases precision but also increases memory consumption.", + project = true, + module = true, + global = true), + @Property( + key = CoreProperties.FINDBUGS_MAXHEAP_PROPERTY, + defaultValue = CoreProperties.FINDBUGS_MAXHEAP_DEFAULT_VALUE+"", + name = "Max Heap", + description = "Maximum Java heap size in megabytes (default=512).", + project = true, + module = true, + global = true), + @Property( + key = CoreProperties.FINDBUGS_TIMEOUT_PROPERTY, + name = "Timeout", + description = "Specifies the amount of time, in milliseconds, that FindBugs may run before it is assumed to be hung and is terminated. The default is 600,000 milliseconds, which is ten minutes.", + project = true, + module = true, + global = true) +}) +public class FindbugsPlugin implements Plugin { + + public String getKey() { + return CoreProperties.FINDBUGS_PLUGIN; + } + + public String getName() { + return "Findbugs"; + } + + public String getDescription() { + return "FindBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods... You can find more by going to the <a href='http://findbugs.sourceforge.net'>Findbugs web site</a>."; + } + + public List<Class<? extends Extension>> getExtensions() { + List<Class<? extends Extension>> list = new ArrayList<Class<? extends Extension>>(); + list.add(FindbugsSensor.class); + list.add(FindbugsMavenPluginHandler.class); + list.add(FindbugsRulesRepository.class); + return list; + } +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulePriorityMapper.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulePriorityMapper.java new file mode 100644 index 00000000000..47a8fb54120 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulePriorityMapper.java @@ -0,0 +1,53 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import org.sonar.api.rules.RulePriority; +import org.sonar.api.rules.RulePriorityMapper; + +public class FindbugsRulePriorityMapper implements RulePriorityMapper<String, String> { + + public RulePriority from(String priority) { + if (priority.equals("1")) { + return RulePriority.BLOCKER; + } + if (priority.equals("2")) { + return RulePriority.MAJOR; + } + if (priority.equals("3")) { + return RulePriority.INFO; + } + throw new IllegalArgumentException("Priority not supported: " + priority); + } + + public String to(RulePriority priority) { + if (priority.equals(RulePriority.BLOCKER) || priority.equals(RulePriority.CRITICAL)) { + return "1"; + } + if (priority.equals(RulePriority.MAJOR)) { + return "2"; + } + if (priority.equals(RulePriority.INFO) || priority.equals(RulePriority.MINOR)) { + return "3"; + } + throw new IllegalArgumentException("Priority not supported: " + priority); + } + +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulesRepository.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulesRepository.java new file mode 100644 index 00000000000..4113c709536 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsRulesRepository.java @@ -0,0 +1,111 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs;
+
+import org.apache.commons.lang.StringUtils;
+import org.sonar.api.CoreProperties;
+import org.sonar.api.profiles.RulesProfile;
+import org.sonar.api.resources.Java;
+import org.sonar.api.rules.*;
+import org.sonar.plugins.findbugs.xml.FindBugsFilter;
+
+import java.util.*;
+
+public class FindbugsRulesRepository extends AbstractRulesRepository<Java, FindbugsRulePriorityMapper> implements ConfigurationImportable, ConfigurationExportable {
+
+ public FindbugsRulesRepository(Java language) {
+ super(language, new FindbugsRulePriorityMapper());
+ }
+
+ @Override
+ public String getRepositoryResourcesBase() {
+ return "org/sonar/plugins/findbugs";
+ }
+
+ @Override
+ public List<Rule> parseReferential(String fileContent) {
+ return new StandardRulesXmlParser().parse(fileContent);
+ }
+
+ public List<RulesProfile> getProvidedProfiles() {
+ RulesProfile profile = new RulesProfile(RulesProfile.SONAR_WAY_FINDBUGS_NAME, Java.KEY);
+ List<Rule> rules = getInitialReferential();
+ ArrayList<ActiveRule> activeRules = new ArrayList<ActiveRule>();
+ for (Rule rule : rules) {
+ activeRules.add(new ActiveRule(profile, rule, null));
+ }
+ profile.setActiveRules(activeRules);
+ return Arrays.asList(profile);
+ }
+
+ public String exportConfiguration(RulesProfile activeProfile) {
+ FindBugsFilter filter = FindBugsFilter.fromActiveRules(activeProfile.getActiveRulesByPlugin(CoreProperties.FINDBUGS_PLUGIN));
+ return addHeaderToXml(filter.toXml());
+ }
+
+ private static String addHeaderToXml(String xmlModules) {
+ return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!-- Generated by Sonar -->\n".concat(xmlModules);
+ }
+
+ public List<ActiveRule> importConfiguration(String xml, List<Rule> rules) {
+ FindBugsFilter filter = FindBugsFilter.fromXml(xml);
+
+ Set<ActiveRule> result = new HashSet<ActiveRule>();
+
+ for (Map.Entry<String, RulePriority> categoryLevel : filter.getCategoryLevels(getRulePriorityMapper()).entrySet()) {
+ completeActiveRulesByCategory(result, rules, categoryLevel.getKey(), categoryLevel.getValue());
+ }
+
+ for (Map.Entry<String, RulePriority> codeLevel : filter.getCodeLevels(getRulePriorityMapper()).entrySet()) {
+ completeActiveRulesByCode(result, rules, codeLevel.getKey(), codeLevel.getValue());
+ }
+
+ for (Map.Entry<String, RulePriority> patternLevel : filter.getPatternLevels(getRulePriorityMapper()).entrySet()) {
+ completeActiveRulesByPattern(result, rules, patternLevel.getKey(), patternLevel.getValue());
+ }
+
+ return new ArrayList<ActiveRule>(result);
+ }
+
+ private void completeActiveRulesByCategory(Set<ActiveRule> result, List<Rule> rules, String findbugsCategory, RulePriority priority) {
+ for (Rule rule : rules) {
+ String sonarCateg = Category.findbugsToSonar(findbugsCategory);
+ if (sonarCateg != null && rule.getName().startsWith(sonarCateg)) {
+ result.add(new ActiveRule(null, rule, priority));
+ }
+ }
+ }
+
+ private void completeActiveRulesByCode(Set<ActiveRule> result, List<Rule> rules, String findbugsCode, RulePriority priority) {
+ for (Rule rule : rules) {
+ if (rule.getKey().equals(findbugsCode) || StringUtils.startsWith(rule.getKey(), findbugsCode + "_")) {
+ result.add(new ActiveRule(null, rule, priority));
+ }
+ }
+ }
+
+ private void completeActiveRulesByPattern(Set<ActiveRule> result, List<Rule> rules, String findbugsPattern, RulePriority priority) {
+ for (Rule rule : rules) {
+ if (rule.getKey().equals(findbugsPattern)) {
+ result.add(new ActiveRule(null, rule, priority));
+ }
+ }
+ }
+}
diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsSensor.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsSensor.java new file mode 100644 index 00000000000..cf31f5a3e55 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsSensor.java @@ -0,0 +1,95 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import java.io.File; +import java.util.List; + +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.sonar.api.CoreProperties; +import org.sonar.api.batch.GeneratesViolations; +import org.sonar.api.batch.Sensor; +import org.sonar.api.batch.SensorContext; +import org.sonar.api.batch.maven.DependsUponMavenPlugin; +import org.sonar.api.batch.maven.MavenPluginHandler; +import org.sonar.api.profiles.RulesProfile; +import org.sonar.api.resources.JavaFile; +import org.sonar.api.resources.Project; +import org.sonar.api.rules.Rule; +import org.sonar.api.rules.RulesManager; +import org.sonar.api.rules.Violation; + +public class FindbugsSensor implements Sensor, DependsUponMavenPlugin, GeneratesViolations { + + private RulesProfile profile; + private RulesManager rulesManager; + private FindbugsMavenPluginHandler pluginHandler; + private static Logger LOG = LoggerFactory.getLogger(FindbugsSensor.class); + + public FindbugsSensor(RulesProfile profile, RulesManager rulesManager, FindbugsMavenPluginHandler pluginHandler) { + this.profile = profile; + this.rulesManager = rulesManager; + this.pluginHandler = pluginHandler; + } + + public void analyse(Project project, SensorContext context) { + File report = getFindbugsReportFile(project); + LOG.info("Findbugs output report: " + report.getAbsolutePath()); + FindbugsXmlReportParser reportParser = new FindbugsXmlReportParser(report); + List<FindbugsXmlReportParser.Violation> fbViolations = reportParser.getViolations(); + for (FindbugsXmlReportParser.Violation fbViolation : fbViolations) { + Rule rule = rulesManager.getPluginRule(CoreProperties.FINDBUGS_PLUGIN, fbViolation.getType()); + JavaFile resource = new JavaFile(fbViolation.getSonarJavaFileKey()); + if (context.getResource(resource) != null) { + Violation violation = new Violation(rule, resource) + .setLineId(fbViolation.getStart()) + .setMessage(fbViolation.getLongMessage()); + context.saveViolation(violation); + } + } + } + + protected final File getFindbugsReportFile(Project project) { + if (project.getConfiguration().getString(CoreProperties.FINDBUGS_REPORT_PATH) != null) { + return new File(project.getConfiguration().getString(CoreProperties.FINDBUGS_REPORT_PATH)); + } + return new File(project.getFileSystem().getBuildDir(), "findbugsXml.xml"); + } + + public boolean shouldExecuteOnProject(Project project) { + return project.getFileSystem().hasJavaSourceFiles() && + ( !profile.getActiveRulesByPlugin(CoreProperties.FINDBUGS_PLUGIN).isEmpty() || project.getReuseExistingRulesConfig()) && + project.getPom() != null && !StringUtils.equalsIgnoreCase(project.getPom().getPackaging(), "ear"); + } + + public MavenPluginHandler getMavenPluginHandler(Project project) { + if (project.getConfiguration().getString(CoreProperties.FINDBUGS_REPORT_PATH) != null) { + return null; + } + return pluginHandler; + } + + @Override + public String toString() { + return getClass().getSimpleName(); + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsXmlReportParser.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsXmlReportParser.java new file mode 100644 index 00000000000..de979170cd3 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/FindbugsXmlReportParser.java @@ -0,0 +1,139 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+
+import org.codehaus.staxmate.SMInputFactory;
+import org.codehaus.staxmate.in.SMInputCursor;
+import org.sonar.api.utils.SonarException;
+import org.sonar.api.utils.XmlParserException;
+
+class FindbugsXmlReportParser {
+
+ private final File findbugsXmlReport;
+ private final String findbugsXmlReportPath;
+
+ public FindbugsXmlReportParser(File findbugsXmlReport) {
+ this.findbugsXmlReport = findbugsXmlReport;
+ findbugsXmlReportPath = findbugsXmlReport.getAbsolutePath();
+ if ( !findbugsXmlReport.exists()) {
+ throw new SonarException("The findbugs XML report can't be found at '" + findbugsXmlReportPath + "'");
+ }
+ }
+
+ public List<Violation> getViolations() {
+ List<Violation> violations = new ArrayList<Violation>();
+ try {
+ SMInputFactory inf = new SMInputFactory(XMLInputFactory.newInstance());
+ SMInputCursor cursor = inf.rootElementCursor(findbugsXmlReport).advance();
+ SMInputCursor bugInstanceCursor = cursor.childElementCursor("BugInstance").advance();
+ while (bugInstanceCursor.asEvent() != null) {
+ String type = bugInstanceCursor.getAttrValue("type");
+ String longMessage = "";
+ SMInputCursor bugInstanceChildCursor = bugInstanceCursor.childElementCursor().advance();
+ while (bugInstanceChildCursor.asEvent() != null) {
+ String nodeName = bugInstanceChildCursor.getLocalName();
+ if ("LongMessage".equals(nodeName)) {
+ longMessage = bugInstanceChildCursor.collectDescendantText();
+ } else if ("SourceLine".equals(nodeName)) {
+ Violation fbViolation = new Violation();
+ fbViolation.type = type;
+ fbViolation.longMessage = longMessage;
+ fbViolation.parseStart(bugInstanceChildCursor.getAttrValue("start"));
+ fbViolation.parseEnd(bugInstanceChildCursor.getAttrValue("end"));
+ fbViolation.className = bugInstanceChildCursor.getAttrValue("classname");
+ fbViolation.sourcePath = bugInstanceChildCursor.getAttrValue("sourcepath");
+ violations.add(fbViolation);
+ }
+ bugInstanceChildCursor.advance();
+ }
+ bugInstanceCursor.advance();
+ }
+ cursor.getStreamReader().closeCompletely();
+ } catch (XMLStreamException e) {
+ throw new XmlParserException("Unable to parse the Findbugs XML Report '" + findbugsXmlReportPath + "'", e);
+ }
+ return violations;
+ }
+
+ public static class Violation {
+
+ private String type;
+ private String longMessage;
+ private Integer start;
+ private Integer end;
+ protected String className;
+ protected String sourcePath;
+
+ public String getType() {
+ return type;
+ }
+
+ public void parseStart(String attrValue) {
+ try {
+ start = Integer.parseInt(attrValue);
+ } catch (NumberFormatException e) {
+ start = null;
+ }
+ }
+
+ public void parseEnd(String attrValue) {
+ try {
+ end = Integer.parseInt(attrValue);
+ } catch (NumberFormatException e) {
+ end = null;
+ }
+ }
+
+ public String getLongMessage() {
+ return longMessage;
+ }
+
+ public Integer getStart() {
+ return start;
+ }
+
+ public Integer getEnd() {
+ return end;
+ }
+
+ public String getClassName() {
+ return className;
+ }
+
+ public String getSourcePath() {
+ return sourcePath;
+ }
+
+ public String getSonarJavaFileKey() {
+ if (className.indexOf('$') > -1) {
+ return className.substring(0, className.indexOf('$'));
+ }
+ return className;
+ }
+ }
+
+}
diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Bug.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Bug.java new file mode 100644 index 00000000000..ebc836d8b1f --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Bug.java @@ -0,0 +1,67 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Bug") +public class Bug { + + @XStreamAsAttribute + private String code; + + @XStreamAsAttribute + private String category; + + @XStreamAsAttribute + private String pattern; + + public Bug() { + } + + public Bug(String pattern) { + this.pattern = pattern; + } + + public String getPattern() { + return pattern; + } + + public void setPattern(String pattern) { + this.pattern = pattern; + } + + public String getCode() { + return code; + } + + public void setCode(String code) { + this.code = code; + } + + public String getCategory() { + return category; + } + + public void setCategory(String category) { + this.category = category; + } +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/ClassFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/ClassFilter.java new file mode 100644 index 00000000000..e8b307692c2 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/ClassFilter.java @@ -0,0 +1,45 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Class") +public class ClassFilter { + + @XStreamAsAttribute + private String name; + + public ClassFilter() { + } + + public ClassFilter(String name) { + this.name = name; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FieldFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FieldFilter.java new file mode 100644 index 00000000000..384c90c9a39 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FieldFilter.java @@ -0,0 +1,57 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Field") +public class FieldFilter { + + @XStreamAsAttribute + private String name; + + @XStreamAsAttribute + private String type; + + + public FieldFilter() { + } + + public FieldFilter(String name) { + this.name = name; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public String getType() { + return type; + } + + public void setType(String type) { + this.type = type; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FindBugsFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FindBugsFilter.java new file mode 100644 index 00000000000..bd2f6284aed --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/FindBugsFilter.java @@ -0,0 +1,206 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamImplicit; +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.CharEncoding; +import org.apache.commons.lang.StringUtils; +import org.sonar.api.CoreProperties; +import org.sonar.api.rules.ActiveRule; +import org.sonar.api.rules.RulePriority; +import org.sonar.api.rules.RulePriorityMapper; + +import java.io.IOException; +import java.io.InputStream; +import java.util.*; + +@XStreamAlias("FindBugsFilter") +public class FindBugsFilter { + + private static final String PATTERN_SEPARATOR = ","; + private static final String CODE_SEPARATOR = ","; + private static final String CATEGORY_SEPARATOR = ","; + + @XStreamImplicit + private List<Match> matchs; + + public FindBugsFilter() { + matchs = new ArrayList<Match>(); + } + + public String toXml() { + XStream xstream = createXStream(); + return xstream.toXML(this); + } + + public List<Match> getMatchs() { + return matchs; + } + + public List<Match> getChildren() { + return matchs; + } + + public void setMatchs(List<Match> matchs) { + this.matchs = matchs; + } + + public void addMatch(Match child) { + matchs.add(child); + } + + public Map<String, RulePriority> getPatternLevels(RulePriorityMapper priorityMapper) { + BugInfoSplitter splitter = new BugInfoSplitter() { + public String getSeparator() { + return PATTERN_SEPARATOR; + } + + public String getVar(Bug bug) { + return bug.getPattern(); + } + }; + return processMatches(priorityMapper, splitter); + } + + public Map<String, RulePriority> getCodeLevels(RulePriorityMapper priorityMapper) { + BugInfoSplitter splitter = new BugInfoSplitter() { + public String getSeparator() { + return CODE_SEPARATOR; + } + + public String getVar(Bug bug) { + return bug.getCode(); + } + }; + return processMatches(priorityMapper, splitter); + } + + public Map<String, RulePriority> getCategoryLevels(RulePriorityMapper priorityMapper) { + BugInfoSplitter splitter = new BugInfoSplitter() { + public String getSeparator() { + return CATEGORY_SEPARATOR; + } + + public String getVar(Bug bug) { + return bug.getCategory(); + } + }; + return processMatches(priorityMapper, splitter); + } + + private RulePriority getRulePriority(Priority priority, RulePriorityMapper priorityMapper) { + return priority != null ? priorityMapper.from(priority.getValue()) : null; + } + + private Map<String, RulePriority> processMatches(RulePriorityMapper priorityMapper, BugInfoSplitter splitter) { + Map<String, RulePriority> result = new HashMap<String, RulePriority>(); + for (Match child : getChildren()) { + if (child.getOrs() != null) { + for (OrFilter orFilter : child.getOrs()) { + completeLevels(result, orFilter.getBugs(), child.getPriority(), priorityMapper, splitter); + } + } + if (child.getBug() != null) { + completeLevels(result, Arrays.asList(child.getBug()), child.getPriority(), priorityMapper, splitter); + } + } + return result; + } + + private void completeLevels(Map<String, RulePriority> result, List<Bug> bugs, Priority priority, RulePriorityMapper priorityMapper, BugInfoSplitter splitter) { + if (bugs == null) { + return; + } + RulePriority rulePriority = getRulePriority(priority, priorityMapper); + for (Bug bug : bugs) { + String varToSplit = splitter.getVar(bug); + if (!StringUtils.isBlank(varToSplit)) { + String[] splitted = StringUtils.split(varToSplit, splitter.getSeparator()); + for (String code : splitted) { + mapRulePriority(result, rulePriority, code); + } + } + } + } + + private interface BugInfoSplitter { + String getVar(Bug bug); + + String getSeparator(); + } + + private void mapRulePriority(Map<String, RulePriority> prioritiesByRule, RulePriority priority, String key) { + if (prioritiesByRule.containsKey(key)) { + if (prioritiesByRule.get(key).compareTo(priority) < 0) { + prioritiesByRule.put(key, priority); + } + } else { + prioritiesByRule.put(key, priority); + } + } + + public static XStream createXStream() { + XStream xstream = new XStream(); + xstream.setClassLoader(FindBugsFilter.class.getClassLoader()); + xstream.processAnnotations(FindBugsFilter.class); + xstream.processAnnotations(Match.class); + xstream.processAnnotations(Bug.class); + xstream.processAnnotations(Priority.class); + xstream.processAnnotations(ClassFilter.class); + xstream.processAnnotations(PackageFilter.class); + xstream.processAnnotations(MethodFilter.class); + xstream.processAnnotations(FieldFilter.class); + xstream.processAnnotations(LocalFilter.class); + xstream.processAnnotations(OrFilter.class); + return xstream; + } + + public static FindBugsFilter fromXml(String xml) { + try { + XStream xStream = createXStream(); + InputStream inputStream = IOUtils.toInputStream(xml, CharEncoding.UTF_8); + return (FindBugsFilter) xStream.fromXML(inputStream); + + } catch (IOException e) { + throw new RuntimeException("can't read configuration file", e); + } + } + + public static FindBugsFilter fromActiveRules(List<ActiveRule> activeRules) { + FindBugsFilter root = new FindBugsFilter(); + for (ActiveRule activeRule : activeRules) { + if (CoreProperties.FINDBUGS_PLUGIN.equals(activeRule.getPluginName())) { + Match child = createChild(activeRule); + root.addMatch(child); + } + } + return root; + } + + private static Match createChild(ActiveRule activeRule) { + Match child = new Match(); + child.setBug(new Bug(activeRule.getConfigKey())); + return child; + } + +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/LocalFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/LocalFilter.java new file mode 100644 index 00000000000..af26485cbd7 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/LocalFilter.java @@ -0,0 +1,45 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Local") +public class LocalFilter { + + @XStreamAsAttribute + private String name; + + public LocalFilter() { + } + + public LocalFilter(String name) { + this.name = name; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Match.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Match.java new file mode 100644 index 00000000000..e8fb48778ee --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Match.java @@ -0,0 +1,137 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import java.util.List; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamImplicit; + +@XStreamAlias("Match") +public class Match { + + @XStreamAlias("Bug") + private Bug bug; + + @XStreamAlias("Priority") + private Priority priority; + + @XStreamAlias("Package") + private PackageFilter particularPackage; + + @XStreamAlias("Class") + private ClassFilter particularClass; + + @XStreamAlias("Method") + private MethodFilter particularMethod; + + @XStreamAlias("Field") + private FieldFilter particularField; + + @XStreamAlias("Local") + private LocalFilter particularLocal; + + @XStreamImplicit(itemFieldName = "Or") + private List<OrFilter> ors; + + public Match() { + } + + public Match(Bug bug, Priority priority) { + this.bug = bug; + this.priority = priority; + } + + public Match(Bug bug) { + this.bug = bug; + } + + public Match(ClassFilter particularClass) { + this.particularClass = particularClass; + } + + public Bug getBug() { + return bug; + } + + public void setBug(Bug bug) { + this.bug = bug; + } + + public Priority getPriority() { + return priority; + } + + public void setPriority(Priority priority) { + this.priority = priority; + } + + public PackageFilter getParticularPackage() { + return particularPackage; + } + + public void setParticularPackage(PackageFilter particularPackage) { + this.particularPackage = particularPackage; + } + + public ClassFilter getParticularClass() { + return particularClass; + } + + public void setParticularClass(ClassFilter particularClass) { + this.particularClass = particularClass; + } + + public MethodFilter getParticularMethod() { + return particularMethod; + } + + public void setParticularMethod(MethodFilter particularMethod) { + this.particularMethod = particularMethod; + } + + public FieldFilter getParticularField() { + return particularField; + } + + public void setParticularField(FieldFilter particularField) { + this.particularField = particularField; + } + + public LocalFilter getParticularLocal() { + return particularLocal; + } + + public void setParticularLocal(LocalFilter particularLocal) { + this.particularLocal = particularLocal; + } + + public List<OrFilter> getOrs() { + return ors; + } + + public void setOrs(List<OrFilter> ors) { + this.ors = ors; + } + + public void addDisjunctCombine(OrFilter child) { + ors.add(child); + } +} diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/MethodFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/MethodFilter.java new file mode 100644 index 00000000000..78d353b6653 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/MethodFilter.java @@ -0,0 +1,68 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Method") +public class MethodFilter { + + @XStreamAsAttribute + private String name; + + @XStreamAsAttribute + private String params; + + @XStreamAsAttribute + private String returns; + + + public MethodFilter() { + } + + public MethodFilter(String name) { + this.name = name; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public String getParams() { + return params; + } + + public void setParams(String params) { + this.params = params; + } + + public String getReturns() { + return returns; + } + + public void setReturns(String returns) { + this.returns = returns; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/OrFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/OrFilter.java new file mode 100644 index 00000000000..1fcdc24cbdf --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/OrFilter.java @@ -0,0 +1,107 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamImplicit; + +import java.util.ArrayList; +import java.util.List; + + +@XStreamAlias("Or") +public class OrFilter { + + @XStreamImplicit(itemFieldName = "Bug") + private List<Bug> bugs; + + @XStreamImplicit(itemFieldName = "Package") + private List<PackageFilter> packages; + + @XStreamImplicit(itemFieldName = "Class") + private List<ClassFilter> classes; + + @XStreamImplicit(itemFieldName = "Method") + private List<MethodFilter> methods; + + @XStreamImplicit(itemFieldName = "Field") + private List<FieldFilter> fields; + + @XStreamImplicit(itemFieldName = "Local") + private List<LocalFilter> locals; + + + public OrFilter() { + bugs = new ArrayList<Bug>(); + packages = new ArrayList<PackageFilter>(); + classes = new ArrayList<ClassFilter>(); + methods = new ArrayList<MethodFilter>(); + fields = new ArrayList<FieldFilter>(); + locals = new ArrayList<LocalFilter>(); + } + + public List<Bug> getBugs() { + return bugs; + } + + public void setBugs(List<Bug> bugs) { + this.bugs = bugs; + } + + public List<PackageFilter> getPackages() { + return packages; + } + + public void setPackages(List<PackageFilter> packages) { + this.packages = packages; + } + + public List<ClassFilter> getClasses() { + return classes; + } + + public void setClasses(List<ClassFilter> classes) { + this.classes = classes; + } + + public List<MethodFilter> getMethods() { + return methods; + } + + public void setMethods(List<MethodFilter> methods) { + this.methods = methods; + } + + public List<FieldFilter> getFields() { + return fields; + } + + public void setFields(List<FieldFilter> fields) { + this.fields = fields; + } + + public List<LocalFilter> getLocals() { + return locals; + } + + public void setLocals(List<LocalFilter> locals) { + this.locals = locals; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/PackageFilter.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/PackageFilter.java new file mode 100644 index 00000000000..858528fadd7 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/PackageFilter.java @@ -0,0 +1,45 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Package") +public class PackageFilter { + + @XStreamAsAttribute + private String name; + + public PackageFilter() { + } + + public PackageFilter(String name) { + this.name = name; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Priority.java b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Priority.java new file mode 100644 index 00000000000..6541bf3207c --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/java/org/sonar/plugins/findbugs/xml/Priority.java @@ -0,0 +1,46 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.xml; + +import com.thoughtworks.xstream.annotations.XStreamAlias; +import com.thoughtworks.xstream.annotations.XStreamAsAttribute; + +@XStreamAlias("Priority") +public class Priority { + + @XStreamAsAttribute + private String value; + + public Priority() { + } + + public Priority(String value) { + this.value = value; + } + + public String getValue() { + return value; + } + + public void setValue(String value) { + this.value = value; + } + +}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml new file mode 100644 index 00000000000..ba318a14b34 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/main/resources/org/sonar/plugins/findbugs/rules.xml @@ -0,0 +1,4316 @@ +<rules> + <!-- Findbugs 1.3.9 --> + <rule key="BC_IMPOSSIBLE_DOWNCAST" priority="BLOCKER"> + <name><![CDATA[Correctness - Impossible downcast]]></name> + <configKey><![CDATA[BC_IMPOSSIBLE_DOWNCAST]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This cast will always throw a ClassCastException. The analysis believes it knows the precise type of the value being cast, and the attempt to downcast it to a subtype will always fail by throwing a ClassCastException.]]></description> + </rule> + <rule key="BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY" priority="BLOCKER"> + <name><![CDATA[Correctness - Impossible downcast of toArray() result]]></name> + <configKey><![CDATA[BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code is casting the result of calling toArray() on a collection to a type more specific than Object[], as in:</p> +<pre> + String[] getAsArray(Collection<String> c) { + return (String[]) c.toArray(); + } +</pre> +<p>This will usually fail by throwing a ClassCastException. The <code>toArray()</code> of almost all collections return an <code>Object[]</code>. They can't really do anything else, since the Collection object has no reference to the declared generic type of the collection.</p> +<p>The correct way to do get an array of a specific type from a collection is to use <code>c.toArray(new String[]);</code> or <code>c.toArray(new String[c.size()]);</code> (the latter is slightly more efficient).</p> +<p>There is one common/known exception exception to this. The toArray() method of lists returned by Arrays.asList(...) will return a covariantly typed array. For example, <code>Arrays.asArray(new String[] { "a" }).toArray()</code> will return a String []. FindBugs attempts to detect and suppress such cases, but may miss some.</p>]]></description> + </rule> + <rule key="EC_INCOMPATIBLE_ARRAY_COMPARE" priority="BLOCKER"> + <name><![CDATA[Correctness - equals(...) used to compare incompatible arrays]]></name> + <configKey><![CDATA[EC_INCOMPATIBLE_ARRAY_COMPARE]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This method invokes the .equals(Object o) to compare two arrays, but the arrays of of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[]). They will never be equal. In addition, when equals(...) is used to compare arrays it only checks to see if they are the same array, and ignores the contents of the arrays.]]></description> + </rule> + <rule key="EC_INCOMPATIBLE_ARRAY_COMPARE" priority="BLOCKER"> + <name><![CDATA[Correctness - equals(...) used to compare incompatible arrays]]></name> + <configKey><![CDATA[EC_INCOMPATIBLE_ARRAY_COMPARE]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This method invokes the .equals(Object o) to compare two arrays, but the arrays of of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[]). They will never be equal. In addition, when equals(...) is used to compare arrays it only checks to see if they are the same array, and ignores the contents of the arrays.]]></description> + </rule> + <rule key="LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE" priority="MAJOR"> + <name><![CDATA[Correctness - Potential lost logger changes due to weak reference in OpenJDK ]]></name> + <configKey><![CDATA[LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>OpenJDK introduces a potential incompatibility. In particular, the java.util.logging.Logger behavior has changed. Instead of using strong references, it now uses weak references internally. That's a reasonable change, but unfortunately some code relies on the old behavior - when changing logger configuration, it simply drops the logger reference. That means that the garbage collector is free to reclaim that memory, which means that the logger configuration is lost. For example, consider:</p> +</pre> + public static void initLogging() throws Exception { + Logger logger = Logger.getLogger("edu.umd.cs"); + logger.addHandler(new FileHandler()); // call to change logger configuration + logger.setUseParentHandlers(false); // another call to change logger configuration + } +</pre> +<p>The logger reference is lost at the end of the method (it doesn't escape the method), so if you have a garbage collection cycle just after the call to initLogging, the logger configuration is lost (because Logger only keeps weak references).</p> +<pre> + public static void main(String[] args) throws Exception { + initLogging(); // adds a file handler to the logger + System.gc(); // logger configuration lost + Logger.getLogger("edu.umd.cs").info("Some message"); // this isn't logged to the file as expected + } +</pre> +]]></description> + </rule> + + <rule key="NP_CLOSING_NULL" priority="BLOCKER"> + <name><![CDATA[Correctness - close() invoked on a value that is always null]]></name> + <configKey><![CDATA[NP_CLOSING_NULL]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[close() is being invoked on a value that is always null. If this statement is executed, a null pointer exception will occur. But the big risk here you never close something that should be closed.]]></description> + </rule> + + <rule key="RC_REF_COMPARISON_BAD_PRACTICE" priority="MAJOR"> + <name><![CDATA[Correctness - Suspicious reference comparison to constant]]></name> + <configKey><![CDATA[RC_REF_COMPARISON_BAD_PRACTICE]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This method compares a reference value to a constant using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc.]]></description> + </rule> + + <rule key="RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN" priority="MAJOR"> + <name><![CDATA[Correctness - Suspicious reference comparison of Boolean values]]></name> + <configKey><![CDATA[RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This method compares two Boolean values using the == or != operator. Normally, there are only two Boolean values (Boolean.TRUE and Boolean.FALSE), but it is possible to create other Boolean objects using the new Boolean(b) constructor. It is best to avoid such objects, but if they do exist, then checking Boolean objects for equality using == or != will give results than are different than you would get using .equals(...)]]></description> + </rule> + + <rule key="RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED" priority="MAJOR"> + <name><![CDATA[Correctness - Return value of putIfAbsent ignored, value passed to putIfAbsent reused ]]></name> + <configKey><![CDATA[RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[The putIfAbsent method is typically used to ensure that a single value is associated with a given key (the first value for which put if absent succeeds). If you ignore the return value and retain a reference to the value passed in, you run the risk of retaining a value that is not the one that is associated with the key in the map. If it matters which one you use and you use the one that isn't stored in the map, your program will behave incorrectly.]]></description> + </rule> + + <rule key="SIC_THREADLOCAL_DEADLY_EMBRACE" priority="MAJOR"> + <name><![CDATA[Correctness - Deadly embrace of non-static inner class and thread local]]></name> + <configKey><![CDATA[SIC_THREADLOCAL_DEADLY_EMBRACE]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[This class is an inner class, but should probably be a static inner class. As it is, there is a serious danger of a deadly embrace between the inner class and the thread local in the outer class. Because the inner class isn't static, it retains a reference to the outer class. If the thread local contains a reference to an instance of the inner class, the inner and outer instance will both be reachable and not eligible for garbage collection.]]></description> + </rule> + + <rule key="UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR" priority="MAJOR"> + <name><![CDATA[Correctness - Uninitialized read of field method called from constructor of superclass]]></name> + <configKey><![CDATA[UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This method is invoked in the constructor of of the superclass. At this point, the fields of the class have not yet initialized. To make this more concrete, consider the following classes:</p> +<pre> + abstract class A { + int hashCode; + abstract Object getValue(); + A() { + hashCode = getValue().hashCode(); + } + } + class B extends A { + Object value; + B(Object v) { + this.value = v; + } + Object getValue() { + return value; + } + } +</pre> +<p>When a B is constructed, the constructor for the A class is invoked before the constructor for B sets value. Thus, when the constructor for A invokes getValue, an uninitialized value is read for value.</p>]]></description> + </rule> + + <rule key="VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED" priority="MAJOR"> + <name><![CDATA[Correctness - MessageFormat supplied where printf style format expected ]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[A method is called that expects a Java printf format string and a list of arguments. However, the format string doesn't contain any format specifiers (e.g., %s) but does contain message format elements (e.g., {0}). It is likely that the code is supplying a MessageFormat string when a printf-style format string is required. At runtime, all of the arguments will be ignored and the format string will be returned exactly as provided without any formatting.]]></description> + </rule> + + + <!-- Before Findbugs 1.3.9 --> + <rule key="UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR" priority="MINOR"> + <name><![CDATA[Correctness - Field not initialized in constructor]]></name> + <configKey><![CDATA[UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This field is never initialized within any constructor, and is therefore could be null after the object is constructed. This could be a either an error or a questionable design, since it means a null pointer exception will be generated if that field is dereferenced before being initialized.</p>]]></description> + </rule> + <rule key="NP_UNWRITTEN_FIELD" priority="MAJOR"> + <name><![CDATA[Correctness - Read of unwritten field]]></name> + <configKey><![CDATA[NP_UNWRITTEN_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>The program is dereferencing a field that does not seem to ever have a non-null value written to it. Dereferencing this value will generate a null pointer exception.</p>]]></description> + </rule> + <rule key="UWF_UNWRITTEN_FIELD" priority="MINOR"> + <name><![CDATA[Correctness - Unwritten field]]></name> + <configKey><![CDATA[UWF_UNWRITTEN_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This field is never written. All reads of it will return the default value. Check for errors (should it have been initialized?), or remove it if it is useless.</p>]]></description> + </rule> + + + <rule key="SKIPPED_CLASS_TOO_BIG" priority="MINOR"> + <name><![CDATA[Dodgy - Class too big for analysis]]></name> + <configKey><![CDATA[SKIPPED_CLASS_TOO_BIG]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>This class is bigger than can be effectively handled, and was not fully analyzed for errors. +</p>]]></description> + </rule> + <rule key="DMI_VACUOUS_CALL_TO_EASYMOCK_METHOD" priority="MINOR"> + <name><![CDATA[Correctness - Useless/vacuous call to EasyMock method]]></name> + <configKey><![CDATA[DMI_VACUOUS_CALL_TO_EASYMOCK_METHOD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This call doesn't pass any objects to the EasyMock method, so the call doesn't do anything. +</p>]]></description> + </rule> + <rule key="DMI_SCHEDULED_THREAD_POOL_EXECUTOR_WITH_ZERO_CORE_THREADS" priority="MINOR"> + <name><![CDATA[Correctness - Creation of ScheduledThreadPoolExecutor with zero core threads]]></name> + <configKey><![CDATA[DMI_SCHEDULED_THREAD_POOL_EXECUTOR_WITH_ZERO_CORE_THREADS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>(<a href="http://java.sun.com/javase/6/docs/api/java/util/concurrent/ScheduledThreadPoolExecutor.html#ScheduledThreadPoolExecutor(int)">Javadoc</a>) +A ScheduledThreadPoolExecutor with zero core threads will never execute anything; changes to the max pool size are ignored. +</p>]]></description> + </rule> + <rule key="DMI_FUTILE_ATTEMPT_TO_CHANGE_MAXPOOL_SIZE_OF_SCHEDULED_THREAD_POOL_EXECUTOR" priority="MINOR"> + <name><![CDATA[Correctness - Futile attempt to change max pool size of ScheduledThreadPoolExecutor]]></name> + <configKey><![CDATA[DMI_FUTILE_ATTEMPT_TO_CHANGE_MAXPOOL_SIZE_OF_SCHEDULED_THREAD_POOL_EXECUTOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>(<a href="http://java.sun.com/javase/6/docs/api/java/util/concurrent/ScheduledThreadPoolExecutor.html">Javadoc</a>) +While ScheduledThreadPoolExecutor inherits from ThreadPoolExecutor, a few of the inherited tuning methods are not useful for it. In particular, because it acts as a fixed-sized pool using corePoolSize threads and an unbounded queue, adjustments to maximumPoolSize have no useful effect. + </p>]]></description> + </rule> + <rule key="DMI_UNSUPPORTED_METHOD" priority="MAJOR"> + <name><![CDATA[Dodgy - Call to unsupported method]]></name> + <configKey><![CDATA[DMI_UNSUPPORTED_METHOD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>All targets of this method invocation throw an UnsupportedOperationException. +</p>]]></description> + </rule> + <rule key="DMI_EMPTY_DB_PASSWORD" priority="CRITICAL"> + <name><![CDATA[Security - Empty database password]]></name> + <configKey><![CDATA[DMI_EMPTY_DB_PASSWORD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code creates a database connect using a blank or empty password. This indicates that the database is not protected by a password. +</p>]]></description> + </rule> + <rule key="DMI_CONSTANT_DB_PASSWORD" priority="BLOCKER"> + <name><![CDATA[Security - Hardcoded constant database password]]></name> + <configKey><![CDATA[DMI_CONSTANT_DB_PASSWORD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can + easily learn the password. +</p>]]></description> + </rule> + <rule key="HRS_REQUEST_PARAMETER_TO_COOKIE" priority="MAJOR"> + <name><![CDATA[Security - HTTP cookie formed from untrusted input]]></name> + <configKey><![CDATA[HRS_REQUEST_PARAMETER_TO_COOKIE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting +vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a> +for more information.</p> +<p>FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. +If FindBugs found <em>any</em>, you <em>almost certainly</em> have more +vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously +consider using a commercial static analysis or pen-testing tool. +</p>]]></description> + </rule> + <rule key="HRS_REQUEST_PARAMETER_TO_HTTP_HEADER" priority="MAJOR"> + <name><![CDATA[Security - HTTP Response splitting vulnerability]]></name> + <configKey><![CDATA[HRS_REQUEST_PARAMETER_TO_HTTP_HEADER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting +vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a> +for more information.</p> +<p>FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. +If FindBugs found <em>any</em>, you <em>almost certainly</em> have more +vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously +consider using a commercial static analysis or pen-testing tool. +</p>]]></description> + </rule> + <rule key="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER" priority="CRITICAL"> + <name><![CDATA[Security - Servlet reflected cross site scripting vulnerability]]></name> + <configKey><![CDATA[XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting +vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> +for more information.</p> +<p>FindBugs looks only for the most blatant, obvious cases of cross site scripting. +If FindBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting +vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously +consider using a commercial static analysis or pen-testing tool. +</p>]]></description> + </rule> + <rule key="XSS_REQUEST_PARAMETER_TO_SEND_ERROR" priority="CRITICAL"> + <name><![CDATA[Security - Servlet reflected cross site scripting vulnerability]]></name> + <configKey><![CDATA[XSS_REQUEST_PARAMETER_TO_SEND_ERROR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows +for a reflected cross site scripting +vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> +for more information.</p> +<p>FindBugs looks only for the most blatant, obvious cases of cross site scripting. +If FindBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting +vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously +consider using a commercial static analysis or pen-testing tool. +</p>]]></description> + </rule> + <rule key="XSS_REQUEST_PARAMETER_TO_JSP_WRITER" priority="CRITICAL"> + <name><![CDATA[Security - JSP reflected cross site scripting vulnerability]]></name> + <configKey><![CDATA[XSS_REQUEST_PARAMETER_TO_JSP_WRITER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting +vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> +for more information.</p> +<p>FindBugs looks only for the most blatant, obvious cases of cross site scripting. +If FindBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting +vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously +consider using a commercial static analysis or pen-testing tool. +</p>]]></description> + </rule> + <rule key="SW_SWING_METHODS_INVOKED_IN_SWING_THREAD" priority="MAJOR"> + <name><![CDATA[Bad practice - Certain swing methods needs to be invoked in Swing thread]]></name> + <configKey><![CDATA[SW_SWING_METHODS_INVOKED_IN_SWING_THREAD]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>(<a href="http://java.sun.com/developer/JDCTechTips/2003/tt1208.html#1">From JDC Tech Tip</a>): The Swing methods +show(), setVisible(), and pack() will create the associated peer for the frame. +With the creation of the peer, the system creates the event dispatch thread. +This makes things problematic because the event dispatch thread could be notifying +listeners while pack and validate are still processing. This situation could result in +two threads going through the Swing component-based GUI -- it's a serious flaw that +could result in deadlocks or other related threading issues. A pack call causes +components to be realized. As they are being realized (that is, not necessarily +visible), they could trigger listener notification on the event dispatch thread.</p>]]></description> + </rule> + <rule key="IL_INFINITE_LOOP" priority="CRITICAL"> + <name><![CDATA[Correctness - An apparent infinite loop]]></name> + <configKey><![CDATA[IL_INFINITE_LOOP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This loop doesn't seem to have a way to terminate (other than by perhaps +throwing an exception).</p>]]></description> + </rule> + <rule key="IL_INFINITE_RECURSIVE_LOOP" priority="CRITICAL"> + <name><![CDATA[Correctness - An apparent infinite recursive loop]]></name> + <configKey><![CDATA[IL_INFINITE_RECURSIVE_LOOP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This method unconditionally invokes itself. This would seem to indicate +an infinite recursive loop that will result in a stack overflow.</p>]]></description> + </rule> + <rule key="IL_CONTAINER_ADDED_TO_ITSELF" priority="CRITICAL"> + <name><![CDATA[Correctness - A collection is added to itself]]></name> + <configKey><![CDATA[IL_CONTAINER_ADDED_TO_ITSELF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>A collection is added to itself. As a result, computing the hashCode of this +set will throw a StackOverflowException. +</p>]]></description> + </rule> + <rule key="VO_VOLATILE_REFERENCE_TO_ARRAY" priority="MAJOR"> + <name> + <![CDATA[Multithreaded correctness - A volatile reference to an array doesn't treat the array elements as volatile]]></name> + <configKey><![CDATA[VO_VOLATILE_REFERENCE_TO_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This declares a volatile reference to an array, which might not be what +you want. With a volatile reference to an array, reads and writes of +the reference to the array are treated as volatile, but the array elements +are non-volatile. To get volatile array elements, you will need to use +one of the atomic array classes in java.util.concurrent (provided +in Java 5.0).</p>]]></description> + </rule> + <rule key="UI_INHERITANCE_UNSAFE_GETRESOURCE" priority="MAJOR"> + <name><![CDATA[Bad practice - Usage of GetResource may be unsafe if class is extended]]></name> + <configKey><![CDATA[UI_INHERITANCE_UNSAFE_GETRESOURCE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>Calling <code>this.getClass().getResource(...)</code> could give +results other than expected if this class is extended by a class in +another package.</p>]]></description> + </rule> + <rule key="NP_BOOLEAN_RETURN_NULL" priority="MAJOR"> + <name><![CDATA[Bad practice - Method with Boolean return type returns explicit null]]></name> + <configKey><![CDATA[NP_BOOLEAN_RETURN_NULL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> + A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. + This method can be invoked as though it returned a value of type boolean, and + the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, + this will result in a NullPointerException. + </p>]]></description> + </rule> + <rule key="NP_SYNC_AND_NULL_CHECK_FIELD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Synchronize and null check on the same field.]]></name> + <configKey><![CDATA[NP_SYNC_AND_NULL_CHECK_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>Since the field is synchronized on, it seems not likely to be null. +If it is null and then synchronized on a NullPointerException will be +thrown and the check would be pointless. Better to synchronize on +another field.</p>]]></description> + </rule> + <rule key="RpC_REPEATED_CONDITIONAL_TEST" priority="MAJOR"> + <name><![CDATA[Correctness - Repeated conditional tests]]></name> + <configKey><![CDATA[RpC_REPEATED_CONDITIONAL_TEST]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>The code contains a conditional test is performed twice, one right after the other +(e.g., <code>x == 0 || x == 0</code>). Perhaps the second occurrence is intended to be something else +(e.g., <code>x == 0 || y == 0</code>). +</p>]]></description> + </rule> + <rule key="AM_CREATES_EMPTY_ZIP_FILE_ENTRY" priority="MAJOR"> + <name><![CDATA[Bad practice - Creates an empty zip file entry]]></name> + <configKey><![CDATA[AM_CREATES_EMPTY_ZIP_FILE_ENTRY]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>The code calls <code>putNextEntry()</code>, immediately +followed by a call to <code>closeEntry()</code>. This results +in an empty ZipFile entry. The contents of the entry +should be written to the ZipFile between the calls to +<code>putNextEntry()</code> and +<code>closeEntry()</code>.</p>]]></description> + </rule> + <rule key="AM_CREATES_EMPTY_JAR_FILE_ENTRY" priority="MAJOR"> + <name><![CDATA[Bad practice - Creates an empty jar file entry]]></name> + <configKey><![CDATA[AM_CREATES_EMPTY_JAR_FILE_ENTRY]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>The code calls <code>putNextEntry()</code>, immediately +followed by a call to <code>closeEntry()</code>. This results +in an empty JarFile entry. The contents of the entry +should be written to the JarFile between the calls to +<code>putNextEntry()</code> and +<code>closeEntry()</code>.</p>]]></description> + </rule> + <rule key="IMSE_DONT_CATCH_IMSE" priority="MAJOR"> + <name><![CDATA[Bad practice - Dubious catching of IllegalMonitorStateException]]></name> + <configKey><![CDATA[IMSE_DONT_CATCH_IMSE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>IllegalMonitorStateException is generally only + thrown in case of a design flaw in your code (calling wait or + notify on an object you do not hold a lock on).</p>]]></description> + </rule> + <rule key="FL_MATH_USING_FLOAT_PRECISION" priority="CRITICAL"> + <name><![CDATA[Correctness - Method performs math using floating point precision]]></name> + <configKey><![CDATA[FL_MATH_USING_FLOAT_PRECISION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + The method performs math operations using floating point precision. + Floating point precision is very imprecise. For example, + 16777216.0f + 1.0f = 16777216.0f. Consider using double math instead.</p>]]></description> + </rule> + <rule key="CN_IDIOM" priority="MAJOR"> + <name><![CDATA[Bad practice - Class implements Cloneable but does not define or use clone method]]></name> + <configKey><![CDATA[CN_IDIOM]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> + Class implements Cloneable but does not define or + use the clone method.</p>]]></description> + </rule> + <rule key="CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE" priority="MAJOR"> + <name><![CDATA[Bad practice - Class defines clone() but doesn't implement Cloneable]]></name> + <configKey><![CDATA[CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a clone() method but the class doesn't implement Cloneable. +There are some situations in which this is OK (e.g., you want to control how subclasses +can clone themselves), but just make sure that this is what you intended. +</p>]]></description> + </rule> + <rule key="CN_IDIOM_NO_SUPER_CALL" priority="MAJOR"> + <name><![CDATA[Bad practice - clone method does not call super.clone()]]></name> + <configKey><![CDATA[CN_IDIOM_NO_SUPER_CALL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This non-final class defines a clone() method that does not call super.clone(). +If this class ("<i>A</i>") is extended by a subclass ("<i>B</i>"), +and the subclass <i>B</i> calls super.clone(), then it is likely that +<i>B</i>'s clone() method will return an object of type <i>A</i>, +which violates the standard contract for clone().</p> + +<p> If all clone() methods call super.clone(), then they are guaranteed +to use Object.clone(), which always returns an object of the correct type.</p>]]></description> + </rule> + <rule key="NM_FUTURE_KEYWORD_USED_AS_IDENTIFIER" priority="MAJOR"> + <name><![CDATA[Bad practice - Use of identifier that is a keyword in later versions of Java]]></name> + <configKey><![CDATA[NM_FUTURE_KEYWORD_USED_AS_IDENTIFIER]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>The identifier is a word that is reserved as a keyword in later versions of Java, and your code will need to be changed +in order to compile it in later versions of Java.</p>]]></description> + </rule> + <rule key="NM_FUTURE_KEYWORD_USED_AS_MEMBER_IDENTIFIER" priority="MAJOR"> + <name><![CDATA[Bad practice - Use of identifier that is a keyword in later versions of Java]]></name> + <configKey><![CDATA[NM_FUTURE_KEYWORD_USED_AS_MEMBER_IDENTIFIER]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>This identifier is used as a keyword in later versions of Java. This code, and +any code that references this API, +will need to be changed in order to compile it in later versions of Java.</p>]]></description> + </rule> + <rule key="DE_MIGHT_DROP" priority="MAJOR"> + <name><![CDATA[Bad practice - Method might drop exception]]></name> + <configKey><![CDATA[DE_MIGHT_DROP]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method might drop an exception. In general, exceptions + should be handled or reported in some way, or they should be thrown + out of the method.</p>]]></description> + </rule> + <rule key="DE_MIGHT_IGNORE" priority="MAJOR"> + <name><![CDATA[Bad practice - Method might ignore exception]]></name> + <configKey><![CDATA[DE_MIGHT_IGNORE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method might ignore an exception. In general, exceptions + should be handled or reported in some way, or they should be thrown + out of the method.</p>]]></description> + </rule> + <rule key="DP_DO_INSIDE_DO_PRIVILEGED" priority="MAJOR"> + <name><![CDATA[Bad practice - Method invoked that should be only be invoked inside a doPrivileged block]]></name> + <configKey><![CDATA[DP_DO_INSIDE_DO_PRIVILEGED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This code invokes a method that requires a security permission check. + If this code will be granted security permissions, but might be invoked by code that does not + have security permissions, then the invocation needs to occur inside a doPrivileged block.</p>]]></description> + </rule> + <rule key="DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED" priority="MAJOR"> + <name><![CDATA[Bad practice - Classloaders should only be created inside doPrivileged block]]></name> + <configKey><![CDATA[DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This code creates a classloader, which requires a security manager. + If this code will be granted security permissions, but might be invoked by code that does not + have security permissions, then the classloader creation needs to occur inside a doPrivileged block.</p>]]></description> + </rule> + <rule key="JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS" priority="MINOR"> + <name><![CDATA[Bad practice - Fields of immutable classes should be final]]></name> + <configKey><![CDATA[JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The class is annotated with net.jcip.annotations.Immutable, and the rules for that annotation require +that all fields are final. + .</p>]]></description> + </rule> + <rule key="DMI_THREAD_PASSED_WHERE_RUNNABLE_EXPECTED" priority="MAJOR"> + <name><![CDATA[Dodgy - Thread passed where Runnable expected]]></name> + <configKey><![CDATA[DMI_THREAD_PASSED_WHERE_RUNNABLE_EXPECTED]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> A Thread object is passed as a parameter to a method where +a Runnable is expected. This is rather unusual, and may indicate a logic error +or cause unexpected behavior. + </p>]]></description> + </rule> + <rule key="DMI_COLLECTION_OF_URLS" priority="BLOCKER"> + <name><![CDATA[Performance - Maps and sets of URLs can be performance hogs]]></name> + <configKey><![CDATA[DMI_COLLECTION_OF_URLS]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This method or field is or uses a Map or Set of URLs. Since both the equals and hashCode +method of URL perform domain name resolution, this can result in a big performance hit. +See <a href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html</a> for more information. +Consider using <code>java.net.URI</code> instead. + </p>]]></description> + </rule> + <rule key="DMI_BLOCKING_METHODS_ON_URL" priority="BLOCKER"> + <name><![CDATA[Performance - The equals and hashCode methods of URL are blocking]]></name> + <configKey><![CDATA[DMI_BLOCKING_METHODS_ON_URL]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> The equals and hashCode +method of URL perform domain name resolution, this can result in a big performance hit. +See <a href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html</a> for more information. +Consider using <code>java.net.URI</code> instead. + </p>]]></description> + </rule> + <rule key="DMI_ANNOTATION_IS_NOT_VISIBLE_TO_REFLECTION" priority="MAJOR"> + <name> + <![CDATA[Correctness - Can't use reflection to check for presence of annotation without runtime retention]]></name> + <configKey><![CDATA[DMI_ANNOTATION_IS_NOT_VISIBLE_TO_REFLECTION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Unless an annotation has itself been annotated with @Retention(RetentionPolicy.RUNTIME), the annotation can't be observed using reflection +(e.g., by using the isAnnotationPresent method). + .</p>]]></description> + </rule> + <rule key="DM_EXIT" priority="MAJOR"> + <name><![CDATA[Bad practice - Method invokes System.exit(...)]]></name> + <configKey><![CDATA[DM_EXIT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> Invoking System.exit shuts down the entire Java virtual machine. This + should only been done when it is appropriate. Such calls make it + hard or impossible for your code to be invoked by other code. + Consider throwing a RuntimeException instead.</p>]]></description> + </rule> + <rule key="DM_RUN_FINALIZERS_ON_EXIT" priority="MAJOR"> + <name><![CDATA[Bad practice - Method invokes dangerous method runFinalizersOnExit]]></name> + <configKey><![CDATA[DM_RUN_FINALIZERS_ON_EXIT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> <em>Never call System.runFinalizersOnExit +or Runtime.runFinalizersOnExit for any reason: they are among the most +dangerous methods in the Java libraries.</em> -- Joshua Bloch</p>]]></description> + </rule> + <rule key="DM_STRING_CTOR" priority="MAJOR"> + <name><![CDATA[Performance - Method invokes inefficient new String(String) constructor]]></name> + <configKey><![CDATA[DM_STRING_CTOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> Using the <code>java.lang.String(String)</code> constructor wastes memory + because the object so constructed will be functionally indistinguishable + from the <code>String</code> passed as a parameter. Just use the + argument <code>String</code> directly.</p>]]></description> + </rule> + <rule key="DM_STRING_VOID_CTOR" priority="MAJOR"> + <name><![CDATA[Performance - Method invokes inefficient new String() constructor]]></name> + <configKey><![CDATA[DM_STRING_VOID_CTOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> Creating a new <code>java.lang.String</code> object using the + no-argument constructor wastes memory because the object so created will + be functionally indistinguishable from the empty string constant + <code>""</code>. Java guarantees that identical string constants + will be represented by the same <code>String</code> object. Therefore, + you should just use the empty string constant directly.</p>]]></description> + </rule> + <rule key="DM_STRING_TOSTRING" priority="INFO"> + <name><![CDATA[Performance - Method invokes toString() method on a String]]></name> + <configKey><![CDATA[DM_STRING_TOSTRING]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> Calling <code>String.toString()</code> is just a redundant operation. + Just use the String.</p>]]></description> + </rule> + <rule key="DM_GC" priority="MAJOR"> + <name><![CDATA[Performance - Explicit garbage collection; extremely dubious except in benchmarking code]]></name> + <configKey><![CDATA[DM_GC]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> Code explicitly invokes garbage collection. + Except for specific use in benchmarking, this is very dubious.</p> + <p>In the past, situations where people have explicitly invoked + the garbage collector in routines such as close or finalize methods + has led to huge performance black holes. Garbage collection + can be expensive. Any situation that forces hundreds or thousands + of garbage collections will bring the machine to a crawl.</p>]]></description> + </rule> + <rule key="DM_BOOLEAN_CTOR" priority="MAJOR"> + <name> + <![CDATA[Performance - Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead]]></name> + <configKey><![CDATA[DM_BOOLEAN_CTOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> Creating new instances of <code>java.lang.Boolean</code> wastes + memory, since <code>Boolean</code> objects are immutable and there are + only two useful values of this type. Use the <code>Boolean.valueOf()</code> + method (or Java 1.5 autoboxing) to create <code>Boolean</code> objects instead.</p>]]></description> + </rule> + <rule key="DM_NUMBER_CTOR" priority="CRITICAL"> + <name><![CDATA[Performance - Method invokes inefficient Number constructor; use static valueOf instead]]></name> + <configKey><![CDATA[DM_NUMBER_CTOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> + Using <code>new Integer(int)</code> is guaranteed to always result in a new object whereas + <code>Integer.valueOf(int)</code> allows caching of values to be done by the compiler, class library, or JVM. + Using of cached values avoids object allocation and the code will be faster. + </p> + <p> + Values between -128 and 127 are guaranteed to have corresponding cached instances + and using <code>valueOf</code> is approximately 3.5 times faster than using constructor. + For values outside the constant range the performance of both styles is the same. + </p> + <p> + Unless the class must be compatible with JVMs predating Java 1.5, + use either autoboxing or the <code>valueOf()</code> method when creating instances of + <code>Long</code>, <code>Integer</code>, <code>Short</code>, <code>Character</code>, and <code>Byte</code>. + </p>]]></description> + </rule> + <rule key="DM_FP_NUMBER_CTOR" priority="MAJOR"> + <name> + <![CDATA[Performance - Method invokes inefficient floating-point Number constructor; use static valueOf instead]]></name> + <configKey><![CDATA[DM_FP_NUMBER_CTOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> + Using <code>new Double(double)</code> is guaranteed to always result in a new object whereas + <code>Double.valueOf(double)</code> allows caching of values to be done by the compiler, class library, or JVM. + Using of cached values avoids object allocation and the code will be faster. + </p> + <p> + Unless the class must be compatible with JVMs predating Java 1.5, + use either autoboxing or the <code>valueOf()</code> method when creating instances of <code>Double</code> and <code>Float</code>. + </p>]]></description> + </rule> + <rule key="DM_CONVERT_CASE" priority="INFO"> + <name><![CDATA[Internationalization - Consider using Locale parameterized version of invoked method]]></name> + <configKey><![CDATA[DM_CONVERT_CASE]]></configKey> + <category name="Portability"/> + <description><![CDATA[<p> A String is being converted to upper or lowercase, using the platform's default encoding. This may + result in improper conversions when used with international characters. Use the </p> + <table><tr><td>String.toUpperCase( Locale l )</td></tr><tr><td>String.toLowerCase( Locale l )</td></tr></table> + <p>versions instead.</p>]]></description> + </rule> + <rule key="BX_UNBOXED_AND_COERCED_FOR_TERNARY_OPERATOR" priority="MAJOR"> + <name><![CDATA[Correctness - Primitive value is unboxed and coerced for ternary operator]]></name> + <configKey><![CDATA[BX_UNBOXED_AND_COERCED_FOR_TERNARY_OPERATOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>A wrapped primitive value is unboxed and converted to another primitive type as part of the +evaluation of a conditional ternary operator (the <code> b ? e1 : e2</code> operator). The +semantics of Java mandate that if <code>e1</code> and <code>e2</code> are wrapped +numeric values, the values are unboxed and converted/coerced to their common type (e.g, +if <code>e1</code> is of type <code>Integer</code> +and <code>e2</code> is of type <code>Float</code>, then <code>e1</code> is unboxed, +converted to a floating point value, and boxed. See JLS Section 15.25. +</p>]]></description> + </rule> + <rule key="BX_BOXING_IMMEDIATELY_UNBOXED" priority="MAJOR"> + <name><![CDATA[Performance - Primitive value is boxed and then immediately unboxed]]></name> + <configKey><![CDATA[BX_BOXING_IMMEDIATELY_UNBOXED]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p>A primitive is boxed, and then immediately unboxed. This probably is due to a manual + boxing in a place where an unboxed value is required, thus forcing the compiler +to immediately undo the work of the boxing. +</p>]]></description> + </rule> + <rule key="BX_BOXING_IMMEDIATELY_UNBOXED_TO_PERFORM_COERCION" priority="MAJOR"> + <name><![CDATA[Performance - Primitive value is boxed then unboxed to perform primitive coercion]]></name> + <configKey><![CDATA[BX_BOXING_IMMEDIATELY_UNBOXED_TO_PERFORM_COERCION]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p>A primitive boxed value constructed and then immediately converted into a different primitive type +(e.g., <code>new Double(d).intValue()</code>). Just perform direct primitive coercion (e.g., <code>(int) d</code>).</p>]]></description> + </rule> + <rule key="DM_BOXED_PRIMITIVE_TOSTRING" priority="MAJOR"> + <name><![CDATA[Performance - Method allocates a boxed primitive just to call toString]]></name> + <configKey><![CDATA[DM_BOXED_PRIMITIVE_TOSTRING]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p>A boxed primitive is allocated just to call toString(). It is more effective to just use the static + form of toString which takes the primitive value. So,</p> + <table> + <tr><th>Replace...</th><th>With this...</th></tr> + <tr><td>new Integer(1).toString()</td><td>Integer.toString(1)</td></tr> + <tr><td>new Long(1).toString()</td><td>Long.toString(1)</td></tr> + <tr><td>new Float(1.0).toString()</td><td>Float.toString(1.0)</td></tr> + <tr><td>new Double(1.0).toString()</td><td>Double.toString(1.0)</td></tr> + <tr><td>new Byte(1).toString()</td><td>Byte.toString(1)</td></tr> + <tr><td>new Short(1).toString()</td><td>Short.toString(1)</td></tr> + <tr><td>new Boolean(true).toString()</td><td>Boolean.toString(true)</td></tr> + </table>]]></description> + </rule> + <rule key="DM_NEW_FOR_GETCLASS" priority="MAJOR"> + <name><![CDATA[Performance - Method allocates an object, only to get the class object]]></name> + <configKey><![CDATA[DM_NEW_FOR_GETCLASS]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p>This method allocates an object just to call getClass() on it, in order to + retrieve the Class object for it. It is simpler to just access the .class property of the class.</p>]]></description> + </rule> + <rule key="DM_MONITOR_WAIT_ON_CONDITION" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Monitor wait() called on Condition]]></name> + <configKey><![CDATA[DM_MONITOR_WAIT_ON_CONDITION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method calls <code>wait()</code> on a + <code>java.util.concurrent.locks.Condition</code> object. + Waiting for a <code>Condition</code> should be done using one of the <code>await()</code> + methods defined by the <code>Condition</code> interface. + </p>]]></description> + </rule> + <rule key="RV_01_TO_INT" priority="MAJOR"> + <name><![CDATA[Correctness - Random value from 0 to 1 is coerced to the integer 0]]></name> + <configKey><![CDATA[RV_01_TO_INT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>A random value from 0 to 1 is being coerced to the integer value 0. You probably +want to multiple the random value by something else before coercing it to an integer, or use the <code>Random.nextInt(n)</code> method. +</p>]]></description> + </rule> + <rule key="DM_NEXTINT_VIA_NEXTDOUBLE" priority="MAJOR"> + <name> + <![CDATA[Performance - Use the nextInt method of Random rather than nextDouble to generate a random integer]]></name> + <configKey><![CDATA[DM_NEXTINT_VIA_NEXTDOUBLE]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p>If <code>r</code> is a <code>java.util.Random</code>, you can generate a random number from <code>0</code> to <code>n-1</code> +using <code>r.nextInt(n)</code>, rather than using <code>(int)(r.nextDouble() * n)</code>. +</p>]]></description> + </rule> + <rule key="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="CRITICAL"> + <name><![CDATA[Security - Nonconstant string passed to execute method on an SQL statement]]></name> + <configKey><![CDATA[SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>The method invokes the execute method on an SQL statement with a String that seems +to be dynamically generated. Consider using +a prepared statement instead. It is more efficient and less vulnerable to +SQL injection attacks. +</p>]]></description> + </rule> + <rule key="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" priority="CRITICAL"> + <name><![CDATA[Security - A prepared statement is generated from a nonconstant String]]></name> + <configKey><![CDATA[SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>The code creates an SQL prepared statement from a nonconstant String. +If unchecked, tainted data from a user is used in building this String, SQL injection could +be used to make the prepared statement do something unexpected and undesirable. +</p>]]></description> + </rule> + <rule key="DM_USELESS_THREAD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - A thread was created using the default empty run method]]></name> + <configKey><![CDATA[DM_USELESS_THREAD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>This method creates a thread without specifying a run method either by deriving from the Thread class, or + by passing a Runnable object. This thread, then, does nothing but waste time. +</p>]]></description> + </rule> + <rule key="DC_DOUBLECHECK" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Possible double check of field]]></name> + <configKey><![CDATA[DC_DOUBLECHECK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method may contain an instance of double-checked locking. + This idiom is not correct according to the semantics of the Java memory + model. For more information, see the web page + <a href="http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html" + >http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html</a>.</p>]]></description> + </rule> + <rule key="FI_FINALIZER_NULLS_FIELDS" priority="MAJOR"> + <name><![CDATA[Bad practice - Finalizer nulls fields]]></name> + <configKey><![CDATA[FI_FINALIZER_NULLS_FIELDS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This finalizer nulls out fields. This is usually an error, as it does not aid garbage collection, + and the object is going to be garbage collected anyway.]]></description> + </rule> + <rule key="FI_FINALIZER_ONLY_NULLS_FIELDS" priority="MAJOR"> + <name><![CDATA[Bad practice - Finalizer only nulls fields]]></name> + <configKey><![CDATA[FI_FINALIZER_ONLY_NULLS_FIELDS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This finalizer does nothing except null out fields. This is completely pointless, and requires that +the object be garbage collected, finalized, and then garbage collected again. You should just remove the finalize +method.]]></description> + </rule> + <rule key="FI_PUBLIC_SHOULD_BE_PROTECTED" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Finalizer should be protected, not public]]></name> + <configKey><![CDATA[FI_PUBLIC_SHOULD_BE_PROTECTED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A class's <code>finalize()</code> method should have protected access, + not public.</p>]]></description> + </rule> + <rule key="FI_EMPTY" priority="MAJOR"> + <name><![CDATA[Bad practice - Empty finalizer should be deleted]]></name> + <configKey><![CDATA[FI_EMPTY]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> Empty <code>finalize()</code> methods are useless, so they should + be deleted.</p>]]></description> + </rule> + <rule key="FI_NULLIFY_SUPER" priority="CRITICAL"> + <name><![CDATA[Bad practice - Finalizer nullifies superclass finalizer]]></name> + <configKey><![CDATA[FI_NULLIFY_SUPER]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This empty <code>finalize()</code> method explicitly negates the + effect of any finalizer defined by its superclass. Any finalizer + actions defined for the superclass will not be performed. + Unless this is intended, delete this method.</p>]]></description> + </rule> + <rule key="FI_USELESS" priority="MINOR"> + <name><![CDATA[Bad practice - Finalizer does nothing but call superclass finalizer]]></name> + <configKey><![CDATA[FI_USELESS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The only thing this <code>finalize()</code> method does is call + the superclass's <code>finalize()</code> method, making it + redundant. Delete it.</p>]]></description> + </rule> + <rule key="FI_MISSING_SUPER_CALL" priority="MAJOR"> + <name><![CDATA[Bad practice - Finalizer does not call superclass finalizer]]></name> + <configKey><![CDATA[FI_MISSING_SUPER_CALL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This <code>finalize()</code> method does not make a call to its + superclass's <code>finalize()</code> method. So, any finalizer + actions defined for the superclass will not be performed. + Add a call to <code>super.finalize()</code>.</p>]]></description> + </rule> + <rule key="FI_EXPLICIT_INVOCATION" priority="MAJOR"> + <name><![CDATA[Bad practice - Explicit invocation of finalizer]]></name> + <configKey><![CDATA[FI_EXPLICIT_INVOCATION]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method contains an explicit invocation of the <code>finalize()</code> + method on an object. Because finalizer methods are supposed to be + executed once, and only by the VM, this is a bad idea.</p> +<p>If a connected set of objects beings finalizable, then the VM will invoke the +finalize method on all the finalizable object, possibly at the same time in different threads. +Thus, it is a particularly bad idea, in the finalize method for a class X, invoke finalize +on objects referenced by X, because they may already be getting finalized in a separate thread.]]></description> + </rule> + <rule key="EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS" priority="MAJOR"> + <name><![CDATA[Bad practice - Equals checks for noncompatible operand]]></name> + <configKey><![CDATA[EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This equals method is checking to see if the argument is some incompatible type +(i.e., a class that is neither a supertype nor subtype of the class that defines +the equals method). For example, the Foo class might have an equals method +that looks like: + +<p><code><pre> +public boolean equals(Object o) { + if (o instanceof Foo) + return name.equals(((Foo)o).name); + else if (o instanceof String) + return name.equals(o); + else return false; +</pre></code></p> + +<p>This is considered bad practice, as it makes it very hard to implement an equals method that +is symmetric and transitive. Without those properties, very unexpected behavoirs are possible. +</p>]]></description> + </rule> + <rule key="EQ_DONT_DEFINE_EQUALS_FOR_ENUM" priority="MAJOR"> + <name><![CDATA[Correctness - Covariant equals() method defined for enum]]></name> + <configKey><![CDATA[EQ_DONT_DEFINE_EQUALS_FOR_ENUM]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an enumeration, and equality on enumerations are defined +using object identity. Defining a covariant equals method for an enumeration +value is exceptionally bad practice, since it would likely result +in having two different enumeration values that compare as equals using +the covariant enum method, and as not equal when compared normally. +Don't do it. +</p>]]></description> + </rule> + <rule key="EQ_SELF_USE_OBJECT" priority="MAJOR"> + <name><![CDATA[Correctness - Covariant equals() method defined, Object.equals(Object) inherited]]></name> + <configKey><![CDATA[EQ_SELF_USE_OBJECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines a covariant version of the <code>equals()</code> + method, but inherits the normal <code>equals(Object)</code> method + defined in the base <code>java.lang.Object</code> class. + The class should probably define a <code>boolean equals(Object)</code> method. + </p>]]></description> + </rule> + <rule key="EQ_OTHER_USE_OBJECT" priority="MAJOR"> + <name><![CDATA[Correctness - equals() method defined that doesn't override Object.equals(Object)]]></name> + <configKey><![CDATA[EQ_OTHER_USE_OBJECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an <code>equals()</code> + method, that doesn't override the normal <code>equals(Object)</code> method + defined in the base <code>java.lang.Object</code> class. + The class should probably define a <code>boolean equals(Object)</code> method. + </p>]]></description> + </rule> + <rule key="EQ_OTHER_NO_OBJECT" priority="MAJOR"> + <name><![CDATA[Correctness - equals() method defined that doesn't override equals(Object)]]></name> + <configKey><![CDATA[EQ_OTHER_NO_OBJECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an <code>equals()</code> + method, that doesn't override the normal <code>equals(Object)</code> method + defined in the base <code>java.lang.Object</code> class. Instead, it + inherits an <code>equals(Object)</code> method from a superclass. + The class should probably define a <code>boolean equals(Object)</code> method. + </p>]]></description> + </rule> + + <!-- deactivated : http://sourceforge.net/tracker/?func=detail&aid=2786054&group_id=96405&atid=614693 --> + <!--<rule key="EQ_DOESNT_OVERRIDE_EQUALS"> + <name><![CDATA[Dodgy - Class doesn't override equals in superclass]]></name> + <configKey><![CDATA[EQ_DOESNT_OVERRIDE_EQUALS]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This class extends a class that defines an equals method and adds fields, but doesn't +define an equals method itself. Thus, equality on instances of this class will +ignore the identity of the subclass and the added fields. Be sure this is what is intended, +and that you don't need to override the equals method. Even if you don't need to override +the equals method, consider overriding it anyway to document the fact +that the equals method for the subclass just return the result of +invoking super.equals(o). + </p>]]></description> + </rule>--> + <rule key="EQ_SELF_NO_OBJECT" priority="MAJOR"> + <name><![CDATA[Bad practice - Covariant equals() method defined]]></name> + <configKey><![CDATA[EQ_SELF_NO_OBJECT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a covariant version of <code>equals()</code>. + To correctly override the <code>equals()</code> method in + <code>java.lang.Object</code>, the parameter of <code>equals()</code> + must have type <code>java.lang.Object</code>.</p>]]></description> + </rule> + <rule key="EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC" priority="MAJOR"> + <name><![CDATA[Correctness - equals method overrides equals in superclass and may not be symmetric]]></name> + <configKey><![CDATA[EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an equals method that overrides an equals method in a superclass. Both equals methods +methods use <code>instanceof</code> in the determination of whether two objects are equal. This is fraught with peril, +since it is important that the equals method is symmetrical (in other words, <code>a.equals(b) == b.equals(a)</code>). +If B is a subtype of A, and A's equals method checks that the argument is an instanceof A, and B's equals method +checks that the argument is an instanceof B, it is quite likely that the equivalence relation defined by these +methods is not symmetric. +</p>]]></description> + </rule> + <rule key="EQ_GETCLASS_AND_CLASS_CONSTANT" priority="CRITICAL"> + <name><![CDATA[Bad practice - equals method fails for subtypes]]></name> + <configKey><![CDATA[EQ_GETCLASS_AND_CLASS_CONSTANT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class has an equals method that will be broken if it is inherited by subclasses. +It compares a class literal with the class of the argument (e.g., in class <code>Foo</code> +it might check if <code>Foo.class == o.getClass()</code>). +It is better to check if <code>this.getClass() == o.getClass()</code>. +</p>]]></description> + </rule> + <rule key="EQ_UNUSUAL" priority="MINOR"> + <name><![CDATA[Dodgy - Unusual equals method ]]></name> + <configKey><![CDATA[EQ_UNUSUAL]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This class doesn't do any of the patterns we recognize for checking that the type of the argument +is compatible with the type of the <code>this</code> object. There might not be anything wrong with +this code, but it is worth reviewing. +</p>]]></description> + </rule> + <rule key="EQ_COMPARING_CLASS_NAMES" priority="MAJOR"> + <name><![CDATA[Correctness - equals method compares class names rather than class objects]]></name> + <configKey><![CDATA[EQ_COMPARING_CLASS_NAMES]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method checks to see if two objects are the same class by checking to see if the names +of their classes are equal. You can have different classes with the same name if they are loaded by +different class loaders. Just check to see if the class objects are the same. +</p>]]></description> + </rule> + <rule key="EQ_ALWAYS_TRUE" priority="BLOCKER"> + <name><![CDATA[Correctness - equals method always returns true]]></name> + <configKey><![CDATA[EQ_ALWAYS_TRUE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an equals method that always returns true. This is imaginative, but not very smart. +Plus, it means that the equals method is not symmetric. +</p>]]></description> + </rule> + <rule key="EQ_ALWAYS_FALSE" priority="BLOCKER"> + <name><![CDATA[Correctness - equals method always returns false]]></name> + <configKey><![CDATA[EQ_ALWAYS_FALSE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines an equals method that always returns false. This means that an object is not equal to itself, and it is impossible to create useful Maps or Sets of this class. More fundamentally, it means +that equals is not reflexive, one of the requirements of the equals method.</p> +<p>The likely intended semantics are object identity: that an object is equal to itself. This is the behavior inherited from class <code>Object</code>. If you need to override an equals inherited from a different +superclass, you can use use: +<pre> +public boolean equals(Object o) { return this == o; } +</pre> +</p>]]></description> + </rule> + <rule key="HSC_HUGE_SHARED_STRING_CONSTANT" priority="CRITICAL"> + <name><![CDATA[Performance - Huge string constants is duplicated across multiple class files]]></name> + <configKey><![CDATA[HSC_HUGE_SHARED_STRING_CONSTANT]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> + A large String constant is duplicated across multiple class files. + This is likely because a final field is initialized to a String constant, and the Java language + mandates that all references to a final field from other classes be inlined into +that classfile. See <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6447475">JDK bug 6447475</a> + for a description of an occurrence of this bug in the JDK and how resolving it reduced + the size of the JDK by 1 megabyte. +</p>]]></description> + </rule> + <rule key="NP_ARGUMENT_MIGHT_BE_NULL" priority="MAJOR"> + <name><![CDATA[Correctness - Method does not check for null argument]]></name> + <configKey><![CDATA[NP_ARGUMENT_MIGHT_BE_NULL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A parameter to this method has been identified as a value that should + always be checked to see whether or not it is null, but it is being dereferenced + without a preceding null check. + </p>]]></description> + </rule> + <rule key="NP_EQUALS_SHOULD_HANDLE_NULL_ARGUMENT" priority="CRITICAL"> + <name><![CDATA[Bad practice - equals() method does not check for null argument]]></name> + <configKey><![CDATA[NP_EQUALS_SHOULD_HANDLE_NULL_ARGUMENT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> + This implementation of equals(Object) violates the contract defined + by java.lang.Object.equals() because it does not check for null + being passed as the argument. All equals() methods should return + false if passed a null value. + </p>]]></description> + </rule> + <rule key="CO_SELF_NO_OBJECT" priority="MAJOR"> + <name><![CDATA[Bad practice - Covariant compareTo() method defined]]></name> + <configKey><![CDATA[CO_SELF_NO_OBJECT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a covariant version of <code>compareTo()</code>. + To correctly override the <code>compareTo()</code> method in the + <code>Comparable</code> interface, the parameter of <code>compareTo()</code> + must have type <code>java.lang.Object</code>.</p>]]></description> + </rule> + <rule key="HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS" priority="CRITICAL"> + <name><![CDATA[Correctness - Signature declares use of unhashable class in hashed construct]]></name> + <configKey><![CDATA[HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A method, field or class declares a generic signature where a non-hashable class +is used in context where a hashable class is required. +A class that declares an equals method but inherits a hashCode() method +from Object is unhashable, since it doesn't fulfill the requirement that +equal objects have equal hashCodes. +</p>]]></description> + </rule> + <rule key="HE_USE_OF_UNHASHABLE_CLASS" priority="CRITICAL"> + <name><![CDATA[Correctness - Use of class without a hashCode() method in a hashed data structure]]></name> + <configKey><![CDATA[HE_USE_OF_UNHASHABLE_CLASS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A class defines an equals(Object) method but not a hashCode() method, +and thus doesn't fulfill the requirement that equal objects have equal hashCodes. +An instance of this class is used in a hash data structure, making the need to +fix this problem of highest importance.]]></description> + </rule> + <rule key="HE_HASHCODE_USE_OBJECT_EQUALS" priority="CRITICAL"> + <name><![CDATA[Bad practice - Class defines hashCode() and uses Object.equals()]]></name> + <configKey><![CDATA[HE_HASHCODE_USE_OBJECT_EQUALS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>hashCode()</code> method but inherits its + <code>equals()</code> method from <code>java.lang.Object</code> + (which defines equality by comparing object references). Although + this will probably satisfy the contract that equal objects must have + equal hashcodes, it is probably not what was intended by overriding + the <code>hashCode()</code> method. (Overriding <code>hashCode()</code> + implies that the object's identity is based on criteria more complicated + than simple reference equality.)</p> +<p>If you don't think instances of this class will ever be inserted into a HashMap/HashTable, +the recommended <code>hashCode</code> implementation to use is:</p> +<p><pre>public int hashCode() { + assert false : "hashCode not designed"; + return 42; // any arbitrary constant will do + }</pre></p>]]></description> + </rule> + <rule key="EQ_COMPARETO_USE_OBJECT_EQUALS" priority="CRITICAL"> + <name><![CDATA[Bad practice - Class defines compareTo(...) and uses Object.equals()]]></name> + <configKey><![CDATA[EQ_COMPARETO_USE_OBJECT_EQUALS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>compareTo(...)</code> method but inherits its + <code>equals()</code> method from <code>java.lang.Object</code>. + Generally, the value of compareTo should return zero if and only if + equals returns true. If this is violated, weird and unpredictable + failures will occur in classes such as PriorityQueue. + In Java 5 the PriorityQueue.remove method uses the compareTo method, + while in Java 6 it uses the equals method. + +<p>From the JavaDoc for the compareTo method in the Comparable interface: +<blockquote> +It is strongly recommended, but not strictly required that <code>(x.compareTo(y)==0) == (x.equals(y))</code>. +Generally speaking, any class that implements the Comparable interface and violates this condition +should clearly indicate this fact. The recommended language +is "Note: this class has a natural ordering that is inconsistent with equals." +</blockquote>]]></description> + </rule> + <rule key="HE_HASHCODE_NO_EQUALS" priority="CRITICAL"> + <name><![CDATA[Bad practice - Class defines hashCode() but not equals()]]></name> + <configKey><![CDATA[HE_HASHCODE_NO_EQUALS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>hashCode()</code> method but not an + <code>equals()</code> method. Therefore, the class may + violate the invariant that equal objects must have equal hashcodes.</p>]]></description> + </rule> + <rule key="HE_EQUALS_USE_HASHCODE" priority="CRITICAL"> + <name><![CDATA[Bad practice - Class defines equals() and uses Object.hashCode()]]></name> + <configKey><![CDATA[HE_EQUALS_USE_HASHCODE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class overrides <code>equals(Object)</code>, but does not + override <code>hashCode()</code>, and inherits the implementation of + <code>hashCode()</code> from <code>java.lang.Object</code> (which returns + the identity hash code, an arbitrary value assigned to the object + by the VM). Therefore, the class is very likely to violate the + invariant that equal objects must have equal hashcodes.</p> + +<p>If you don't think instances of this class will ever be inserted into a HashMap/HashTable, +the recommended <code>hashCode</code> implementation to use is:</p> +<pre>public int hashCode() { + assert false : "hashCode not designed"; + return 42; // any arbitrary constant will do + }</pre>]]></description> + </rule> + <rule key="HE_INHERITS_EQUALS_USE_HASHCODE" priority="CRITICAL"> + <name><![CDATA[Bad practice - Class inherits equals() and uses Object.hashCode()]]></name> + <configKey><![CDATA[HE_INHERITS_EQUALS_USE_HASHCODE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class inherits <code>equals(Object)</code> from an abstract + superclass, and <code>hashCode()</code> from +<code>java.lang.Object</code> (which returns + the identity hash code, an arbitrary value assigned to the object + by the VM). Therefore, the class is very likely to violate the + invariant that equal objects must have equal hashcodes.</p> + + <p>If you don't want to define a hashCode method, and/or don't + believe the object will ever be put into a HashMap/Hashtable, + define the <code>hashCode()</code> method + to throw <code>UnsupportedOperationException</code>.</p>]]></description> + </rule> + <rule key="HE_EQUALS_NO_HASHCODE" priority="MAJOR"> + <name><![CDATA[Bad practice - Class defines equals() but not hashCode()]]></name> + <configKey><![CDATA[HE_EQUALS_NO_HASHCODE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class overrides <code>equals(Object)</code>, but does not + override <code>hashCode()</code>. Therefore, the class may violate the + invariant that equal objects must have equal hashcodes.</p>]]></description> + </rule> + <rule key="EQ_ABSTRACT_SELF" priority="MAJOR"> + <name><![CDATA[Bad practice - Abstract class defines covariant equals() method]]></name> + <configKey><![CDATA[EQ_ABSTRACT_SELF]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a covariant version of <code>equals()</code>. + To correctly override the <code>equals()</code> method in + <code>java.lang.Object</code>, the parameter of <code>equals()</code> + must have type <code>java.lang.Object</code>.</p>]]></description> + </rule> + <rule key="ES_COMPARING_STRINGS_WITH_EQ" priority="MAJOR"> + <name><![CDATA[Bad practice - Comparison of String objects using == or !=]]></name> + <configKey><![CDATA[ES_COMPARING_STRINGS_WITH_EQ]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>This code compares <code>java.lang.String</code> objects for reference +equality using the == or != operators. +Unless both strings are either constants in a source file, or have been +interned using the <code>String.intern()</code> method, the same string +value may be represented by two different String objects. Consider +using the <code>equals(Object)</code> method instead.</p>]]></description> + </rule> + <rule key="ES_COMPARING_PARAMETER_STRING_WITH_EQ" priority="MAJOR"> + <name><![CDATA[Bad practice - Comparison of String parameter using == or !=]]></name> + <configKey><![CDATA[ES_COMPARING_PARAMETER_STRING_WITH_EQ]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p>This code compares a <code>java.lang.String</code> parameter for reference +equality using the == or != operators. Requiring callers to +pass only String constants or interned strings to a method is unnecessarily +fragile, and rarely leads to measurable performance gains. Consider +using the <code>equals(Object)</code> method instead.</p>]]></description> + </rule> + <rule key="CO_ABSTRACT_SELF" priority="MAJOR"> + <name><![CDATA[Bad practice - Abstract class defines covariant compareTo() method]]></name> + <configKey><![CDATA[CO_ABSTRACT_SELF]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a covariant version of <code>compareTo()</code>. + To correctly override the <code>compareTo()</code> method in the + <code>Comparable</code> interface, the parameter of <code>compareTo()</code> + must have type <code>java.lang.Object</code>.</p>]]></description> + </rule> + <rule key="IS_FIELD_NOT_GUARDED" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Field not guarded against concurrent access]]></name> + <configKey><![CDATA[IS_FIELD_NOT_GUARDED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This field is annotated with net.jcip.annotations.GuardedBy, +but can be accessed in a way that seems to violate the annotation.</p>]]></description> + </rule> + <rule key="MSF_MUTABLE_SERVLET_FIELD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Mutable servlet field]]></name> + <configKey><![CDATA[MSF_MUTABLE_SERVLET_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>A web server generally only creates one instance of servlet or jsp class (i.e., treats +the class as a Singleton), +and will +have multiple threads invoke methods on that instance to service multiple +simultaneous requests. +Thus, having a mutable instance field generally creates race conditions.]]></description> + </rule> + <rule key="IS2_INCONSISTENT_SYNC" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Inconsistent synchronization]]></name> + <configKey><![CDATA[IS2_INCONSISTENT_SYNC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The fields of this class appear to be accessed inconsistently with respect + to synchronization. This bug report indicates that the bug pattern detector + judged that + </p> + <ol> + <li> The class contains a mix of locked and unlocked accesses,</li> + <li> At least one locked access was performed by one of the class's own methods, and</li> + <li> The number of unsynchronized field accesses (reads and writes) was no more than + one third of all accesses, with writes being weighed twice as high as reads</li> + </ol> + + <p> A typical bug matching this bug pattern is forgetting to synchronize + one of the methods in a class that is intended to be thread-safe.</p> + + <p> You can select the nodes labeled "Unsynchronized access" to show the + code locations where the detector believed that a field was accessed + without synchronization.</p> + + <p> Note that there are various sources of inaccuracy in this detector; + for example, the detector cannot statically detect all situations in which + a lock is held. Also, even when the detector is accurate in + distinguishing locked vs. unlocked accesses, the code in question may still + be correct.</p>]]></description> + </rule> + <rule key="NN_NAKED_NOTIFY" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Naked notify]]></name> + <configKey><![CDATA[NN_NAKED_NOTIFY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A call to <code>notify()</code> or <code>notifyAll()</code> + was made without any (apparent) accompanying + modification to mutable object state. In general, calling a notify + method on a monitor is done because some condition another thread is + waiting for has become true. However, for the condition to be meaningful, + it must involve a heap object that is visible to both threads.</p> + + <p> This bug does not necessarily indicate an error, since the change to + mutable object state may have taken place in a method which then called + the method containing the notification.</p>]]></description> + </rule> + <rule key="MS_EXPOSE_REP" priority="CRITICAL"> + <name> + <![CDATA[Malicious code vulnerability - Public static method may expose internal representation by returning array]]></name> + <configKey><![CDATA[MS_EXPOSE_REP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A public static method returns a reference to + an array that is part of the static state of the class. + Any code that calls this method can freely modify + the underlying array. + One fix is to return a copy of the array.</p>]]></description> + </rule> + <rule key="EI_EXPOSE_REP" priority="MAJOR"> + <name> + <![CDATA[Malicious code vulnerability - May expose internal representation by returning reference to mutable object]]></name> + <configKey><![CDATA[EI_EXPOSE_REP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Returning a reference to a mutable object value stored in one of the object's fields + exposes the internal representation of the object. + If instances + are accessed by untrusted code, and unchecked changes to + the mutable object would compromise security or other + important properties, you will need to do something different. + Returning a new copy of the object is better approach in many situations.</p>]]></description> + </rule> + <rule key="EI_EXPOSE_REP2" priority="MAJOR"> + <name> + <![CDATA[Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object]]></name> + <configKey><![CDATA[EI_EXPOSE_REP2]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code stores a reference to an externally mutable object into the + internal representation of the object. + If instances + are accessed by untrusted code, and unchecked changes to + the mutable object would compromise security or other + important properties, you will need to do something different. + Storing a copy of the object is better approach in many situations.</p>]]></description> + </rule> + <rule key="EI_EXPOSE_STATIC_REP2" priority="MAJOR"> + <name> + <![CDATA[Malicious code vulnerability - May expose internal static state by storing a mutable object into a static field]]></name> + <configKey><![CDATA[EI_EXPOSE_STATIC_REP2]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code stores a reference to an externally mutable object into a static + field. + If unchecked changes to + the mutable object would compromise security or other + important properties, you will need to do something different. + Storing a copy of the object is better approach in many situations.</p>]]></description> + </rule> + <rule key="RU_INVOKE_RUN" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Invokes run on a thread (did you mean to start it instead?)]]></name> + <configKey><![CDATA[RU_INVOKE_RUN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method explicitly invokes <code>run()</code> on an object. + In general, classes implement the <code>Runnable</code> interface because + they are going to have their <code>run()</code> method invoked in a new thread, + in which case <code>Thread.start()</code> is the right method to call.</p>]]></description> + </rule> + <rule key="SP_SPIN_ON_FIELD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Method spins on field]]></name> + <configKey><![CDATA[SP_SPIN_ON_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method spins in a loop which reads a field. The compiler + may legally hoist the read out of the loop, turning the code into an + infinite loop. The class should be changed so it uses proper + synchronization (including wait and notify calls).</p>]]></description> + </rule> + <rule key="NS_DANGEROUS_NON_SHORT_CIRCUIT" priority="CRITICAL"> + <name><![CDATA[Dodgy - Potentially dangerous use of non-short-circuit logic]]></name> + <configKey><![CDATA[NS_DANGEROUS_NON_SHORT_CIRCUIT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This code seems to be using non-short-circuit logic (e.g., & +or |) +rather than short-circuit logic (&& or ||). In addition, +it seem possible that, depending on the value of the left hand side, you might not +want to evaluate the right hand side (because it would have side effects, could cause an exception +or could be expensive.</p> +<p> +Non-short-circuit logic causes both sides of the expression +to be evaluated even when the result can be inferred from +knowing the left-hand side. This can be less efficient and +can result in errors if the left-hand side guards cases +when evaluating the right-hand side can generate an error. +</p> + +<p>See <a href="http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.22.2">the Java +Language Specification</a> for details + +</p>]]></description> + </rule> + <rule key="NS_NON_SHORT_CIRCUIT" priority="MAJOR"> + <name><![CDATA[Dodgy - Questionable use of non-short-circuit logic]]></name> + <configKey><![CDATA[NS_NON_SHORT_CIRCUIT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This code seems to be using non-short-circuit logic (e.g., & +or |) +rather than short-circuit logic (&& or ||). +Non-short-circuit logic causes both sides of the expression +to be evaluated even when the result can be inferred from +knowing the left-hand side. This can be less efficient and +can result in errors if the left-hand side guards cases +when evaluating the right-hand side can generate an error. + +<p>See <a href="http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.22.2">the Java +Language Specification</a> for details + +</p>]]></description> + </rule> + <rule key="TLW_TWO_LOCK_WAIT" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Wait with two locks held]]></name> + <configKey><![CDATA[TLW_TWO_LOCK_WAIT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Waiting on a monitor while two locks are held may cause + deadlock. + + Performing a wait only releases the lock on the object + being waited on, not any other locks. + +This not necessarily a bug, but is worth examining + closely.</p>]]></description> + </rule> + <rule key="UW_UNCOND_WAIT" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Unconditional wait]]></name> + <configKey><![CDATA[UW_UNCOND_WAIT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a call to <code>java.lang.Object.wait()</code> which + is not guarded by conditional control flow. The code should + verify that condition it intends to wait for is not already satisfied + before calling wait; any previous notifications will be ignored. + </p>]]></description> + </rule> + <rule key="UR_UNINIT_READ" priority="MAJOR"> + <name><![CDATA[Correctness - Uninitialized read of field in constructor]]></name> + <configKey><![CDATA[UR_UNINIT_READ]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This constructor reads a field which has not yet been assigned a value. + This is often caused when the programmer mistakenly uses the field instead + of one of the constructor's parameters.</p>]]></description> + </rule> + <rule key="UG_SYNC_SET_UNSYNC_GET" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Unsynchronized get method, synchronized set method]]></name> + <configKey><![CDATA[UG_SYNC_SET_UNSYNC_GET]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class contains similarly-named get and set + methods where the set method is synchronized and the get method is not. + This may result in incorrect behavior at runtime, as callers of the get + method will not necessarily see a consistent state for the object. + The get method should be made synchronized.</p>]]></description> + </rule> + <rule key="IC_INIT_CIRCULARITY" priority="CRITICAL"> + <name><![CDATA[Dodgy - Initialization circularity]]></name> + <configKey><![CDATA[IC_INIT_CIRCULARITY]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> A circularity was detected in the static initializers of the two + classes referenced by the bug instance. Many kinds of unexpected + behavior may arise from such circularity.</p>]]></description> + </rule> + <rule key="IC_SUPERCLASS_USES_SUBCLASS_DURING_INITIALIZATION" priority="MAJOR"> + <name><![CDATA[Bad practice - Superclass uses subclass during initialization]]></name> + <configKey><![CDATA[IC_SUPERCLASS_USES_SUBCLASS_DURING_INITIALIZATION]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> During the initialization of a class, the class makes an active use of a subclass. +That subclass will not yet be initialized at the time of this use. +For example, in the following code, <code>foo</code> will be null.</p> + +<pre> +public class CircularClassInitialization { + static class InnerClassSingleton extends CircularClassInitialization { + static InnerClassSingleton singleton = new InnerClassSingleton(); + } + + static CircularClassInitialization foo = InnerClassSingleton.singleton; +} +</pre>]]></description> + </rule> + <rule key="IT_NO_SUCH_ELEMENT" priority="MINOR"> + <name><![CDATA[Bad practice - Iterator next() method can't throw NoSuchElementException]]></name> + <configKey><![CDATA[IT_NO_SUCH_ELEMENT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class implements the <code>java.util.Iterator</code> interface. + However, its <code>next()</code> method is not capable of throwing + <code>java.util.NoSuchElementException</code>. The <code>next()</code> + method should be changed so it throws <code>NoSuchElementException</code> + if is called when there are no more elements to return.</p>]]></description> + </rule> + <rule key="DL_SYNCHRONIZATION_ON_SHARED_CONSTANT" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Synchronization on interned String could lead to deadlock]]></name> + <configKey><![CDATA[DL_SYNCHRONIZATION_ON_SHARED_CONSTANT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The code synchronizes on interned String. +<pre> +private static String LOCK = "LOCK"; +... + synchronized(LOCK) { ...} +... +</pre> +</p> +<p>Constant Strings are interned and shared across all other classes loaded by the JVM. Thus, this could +is locking on something that other code might also be locking. This could result in very strange and hard to diagnose +blocking and deadlock behavior. See <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a> and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>. +</p>]]></description> + </rule> + <rule key="DL_SYNCHRONIZATION_ON_BOOLEAN" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Synchronization on Boolean could lead to deadlock]]></name> + <configKey><![CDATA[DL_SYNCHRONIZATION_ON_BOOLEAN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The code synchronizes on a boxed primitive constant, such as an Boolean. +<pre> +private static Boolean inited = Boolean.FALSE; +... + synchronized(inited) { + if (!inited) { + init(); + inited = Boolean.TRUE; + } + } +... +</pre> +</p> +<p>Since there normally exist only two Boolean objects, this code could be synchronizing on the same object as other, unrelated code, leading to unresponsiveness +and possible deadlock</p>]]></description> + </rule> + <rule key="DL_SYNCHRONIZATION_ON_UNSHARED_BOXED_PRIMITIVE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Synchronization on boxed primitive values]]></name> + <configKey><![CDATA[DL_SYNCHRONIZATION_ON_UNSHARED_BOXED_PRIMITIVE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The code synchronizes on an apparently unshared boxed primitive, +such as an Integer. +<pre> +private static final Integer fileLock = new Integer(1); +... + synchronized(fileLock) { + .. do something .. + } +... +</pre> +</p> +<p>It would be much better, in this code, to redeclare fileLock as +<pre> +private static final Object fileLock = new Object(); +</pre> +The existing code might be OK, but it is confusing and a +future refactoring, such as the "Remove Boxing" refactoring in IntelliJ, +might replace this with the use of an interned Integer object shared +throughout the JVM, leading to very confusing behavior and potential deadlock. +</p>]]></description> + </rule> + <rule key="DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Synchronization on boxed primitive could lead to deadlock]]></name> + <configKey><![CDATA[DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The code synchronizes on a boxed primitive constant, such as an Integer. +<pre> +private static Integer count = 0; +... + synchronized(count) { + count++; + } +... +</pre> +</p> +<p>Since Integer objects can be cached and shared, +this code could be synchronizing on the same object as other, unrelated code, leading to unresponsiveness +and possible deadlock</p>]]></description> + </rule> + <rule key="ESync_EMPTY_SYNC" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Empty synchronized block]]></name> + <configKey><![CDATA[ESync_EMPTY_SYNC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The code contains an empty synchronized block:</p> +<pre> +synchronized() {} +</pre> +<p>Empty synchronized blocks are far more subtle and hard to use correctly +than most people recognize, and empty synchronized blocks +are almost never a better solution +than less contrived solutions. +</p>]]></description> + </rule> + <rule key="IS_INCONSISTENT_SYNC" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Inconsistent synchronization]]></name> + <configKey><![CDATA[IS_INCONSISTENT_SYNC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The fields of this class appear to be accessed inconsistently with respect + to synchronization. This bug report indicates that the bug pattern detector + judged that + </p> + <ol> + <li> The class contains a mix of locked and unlocked accesses,</li> + <li> At least one locked access was performed by one of the class's own methods, and</li> + <li> The number of unsynchronized field accesses (reads and writes) was no more than + one third of all accesses, with writes being weighed twice as high as reads</li> + </ol> + + <p> A typical bug matching this bug pattern is forgetting to synchronize + one of the methods in a class that is intended to be thread-safe.</p> + + <p> Note that there are various sources of inaccuracy in this detector; + for example, the detector cannot statically detect all situations in which + a lock is held. Also, even when the detector is accurate in + distinguishing locked vs. unlocked accesses, the code in question may still + be correct.</p>]]></description> + </rule> + <rule key="ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Synchronization on field in futile attempt to guard that field]]></name> + <configKey><![CDATA[ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method synchronizes on a field in what appears to be an attempt +to guard against simultaneous updates to that field. But guarding a field +gets a lock on the referenced object, not on the field. This may not +provide the mutual exclusion you need, and other threads might +be obtaining locks on the referenced objects (for other purposes). An example +of this pattern would be: + +<p><pre> +private Long myNtfSeqNbrCounter = new Long(0); +private Long getNotificationSequenceNumber() { + Long result = null; + synchronized(myNtfSeqNbrCounter) { + result = new Long(myNtfSeqNbrCounter.longValue() + 1); + myNtfSeqNbrCounter = new Long(result.longValue()); + } + return result; + } +</pre> + + +</p>]]></description> + </rule> + <rule key="ML_SYNC_ON_UPDATED_FIELD" priority="MAJOR"> + <name><![CDATA[Multithreaded correctness - Method synchronizes on an updated field]]></name> + <configKey><![CDATA[ML_SYNC_ON_UPDATED_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method synchronizes on an object + referenced from a mutable field. + This is unlikely to have useful semantics, since different +threads may be synchronizing on different objects.</p>]]></description> + </rule> + <rule key="MS_OOI_PKGPROTECT" priority="MAJOR"> + <name> + <![CDATA[Malicious code vulnerability - Field should be moved out of an interface and made package protected]]></name> + <configKey><![CDATA[MS_OOI_PKGPROTECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A final static field that is +defined in an interface references a mutable + object such as an array or hashtable. + This mutable object could + be changed by malicious code or + by accident from another package. + To solve this, the field needs to be moved to a class + and made package protected + to avoid + this vulnerability.</p>]]></description> + </rule> + <rule key="MS_FINAL_PKGPROTECT" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field should be both final and package protected]]></name> + <configKey><![CDATA[MS_FINAL_PKGPROTECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A mutable static field could be changed by malicious code or + by accident from another package. + The field could be made package protected and/or made final + to avoid + this vulnerability.</p>]]></description> + </rule> + <rule key="MS_SHOULD_BE_FINAL" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field isn't final but should be]]></name> + <configKey><![CDATA[MS_SHOULD_BE_FINAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A mutable static field could be changed by malicious code or + by accident from another package. + The field could be made final to avoid + this vulnerability.</p>]]></description> + </rule> + <rule key="MS_PKGPROTECT" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field should be package protected]]></name> + <configKey><![CDATA[MS_PKGPROTECT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A mutable static field could be changed by malicious code or + by accident. + The field could be made package protected to avoid + this vulnerability.</p>]]></description> + </rule> + <rule key="MS_MUTABLE_HASHTABLE" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field is a mutable Hashtable]]></name> + <configKey><![CDATA[MS_MUTABLE_HASHTABLE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>A final static field references a Hashtable + and can be accessed by malicious code or + by accident from another package. + This code can freely modify the contents of the Hashtable.</p>]]></description> + </rule> + <rule key="MS_MUTABLE_ARRAY" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field is a mutable array]]></name> + <configKey><![CDATA[MS_MUTABLE_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A final static field references an array + and can be accessed by malicious code or + by accident from another package. + This code can freely modify the contents of the array.</p>]]></description> + </rule> + <rule key="MS_CANNOT_BE_FINAL" priority="MAJOR"> + <name><![CDATA[Malicious code vulnerability - Field isn't final and can't be protected from malicious code]]></name> + <configKey><![CDATA[MS_CANNOT_BE_FINAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A mutable static field could be changed by malicious code or + by accident from another package. + Unfortunately, the way the field is used doesn't allow + any easy fix to this problem.</p>]]></description> + </rule> + <rule key="IA_AMBIGUOUS_INVOCATION_OF_INHERITED_OR_OUTER_METHOD" priority="MAJOR"> + <name><![CDATA[Dodgy - Ambiguous invocation of either an inherited or outer method]]></name> + <configKey><![CDATA[IA_AMBIGUOUS_INVOCATION_OF_INHERITED_OR_OUTER_METHOD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> An inner class is invoking a method that could be resolved to either a inherited method or a method defined in an outer class. By the Java semantics, +it will be resolved to invoke the inherited method, but this may not be want +you intend. If you really intend to invoke the inherited method, +invoke it by invoking the method on super (e.g., invoke super.foo(17)), and +thus it will be clear to other readers of your code and to FindBugs +that you want to invoke the inherited method, not the method in the outer class. +</p>]]></description> + </rule> + <rule key="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS" priority="MAJOR"> + <name><![CDATA[Bad practice - Class names shouldn't shadow simple name of superclass]]></name> + <configKey><![CDATA[NM_SAME_SIMPLE_NAME_AS_SUPERCLASS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class has a simple name that is identical to that of its superclass, except +that its superclass is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). +This can be exceptionally confusing, create lots of situations in which you have to look at import statements +to resolve references and creates many +opportunities to accidently define methods that do not override methods in their superclasses. +</p>]]></description> + </rule> + <rule key="NM_SAME_SIMPLE_NAME_AS_INTERFACE" priority="MAJOR"> + <name><![CDATA[Bad practice - Class names shouldn't shadow simple name of implemented interface]]></name> + <configKey><![CDATA[NM_SAME_SIMPLE_NAME_AS_INTERFACE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class/interface has a simple name that is identical to that of an implemented/extended interface, except +that the interface is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). +This can be exceptionally confusing, create lots of situations in which you have to look at import statements +to resolve references and creates many +opportunities to accidently define methods that do not override methods in their superclasses. +</p>]]></description> + </rule> + <rule key="NM_VERY_CONFUSING" priority="MAJOR"> + <name><![CDATA[Correctness - Very confusing method names]]></name> + <configKey><![CDATA[NM_VERY_CONFUSING]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The referenced methods have names that differ only by capitalization. +This is very confusing because if the capitalization were +identical then one of the methods would override the other. +</p>]]></description> + </rule> + <rule key="NM_VERY_CONFUSING_INTENTIONAL" priority="MAJOR"> + <name><![CDATA[Bad practice - Very confusing method names (but perhaps intentional)]]></name> + <configKey><![CDATA[NM_VERY_CONFUSING_INTENTIONAL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The referenced methods have names that differ only by capitalization. +This is very confusing because if the capitalization were +identical then one of the methods would override the other. From the existence of other methods, it +seems that the existence of both of these methods is intentional, but is sure is confusing. +You should try hard to eliminate one of them, unless you are forced to have both due to frozen APIs. +</p>]]></description> + </rule> + <rule key="NM_WRONG_PACKAGE" priority="MAJOR"> + <name> + <![CDATA[Correctness - Method doesn't override method in superclass due to wrong package for parameter]]></name> + <configKey><![CDATA[NM_WRONG_PACKAGE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The method in the subclass doesn't override a similar method in a superclass because the type of a parameter doesn't exactly match +the type of the corresponding parameter in the superclass. For example, if you have:</p> + +<blockquote> +<pre> +import alpha.Foo; +public class A { + public int f(Foo x) { return 17; } +} +---- +import beta.Foo; +public class B extends A { + public int f(Foo x) { return 42; } +} +</pre> +</blockquote> + +<p>The <code>f(Foo)</code> method defined in class <code>B</code> doesn't +override the +<code>f(Foo)</code> method defined in class <code>A</code>, because the argument +types are <code>Foo</code>'s from different packages. +</p>]]></description> + </rule> + <rule key="NM_WRONG_PACKAGE_INTENTIONAL" priority="MAJOR"> + <name> + <![CDATA[Bad practice - Method doesn't override method in superclass due to wrong package for parameter]]></name> + <configKey><![CDATA[NM_WRONG_PACKAGE_INTENTIONAL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The method in the subclass doesn't override a similar method in a superclass because the type of a parameter doesn't exactly match +the type of the corresponding parameter in the superclass. For example, if you have:</p> + +<blockquote> +<pre> +import alpha.Foo; +public class A { + public int f(Foo x) { return 17; } +} +---- +import beta.Foo; +public class B extends A { + public int f(Foo x) { return 42; } + public int f(alpha.Foo x) { return 27; } +} +</pre> +</blockquote> + +<p>The <code>f(Foo)</code> method defined in class <code>B</code> doesn't +override the +<code>f(Foo)</code> method defined in class <code>A</code>, because the argument +types are <code>Foo</code>'s from different packages. +</p> + +<p>In this case, the subclass does define a method with a signature identical to the method in the superclass, +so this is presumably understood. However, such methods are exceptionally confusing. You should strongly consider +removing or deprecating the method with the similar but not identical signature. +</p>]]></description> + </rule> + <rule key="NM_CONFUSING" priority="MAJOR"> + <name><![CDATA[Bad practice - Confusing method names]]></name> + <configKey><![CDATA[NM_CONFUSING]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The referenced methods have names that differ only by capitalization.</p>]]></description> + </rule> + <rule key="NM_METHOD_CONSTRUCTOR_CONFUSION" priority="MAJOR"> + <name><![CDATA[Correctness - Apparent method/constructor confusion]]></name> + <configKey><![CDATA[NM_METHOD_CONSTRUCTOR_CONFUSION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This regular method has the same name as the class it is defined in. It is likely that this was intended to be a constructor. + If it was intended to be a constructor, remove the declaration of a void return value. + If you had accidently defined this method, realized the mistake, defined a proper constructor + but can't get rid of this method due to backwards compatibility, deprecate the method. +</p>]]></description> + </rule> + <rule key="NM_CLASS_NOT_EXCEPTION" priority="MAJOR"> + <name><![CDATA[Bad practice - Class is not derived from an Exception, even though it is named as such]]></name> + <configKey><![CDATA[NM_CLASS_NOT_EXCEPTION]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class is not derived from another exception, but ends with 'Exception'. This will +be confusing to users of this class.</p>]]></description> + </rule> + <rule key="RR_NOT_CHECKED" priority="MAJOR"> + <name><![CDATA[Bad practice - Method ignores results of InputStream.read()]]></name> + <configKey><![CDATA[RR_NOT_CHECKED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method ignores the return value of one of the variants of + <code>java.io.InputStream.read()</code> which can return multiple bytes. + If the return value is not checked, the caller will not be able to correctly + handle the case where fewer bytes were read than the caller requested. + This is a particularly insidious kind of bug, because in many programs, + reads from input streams usually do read the full amount of data requested, + causing the program to fail only sporadically.</p>]]></description> + </rule> + <rule key="SR_NOT_CHECKED" priority="MAJOR"> + <name><![CDATA[Bad practice - Method ignores results of InputStream.skip()]]></name> + <configKey><![CDATA[SR_NOT_CHECKED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method ignores the return value of + <code>java.io.InputStream.skip()</code> which can skip multiple bytes. + If the return value is not checked, the caller will not be able to correctly + handle the case where fewer bytes were skipped than the caller requested. + This is a particularly insidious kind of bug, because in many programs, + skips from input streams usually do skip the full amount of data requested, + causing the program to fail only sporadically. With Buffered streams, however, + skip() will only skip data in the buffer, and will routinely fail to skip the + requested number of bytes.</p>]]></description> + </rule> + <rule key="SE_READ_RESOLVE_IS_STATIC" priority="MAJOR"> + <name><![CDATA[Correctness - The readResolve method must not be declared as a static method. ]]></name> + <configKey><![CDATA[SE_READ_RESOLVE_IS_STATIC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> In order for the readResolve method to be recognized by the serialization +mechanism, it must not be declared as a static method. +</p>]]></description> + </rule> + <rule key="SE_PRIVATE_READ_RESOLVE_NOT_INHERITED" priority="MAJOR"> + <name><![CDATA[Dodgy - private readResolve method not inherited by subclasses]]></name> + <configKey><![CDATA[SE_PRIVATE_READ_RESOLVE_NOT_INHERITED]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This class defines a private readResolve method. Since it is private, it won't be inherited by subclasses. +This might be intentional and OK, but should be reviewed to ensure it is what is intended. +</p>]]></description> + </rule> + <rule key="SE_READ_RESOLVE_MUST_RETURN_OBJECT" priority="MAJOR"> + <name><![CDATA[Bad practice - The readResolve method must be declared with a return type of Object. ]]></name> + <configKey><![CDATA[SE_READ_RESOLVE_MUST_RETURN_OBJECT]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> In order for the readResolve method to be recognized by the serialization +mechanism, it must be declared to have a return type of Object. +</p>]]></description> + </rule> + <rule key="SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS" priority="MAJOR"> + <name><![CDATA[Dodgy - Transient field of class that isn't Serializable. ]]></name> + <configKey><![CDATA[SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The field is marked as transient, but the class isn't Serializable, so marking it as transient +has absolutely no effect. +This may be leftover marking from a previous version of the code in which the class was transient, or +it may indicate a misunderstanding of how serialization works. +</p>]]></description> + </rule> + <rule key="SE_TRANSIENT_FIELD_NOT_RESTORED" priority="MAJOR"> + <name><![CDATA[Bad practice - Transient field that isn't set by deserialization. ]]></name> + <configKey><![CDATA[SE_TRANSIENT_FIELD_NOT_RESTORED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class contains a field that is updated at multiple places in the class, thus it seems to be part of the state of the class. However, since the field is marked as transient and not set in readObject or readResolve, it will contain the default value in any +deserialized instance of the class. +</p>]]></description> + </rule> + <rule key="SE_METHOD_MUST_BE_PRIVATE" priority="MAJOR"> + <name><![CDATA[Correctness - Method must be private in order for serialization to work]]></name> + <configKey><![CDATA[SE_METHOD_MUST_BE_PRIVATE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class implements the <code>Serializable</code> interface, and defines a method + for custom serialization/deserialization. But since that method isn't declared private, + it will be silently ignored by the serialization/deserialization API.</p>]]></description> + </rule> + <rule key="SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION" priority="MAJOR"> + <name><![CDATA[Bad practice - Class is Externalizable but doesn't define a void constructor]]></name> + <configKey><![CDATA[SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class implements the <code>Externalizable</code> interface, but does + not define a void constructor. When Externalizable objects are deserialized, + they first need to be constructed by invoking the void + constructor. Since this class does not have one, + serialization and deserialization will fail at runtime.</p>]]></description> + </rule> + <rule key="SE_NO_SUITABLE_CONSTRUCTOR" priority="MAJOR"> + <name><![CDATA[Bad practice - Class is Serializable but its superclass doesn't define a void constructor]]></name> + <configKey><![CDATA[SE_NO_SUITABLE_CONSTRUCTOR]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class implements the <code>Serializable</code> interface + and its superclass does not. When such an object is deserialized, + the fields of the superclass need to be initialized by + invoking the void constructor of the superclass. + Since the superclass does not have one, + serialization and deserialization will fail at runtime.</p>]]></description> + </rule> + <rule key="SE_NO_SERIALVERSIONID" priority="MAJOR"> + <name><![CDATA[Bad practice - Class is Serializable, but doesn't define serialVersionUID]]></name> + <configKey><![CDATA[SE_NO_SERIALVERSIONID]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class implements the <code>Serializable</code> interface, but does + not define a <code>serialVersionUID</code> field. + A change as simple as adding a reference to a .class object + will add synthetic fields to the class, + which will unfortunately change the implicit + serialVersionUID (e.g., adding a reference to <code>String.class</code> + will generate a static field <code>class$java$lang$String</code>). + Also, different source code to bytecode compilers may use different + naming conventions for synthetic variables generated for + references to class objects or inner classes. + To ensure interoperability of Serializable across versions, + consider adding an explicit serialVersionUID.</p>]]></description> + </rule> + <rule key="SE_COMPARATOR_SHOULD_BE_SERIALIZABLE" priority="MAJOR"> + <name><![CDATA[Bad practice - Comparator doesn't implement Serializable]]></name> + <configKey><![CDATA[SE_COMPARATOR_SHOULD_BE_SERIALIZABLE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class implements the <code>Comparator</code> interface. You +should consider whether or not it should also implement the <code>Serializable</code> +interface. If a comparator is used to construct an ordered collection +such as a <code>TreeMap</code>, then the <code>TreeMap</code> +will be serializable only if the comparator is also serializable. +As most comparators have little or no state, making them serializable +is generally easy and good defensive programming. +</p>]]></description> + </rule> + <rule key="WS_WRITEOBJECT_SYNC" priority="CRITICAL"> + <name> + <![CDATA[Multithreaded correctness - Class's writeObject() method is synchronized but nothing else is]]></name> + <configKey><![CDATA[WS_WRITEOBJECT_SYNC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class has a <code>writeObject()</code> method which is synchronized; + however, no other method of the class is synchronized.</p>]]></description> + </rule> + <rule key="RS_READOBJECT_SYNC" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Class's readObject() method is synchronized]]></name> + <configKey><![CDATA[RS_READOBJECT_SYNC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This serializable class defines a <code>readObject()</code> which is + synchronized. By definition, an object created by deserialization + is only reachable by one thread, and thus there is no need for + <code>readObject()</code> to be synchronized. If the <code>readObject()</code> + method itself is causing the object to become visible to another thread, + that is an example of very dubious coding style.</p>]]></description> + </rule> + <rule key="SE_NONSTATIC_SERIALVERSIONID" priority="MAJOR"> + <name><![CDATA[Bad practice - serialVersionUID isn't static]]></name> + <configKey><![CDATA[SE_NONSTATIC_SERIALVERSIONID]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>serialVersionUID</code> field that is not static. + The field should be made static + if it is intended to specify + the version UID for purposes of serialization.</p>]]></description> + </rule> + <rule key="SE_NONFINAL_SERIALVERSIONID" priority="CRITICAL"> + <name><![CDATA[Bad practice - serialVersionUID isn't final]]></name> + <configKey><![CDATA[SE_NONFINAL_SERIALVERSIONID]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>serialVersionUID</code> field that is not final. + The field should be made final + if it is intended to specify + the version UID for purposes of serialization.</p>]]></description> + </rule> + <rule key="SE_NONLONG_SERIALVERSIONID" priority="MAJOR"> + <name><![CDATA[Bad practice - serialVersionUID isn't long]]></name> + <configKey><![CDATA[SE_NONLONG_SERIALVERSIONID]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class defines a <code>serialVersionUID</code> field that is not long. + The field should be made long + if it is intended to specify + the version UID for purposes of serialization.</p>]]></description> + </rule> + <rule key="SE_BAD_FIELD_INNER_CLASS" priority="MINOR"> + <name><![CDATA[Bad practice - Non-serializable class has a serializable inner class]]></name> + <configKey><![CDATA[SE_BAD_FIELD_INNER_CLASS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This Serializable class is an inner class of a non-serializable class. +Thus, attempts to serialize it will also attempt to associate instance of the outer +class with which it is associated, leading to a runtime error. +</p> +<p>If possible, making the inner class a static inner class should solve the +problem. Making the outer class serializable might also work, but that would +mean serializing an instance of the inner class would always also serialize the instance +of the outer class, which it often not what you really want.]]></description> + </rule> + <rule key="SE_INNER_CLASS" priority="MAJOR"> + <name><![CDATA[Bad practice - Serializable inner class]]></name> + <configKey><![CDATA[SE_INNER_CLASS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This Serializable class is an inner class. Any attempt to serialize +it will also serialize the associated outer instance. The outer instance is serializable, +so this won't fail, but it might serialize a lot more data than intended. +If possible, making the inner class a static inner class (also known as a nested class) should solve the +problem.]]></description> + </rule> + <rule key="SE_BAD_FIELD_STORE" priority="CRITICAL"> + <name><![CDATA[Bad practice - Non-serializable value stored into instance field of a serializable class]]></name> + <configKey><![CDATA[SE_BAD_FIELD_STORE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> A non-serializable value is stored into a non-transient field +of a serializable class.</p>]]></description> + </rule> + <rule key="SC_START_IN_CTOR" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Constructor invokes Thread.start()]]></name> + <configKey><![CDATA[SC_START_IN_CTOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The constructor starts a thread. This is likely to be wrong if + the class is ever extended/subclassed, since the thread will be started + before the subclass constructor is started.</p>]]></description> + </rule> + <rule key="SS_SHOULD_BE_STATIC" priority="MAJOR"> + <name><![CDATA[Performance - Unread field: should this field be static?]]></name> + <configKey><![CDATA[SS_SHOULD_BE_STATIC]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This class contains an instance final field that + is initialized to a compile-time static value. + Consider making the field static.</p>]]></description> + </rule> + <rule key="UUF_UNUSED_FIELD" priority="MAJOR"> + <name><![CDATA[Performance - Unused field]]></name> + <configKey><![CDATA[UUF_UNUSED_FIELD]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This field is never used. Consider removing it from the class.</p>]]></description> + </rule> + <rule key="URF_UNREAD_FIELD" priority="MAJOR"> + <name><![CDATA[Performance - Unread field]]></name> + <configKey><![CDATA[URF_UNREAD_FIELD]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This field is never read. Consider removing it from the class.</p>]]></description> + </rule> + <rule key="QF_QUESTIONABLE_FOR_LOOP" priority="CRITICAL"> + <name><![CDATA[Dodgy - Complicated, subtle or wrong increment in for-loop ]]></name> + <configKey><![CDATA[QF_QUESTIONABLE_FOR_LOOP]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>Are you sure this for loop is incrementing the correct variable? + It appears that another variable is being initialized and checked + by the for loop. +</p>]]></description> + </rule> + <rule key="UWF_NULL_FIELD" priority="CRITICAL"> + <name><![CDATA[Correctness - Field only ever set to null]]></name> + <configKey><![CDATA[UWF_NULL_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> All writes to this field are of the constant value null, and thus +all reads of the field will return null. +Check for errors, or remove it if it is useless.</p>]]></description> + </rule> + <rule key="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD" priority="CRITICAL"> + <name><![CDATA[Dodgy - Write to static field from instance method]]></name> + <configKey><![CDATA[ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This instance method writes to a static field. This is tricky to get +correct if multiple instances are being manipulated, +and generally bad practice. +</p>]]></description> + </rule> + <rule key="NP_LOAD_OF_KNOWN_NULL_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Load of known null value]]></name> + <configKey><![CDATA[NP_LOAD_OF_KNOWN_NULL_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The variable referenced at this point is known to be null due to an earlier + check against null. Although this is valid, it might be a mistake (perhaps you +intended to refer to a different variable, or perhaps the earlier check to see if the +variable is null should have been a check to see if it was nonnull). +</p>]]></description> + </rule> + <rule key="NP_DEREFERENCE_OF_READLINE_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Dereference of the result of readLine() without nullcheck]]></name> + <configKey><![CDATA[NP_DEREFERENCE_OF_READLINE_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The result of invoking readLine() is dereferenced without checking to see if the result is null. If there are no more lines of text +to read, readLine() will return null and dereferencing that will generate a null pointer exception. +</p>]]></description> + </rule> + <rule key="NP_IMMEDIATE_DEREFERENCE_OF_READLINE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Immediate dereference of the result of readLine()]]></name> + <configKey><![CDATA[NP_IMMEDIATE_DEREFERENCE_OF_READLINE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The result of invoking readLine() is immediately dereferenced. If there are no more lines of text +to read, readLine() will return null and dereferencing that will generate a null pointer exception. +</p>]]></description> + </rule> + <rule key="SIC_INNER_SHOULD_BE_STATIC" priority="MAJOR"> + <name><![CDATA[Performance - Should be a static inner class]]></name> + <configKey><![CDATA[SIC_INNER_SHOULD_BE_STATIC]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This class is an inner class, but does not use its embedded reference + to the object which created it. This reference makes the instances + of the class larger, and may keep the reference to the creator object + alive longer than necessary. If possible, the class should be + made static. +</p>]]></description> + </rule> + <rule key="SIC_INNER_SHOULD_BE_STATIC_ANON" priority="MAJOR"> + <name><![CDATA[Performance - Could be refactored into a named static inner class]]></name> + <configKey><![CDATA[SIC_INNER_SHOULD_BE_STATIC_ANON]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This class is an inner class, but does not use its embedded reference + to the object which created it. This reference makes the instances + of the class larger, and may keep the reference to the creator object + alive longer than necessary. If possible, the class should be + made into a <em>static</em> inner class. Since anonymous inner +classes cannot be marked as static, doing this will require refactoring +the inner class so that it is a named inner class.</p>]]></description> + </rule> + <rule key="SIC_INNER_SHOULD_BE_STATIC_NEEDS_THIS" priority="MAJOR"> + <name><![CDATA[Performance - Could be refactored into a static inner class]]></name> + <configKey><![CDATA[SIC_INNER_SHOULD_BE_STATIC_NEEDS_THIS]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This class is an inner class, but does not use its embedded reference + to the object which created it except during construction of the +inner object. This reference makes the instances + of the class larger, and may keep the reference to the creator object + alive longer than necessary. If possible, the class should be + made into a <em>static</em> inner class. Since the reference to the + outer object is required during construction of the inner instance, + the inner class will need to be refactored so as to + pass a reference to the outer instance to the constructor + for the inner class.</p>]]></description> + </rule> + <rule key="WA_NOT_IN_LOOP" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Wait not in loop ]]></name> + <configKey><![CDATA[WA_NOT_IN_LOOP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a call to <code>java.lang.Object.wait()</code> + which is not in a loop. If the monitor is used for multiple conditions, + the condition the caller intended to wait for might not be the one + that actually occurred.</p>]]></description> + </rule> + <rule key="WA_AWAIT_NOT_IN_LOOP" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Condition.await() not in loop ]]></name> + <configKey><![CDATA[WA_AWAIT_NOT_IN_LOOP]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a call to <code>java.util.concurrent.await()</code> + (or variants) + which is not in a loop. If the object is used for multiple conditions, + the condition the caller intended to wait for might not be the one + that actually occurred.</p>]]></description> + </rule> + <rule key="NO_NOTIFY_NOT_NOTIFYALL" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Using notify() rather than notifyAll()]]></name> + <configKey><![CDATA[NO_NOTIFY_NOT_NOTIFYALL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls <code>notify()</code> rather than <code>notifyAll()</code>. + Java monitors are often used for multiple conditions. Calling <code>notify()</code> + only wakes up one thread, meaning that the thread woken up might not be the + one waiting for the condition that the caller just satisfied.</p>]]></description> + </rule> + <rule key="RV_CHECK_FOR_POSITIVE_INDEXOF" priority="MINOR"> + <name><![CDATA[Dodgy - Method checks to see if result of String.indexOf is positive]]></name> + <configKey><![CDATA[RV_CHECK_FOR_POSITIVE_INDEXOF]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The method invokes String.indexOf and checks to see if the result is positive or non-positive. + It is much more typical to check to see if the result is negative or non-negative. It is + positive only if the substring checked for occurs at some place other than at the beginning of + the String.</p>]]></description> + </rule> + <rule key="RV_DONT_JUST_NULL_CHECK_READLINE" priority="MAJOR"> + <name><![CDATA[Dodgy - Method discards result of readLine after checking if it is nonnull]]></name> + <configKey><![CDATA[RV_DONT_JUST_NULL_CHECK_READLINE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The value returned by readLine is discarded after checking to see if the return +value is non-null. In almost all situations, if the result is non-null, you will want +to use that non-null value. Calling readLine again will give you a different line.</p>]]></description> + </rule> + <rule key="RV_RETURN_VALUE_IGNORED" priority="MINOR"> + <name><![CDATA[Correctness - Method ignores return value]]></name> + <configKey><![CDATA[RV_RETURN_VALUE_IGNORED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The return value of this method should be checked. One common +cause of this warning is to invoke a method on an immutable object, +thinking that it updates the object. For example, in the following code +fragment,</p> +<blockquote> +<pre> +String dateString = getHeaderField(name); +dateString.trim(); +</pre> +</blockquote> +<p>the programmer seems to be thinking that the trim() method will update +the String referenced by dateString. But since Strings are immutable, the trim() +function returns a new String value, which is being ignored here. The code +should be corrected to: </p> +<blockquote> +<pre> +String dateString = getHeaderField(name); +dateString = dateString.trim(); +</pre> +</blockquote>]]></description> + </rule> + <rule key="RV_RETURN_VALUE_IGNORED_BAD_PRACTICE" priority="MAJOR"> + <name><![CDATA[Bad practice - Method ignores exceptional return value]]></name> + <configKey><![CDATA[RV_RETURN_VALUE_IGNORED_BAD_PRACTICE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method returns a value that is not checked. The return value should be checked +since it can indicate an unusual or unexpected function execution. For +example, the <code>File.delete()</code> method returns false +if the file could not be successfully deleted (rather than +throwing an Exception). +If you don't check the result, you won't notice if the method invocation +signals unexpected behavior by returning an atypical return value. +</p>]]></description> + </rule> + <rule key="RV_EXCEPTION_NOT_THROWN" priority="CRITICAL"> + <name><![CDATA[Correctness - Exception created and dropped rather than thrown]]></name> + <configKey><![CDATA[RV_EXCEPTION_NOT_THROWN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code creates an exception (or error) object, but doesn't do anything with it. For example, +something like </p> +<blockquote> +<pre> +if (x < 0) + new IllegalArgumentException("x must be nonnegative"); +</pre> +</blockquote> +<p>It was probably the intent of the programmer to throw the created exception:</p> +<blockquote> +<pre> +if (x < 0) + throw new IllegalArgumentException("x must be nonnegative"); +</pre> +</blockquote>]]></description> + </rule> + <rule key="RV_RETURN_VALUE_IGNORED2" priority="MAJOR"> + <name><![CDATA[Correctness - Method ignores return value]]></name> + <configKey><![CDATA[RV_RETURN_VALUE_IGNORED2]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The return value of this method should be checked. One common +cause of this warning is to invoke a method on an immutable object, +thinking that it updates the object. For example, in the following code +fragment,</p> +<blockquote> +<pre> +String dateString = getHeaderField(name); +dateString.trim(); +</pre> +</blockquote> +<p>the programmer seems to be thinking that the trim() method will update +the String referenced by dateString. But since Strings are immutable, the trim() +function returns a new String value, which is being ignored here. The code +should be corrected to: </p> +<blockquote> +<pre> +String dateString = getHeaderField(name); +dateString = dateString.trim(); +</pre> +</blockquote>]]></description> + </rule> + <rule key="NP_ALWAYS_NULL" priority="CRITICAL"> + <name><![CDATA[Correctness - Null pointer dereference]]></name> + <configKey><![CDATA[NP_ALWAYS_NULL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A null pointer is dereferenced here. This will lead to a +<code>NullPointerException</code> when the code is executed.</p>]]></description> + </rule> + <rule key="NP_STORE_INTO_NONNULL_FIELD" priority="CRITICAL"> + <name><![CDATA[Correctness - Store of null value into field annotated NonNull]]></name> + <configKey><![CDATA[NP_STORE_INTO_NONNULL_FIELD]]></configKey> + <category name="Reliability"/> + <description> + <![CDATA[<p> A value that could be null is stored into a field that has been annotated as NonNull. </p>]]></description> + </rule> + <rule key="NP_ALWAYS_NULL_EXCEPTION" priority="CRITICAL"> + <name><![CDATA[Correctness - Null pointer dereference in method on exception path]]></name> + <configKey><![CDATA[NP_ALWAYS_NULL_EXCEPTION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A pointer which is null on an exception path is dereferenced here. +This will lead to a <code>NullPointerException</code> when the code is executed. +Note that because FindBugs currently does not prune infeasible exception paths, +this may be a false warning.</p> + +<p> Also note that FindBugs considers the default case of a switch statement to +be an exception path, since the default case is often infeasible.</p>]]></description> + </rule> + <rule key="NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Parameter must be nonnull but is marked as nullable]]></name> + <configKey><![CDATA[NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This parameter is always used in a way that requires it to be nonnull, +but the parameter is explicitly annotated as being Nullable. Either the use +of the parameter or the annotation is wrong. +</p>]]></description> + </rule> + <rule key="NP_NULL_ON_SOME_PATH" priority="CRITICAL"> + <name><![CDATA[Correctness - Possible null pointer dereference]]></name> + <configKey><![CDATA[NP_NULL_ON_SOME_PATH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> There is a branch of statement that, <em>if executed,</em> guarantees that +a null value will be dereferenced, which +would generate a <code>NullPointerException</code> when the code is executed. +Of course, the problem might be that the branch or statement is infeasible and that +the null pointer exception can't ever be executed; deciding that is beyond the ability of FindBugs. +</p>]]></description> + </rule> + <rule key="NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Possible null pointer dereference on path that might be infeasible]]></name> + <configKey><![CDATA[NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> There is a branch of statement that, <em>if executed,</em> guarantees that +a null value will be dereferenced, which +would generate a <code>NullPointerException</code> when the code is executed. +Of course, the problem might be that the branch or statement is infeasible and that +the null pointer exception can't ever be executed; deciding that is beyond the ability of FindBugs. +Due to the fact that this value had been previously tested for nullness, this is a definite possibility. +</p>]]></description> + </rule> + <rule key="NP_NULL_ON_SOME_PATH_EXCEPTION" priority="CRITICAL"> + <name><![CDATA[Correctness - Possible null pointer dereference in method on exception path]]></name> + <configKey><![CDATA[NP_NULL_ON_SOME_PATH_EXCEPTION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A reference value which is null on some exception control path is +dereferenced here. This may lead to a <code>NullPointerException</code> +when the code is executed. +Note that because FindBugs currently does not prune infeasible exception paths, +this may be a false warning.</p> + +<p> Also note that FindBugs considers the default case of a switch statement to +be an exception path, since the default case is often infeasible.</p>]]></description> + </rule> + <rule key="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Possible null pointer dereference due to return value of called method]]></name> + <configKey><![CDATA[NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> The return value from a method is dereferenced without a null check, +and the return value of that method is one that should generally be checked +for null. This may lead to a <code>NullPointerException</code> when the code is executed. +</p>]]></description> + </rule> + <rule key="NP_NULL_PARAM_DEREF_NONVIRTUAL" priority="CRITICAL"> + <name><![CDATA[Correctness - Non-virtual method call passes null for nonnull parameter]]></name> + <configKey><![CDATA[NP_NULL_PARAM_DEREF_NONVIRTUAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A possibly-null value is passed to a nonnull method parameter. + Either the parameter is annotated as a parameter that should + always be nonnull, or analysis has shown that it will always be + dereferenced. + </p>]]></description> + </rule> + <rule key="NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS" priority="CRITICAL"> + <name><![CDATA[Correctness - Method call passes null for nonnull parameter]]></name> + <configKey><![CDATA[NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A possibly-null value is passed at a call site where all known + target methods require the parameter to be nonnull. + Either the parameter is annotated as a parameter that should + always be nonnull, or analysis has shown that it will always be + dereferenced. + </p>]]></description> + </rule> + <rule key="NP_NULL_PARAM_DEREF" priority="CRITICAL"> + <name><![CDATA[Correctness - Method call passes null for nonnull parameter]]></name> + <configKey><![CDATA[NP_NULL_PARAM_DEREF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method call passes a null value for a nonnull method parameter. + Either the parameter is annotated as a parameter that should + always be nonnull, or analysis has shown that it will always be + dereferenced. + </p>]]></description> + </rule> + <rule key="NP_NONNULL_PARAM_VIOLATION" priority="CRITICAL"> + <name><![CDATA[Correctness - Method call passes null to a nonnull parameter ]]></name> + <configKey><![CDATA[NP_NONNULL_PARAM_VIOLATION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method passes a null value as the parameter of a method which + must be nonnull. Either this parameter has been explicitly marked + as @Nonnull, or analysis has determined that this parameter is + always dereferenced. + </p>]]></description> + </rule> + <rule key="NP_NONNULL_RETURN_VIOLATION" priority="CRITICAL"> + <name><![CDATA[Correctness - Method may return null, but is declared @NonNull]]></name> + <configKey><![CDATA[NP_NONNULL_RETURN_VIOLATION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method may return a null value, but the method (or a superclass method + which it overrides) is declared to return @NonNull. + </p>]]></description> + </rule> + <rule key="NP_CLONE_COULD_RETURN_NULL" priority="CRITICAL"> + <name><![CDATA[Bad practice - Clone method may return null]]></name> + <configKey><![CDATA[NP_CLONE_COULD_RETURN_NULL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> + This clone method seems to return null in some circumstances, but clone is never + allowed to return a null value. If you are convinced this path is unreachable, throw an AssertionError + instead. + </p>]]></description> + </rule> + <rule key="NP_TOSTRING_COULD_RETURN_NULL" priority="CRITICAL"> + <name><![CDATA[Bad practice - toString method may return null]]></name> + <configKey><![CDATA[NP_TOSTRING_COULD_RETURN_NULL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> + This toString method seems to return null in some circumstances. A liberal reading of the + spec could be interpreted as allowing this, but it is probably a bad idea and could cause + other code to break. Return the empty string or some other appropriate string rather than null. + </p>]]></description> + </rule> + <rule key="NP_GUARANTEED_DEREF" priority="BLOCKER"> + <name><![CDATA[Correctness - Null value is guaranteed to be dereferenced]]></name> + <configKey><![CDATA[NP_GUARANTEED_DEREF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + There is a statement or branch that if executed guarantees that + a value is null at this point, and that + value that is guaranteed to be dereferenced + (except on forward paths involving runtime exceptions). + </p>]]></description> + </rule> + <rule key="NP_GUARANTEED_DEREF_ON_EXCEPTION_PATH" priority="CRITICAL"> + <name><![CDATA[Correctness - Value is null and guaranteed to be dereferenced on exception path]]></name> + <configKey><![CDATA[NP_GUARANTEED_DEREF_ON_EXCEPTION_PATH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + There is a statement or branch on an exception path + that if executed guarantees that + a value is null at this point, and that + value that is guaranteed to be dereferenced + (except on forward paths involving runtime exceptions). + </p>]]></description> + </rule> + <rule key="SI_INSTANCE_BEFORE_FINALS_ASSIGNED" priority="CRITICAL"> + <name><![CDATA[Bad practice - Static initializer creates instance before all static final fields assigned]]></name> + <configKey><![CDATA[SI_INSTANCE_BEFORE_FINALS_ASSIGNED]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The class's static initializer creates an instance of the class +before all of the static final fields are assigned.</p>]]></description> + </rule> + <rule key="OS_OPEN_STREAM" priority="CRITICAL"> + <name><![CDATA[Bad practice - Method may fail to close stream]]></name> + <configKey><![CDATA[OS_OPEN_STREAM]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The method creates an IO stream object, does not assign it to any +fields, pass it to other methods that might close it, +or return it, and does not appear to close +the stream on all paths out of the method. This may result in +a file descriptor leak. It is generally a good +idea to use a <code>finally</code> block to ensure that streams are +closed.</p>]]></description> + </rule> + <rule key="OS_OPEN_STREAM_EXCEPTION_PATH" priority="CRITICAL"> + <name><![CDATA[Bad practice - Method may fail to close stream on exception]]></name> + <configKey><![CDATA[OS_OPEN_STREAM_EXCEPTION_PATH]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The method creates an IO stream object, does not assign it to any +fields, pass it to other methods, or return it, and does not appear to close +it on all possible exception paths out of the method. +This may result in a file descriptor leak. It is generally a good +idea to use a <code>finally</code> block to ensure that streams are +closed.</p>]]></description> + </rule> + <rule key="PZLA_PREFER_ZERO_LENGTH_ARRAYS" priority="MAJOR"> + <name><![CDATA[Dodgy - Consider returning a zero length array rather than null]]></name> + <configKey><![CDATA[PZLA_PREFER_ZERO_LENGTH_ARRAYS]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> It is often a better design to +return a length zero array rather than a null reference to indicate that there +are no results (i.e., an empty list of results). +This way, no explicit check for null is needed by clients of the method.</p> + +<p>On the other hand, using null to indicate +"there is no answer to this question" is probably appropriate. +For example, <code>File.listFiles()</code> returns an empty list +if given a directory containing no files, and returns null if the file +is not a directory.</p>]]></description> + </rule> + <rule key="UCF_USELESS_CONTROL_FLOW" priority="CRITICAL"> + <name><![CDATA[Dodgy - Useless control flow]]></name> + <configKey><![CDATA[UCF_USELESS_CONTROL_FLOW]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a useless control flow statement, where +control flow continues onto the same place regardless of whether or not +the branch is taken. For example, +this is caused by having an empty statement +block for an <code>if</code> statement:</p> +<pre> + if (argv.length == 0) { + // TODO: handle this case + } +</pre>]]></description> + </rule> + <rule key="UCF_USELESS_CONTROL_FLOW_NEXT_LINE" priority="CRITICAL"> + <name><![CDATA[Correctness - Useless control flow to next line]]></name> + <configKey><![CDATA[UCF_USELESS_CONTROL_FLOW_NEXT_LINE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a useless control flow statement in which control +flow follows to the same or following line regardless of whether or not +the branch is taken. +Often, this is caused by inadvertently using an empty statement as the +body of an <code>if</code> statement, e.g.:</p> +<pre> + if (argv.length == 1); + System.out.println("Hello, " + argv[0]); +</pre>]]></description> + </rule> + <rule key="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE" priority="CRITICAL"> + <name><![CDATA[Correctness - Nullcheck of value previously dereferenced]]></name> + <configKey><![CDATA[RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A value is checked here to see whether it is null, but this value can't +be null because it was previously dereferenced and if it were null a null pointer +exception would have occurred at the earlier dereference. +Essentially, this code and the previous dereference +disagree as to whether this value is allowed to be null. Either the check is redundant +or the previous dereference is erroneous.</p>]]></description> + </rule> + <rule key="RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Redundant nullcheck of value known to be null]]></name> + <configKey><![CDATA[RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a redundant check of a known null value against +the constant null.</p>]]></description> + </rule> + <rule key="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Redundant nullcheck of value known to be non-null]]></name> + <configKey><![CDATA[RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a redundant check of a known non-null value against +the constant null.</p>]]></description> + </rule> + <rule key="RCN_REDUNDANT_COMPARISON_TWO_NULL_VALUES" priority="CRITICAL"> + <name><![CDATA[Dodgy - Redundant comparison of two null values]]></name> + <configKey><![CDATA[RCN_REDUNDANT_COMPARISON_TWO_NULL_VALUES]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a redundant comparison of two references known to +both be definitely null.</p>]]></description> + </rule> + <rule key="RCN_REDUNDANT_COMPARISON_OF_NULL_AND_NONNULL_VALUE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Redundant comparison of non-null value to null]]></name> + <configKey><![CDATA[RCN_REDUNDANT_COMPARISON_OF_NULL_AND_NONNULL_VALUE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a reference known to be non-null with another reference +known to be null.</p>]]></description> + </rule> + <rule key="UL_UNRELEASED_LOCK" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Method does not release lock on all paths]]></name> + <configKey><![CDATA[UL_UNRELEASED_LOCK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method acquires a JSR-166 (<code>java.util.concurrent</code>) lock, +but does not release it on all paths out of the method. In general, the correct idiom +for using a JSR-166 lock is: +</p> +<pre> + Lock l = ...; + l.lock(); + try { + // do something + } finally { + l.unlock(); + } +</pre>]]></description> + </rule> + <rule key="UL_UNRELEASED_LOCK_EXCEPTION_PATH" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Method does not release lock on all exception paths]]></name> + <configKey><![CDATA[UL_UNRELEASED_LOCK_EXCEPTION_PATH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method acquires a JSR-166 (<code>java.util.concurrent</code>) lock, +but does not release it on all exception paths out of the method. In general, the correct idiom +for using a JSR-166 lock is: +</p> +<pre> + Lock l = ...; + l.lock(); + try { + // do something + } finally { + l.unlock(); + } +</pre>]]></description> + </rule> + <rule key="RC_REF_COMPARISON" priority="CRITICAL"> + <name><![CDATA[Bad practice - Suspicious reference comparison]]></name> + <configKey><![CDATA[RC_REF_COMPARISON]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method compares two reference values using the == or != operator, +where the correct way to compare instances of this type is generally +with the equals() method. Examples of classes which should generally +not be compared by reference are java.lang.Integer, java.lang.Float, etc.</p>]]></description> + </rule> + <rule key="EC_UNRELATED_TYPES_USING_POINTER_EQUALITY" priority="CRITICAL"> + <name><![CDATA[Correctness - Using pointer equality to compare different types]]></name> + <configKey><![CDATA[EC_UNRELATED_TYPES_USING_POINTER_EQUALITY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method uses using pointer equality to compare two references that seem to be of +different types. The result of this comparison will always be false at runtime. +</p>]]></description> + </rule> + <rule key="EC_UNRELATED_TYPES" priority="CRITICAL"> + <name><![CDATA[Correctness - Call to equals() comparing different types]]></name> + <configKey><![CDATA[EC_UNRELATED_TYPES]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls equals(Object) on two references of different +class types with no common subclasses. +Therefore, the objects being compared +are unlikely to be members of the same class at runtime +(unless some application classes were not analyzed, or dynamic class +loading can occur at runtime). +According to the contract of equals(), +objects of different +classes should always compare as unequal; therefore, according to the +contract defined by java.lang.Object.equals(Object), +the result of this comparison will always be false at runtime. +</p>]]></description> + </rule> + <rule key="EC_UNRELATED_INTERFACES" priority="CRITICAL"> + <name><![CDATA[Correctness - Call to equals() comparing different interface types]]></name> + <configKey><![CDATA[EC_UNRELATED_INTERFACES]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls equals(Object) on two references of unrelated +interface types, where neither is a subtype of the other, +and there are no known non-abstract classes which implement both interfaces. +Therefore, the objects being compared +are unlikely to be members of the same class at runtime +(unless some application classes were not analyzed, or dynamic class +loading can occur at runtime). +According to the contract of equals(), +objects of different +classes should always compare as unequal; therefore, according to the +contract defined by java.lang.Object.equals(Object), +the result of this comparison will always be false at runtime. +</p>]]></description> + </rule> + <rule key="EC_UNRELATED_CLASS_AND_INTERFACE" priority="CRITICAL"> + <name><![CDATA[Correctness - Call to equals() comparing unrelated class and interface]]></name> + <configKey><![CDATA[EC_UNRELATED_CLASS_AND_INTERFACE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This method calls equals(Object) on two references, one of which is a class +and the other an interface, where neither the class nor any of its +non-abstract subclasses implement the interface. +Therefore, the objects being compared +are unlikely to be members of the same class at runtime +(unless some application classes were not analyzed, or dynamic class +loading can occur at runtime). +According to the contract of equals(), +objects of different +classes should always compare as unequal; therefore, according to the +contract defined by java.lang.Object.equals(Object), +the result of this comparison will always be false at runtime. +</p>]]></description> + </rule> + <rule key="EC_NULL_ARG" priority="CRITICAL"> + <name><![CDATA[Correctness - Call to equals() with null argument]]></name> + <configKey><![CDATA[EC_NULL_ARG]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls equals(Object), passing a null value as +the argument. According to the contract of the equals() method, +this call should always return <code>false</code>.</p>]]></description> + </rule> + <rule key="MWN_MISMATCHED_WAIT" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Mismatched wait()]]></name> + <configKey><![CDATA[MWN_MISMATCHED_WAIT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls Object.wait() without obviously holding a lock +on the object. Calling wait() without a lock held will result in +an <code>IllegalMonitorStateException</code> being thrown.</p>]]></description> + </rule> + <rule key="MWN_MISMATCHED_NOTIFY" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Mismatched notify()]]></name> + <configKey><![CDATA[MWN_MISMATCHED_NOTIFY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method calls Object.notify() or Object.notifyAll() without obviously holding a lock +on the object. Calling notify() or notifyAll() without a lock held will result in +an <code>IllegalMonitorStateException</code> being thrown.</p>]]></description> + </rule> + <rule key="SA_LOCAL_SELF_ASSIGNMENT" priority="CRITICAL"> + <name><![CDATA[Dodgy - Self assignment of local variable]]></name> + <configKey><![CDATA[SA_LOCAL_SELF_ASSIGNMENT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a self assignment of a local variable; e.g.</p> +<pre> + public void foo() { + int x = 3; + x = x; + } +</pre> +<p> +Such assignments are useless, and may indicate a logic error or typo. +</p>]]></description> + </rule> + <rule key="SA_FIELD_SELF_ASSIGNMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Self assignment of field]]></name> + <configKey><![CDATA[SA_FIELD_SELF_ASSIGNMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a self assignment of a field; e.g. +</p> +<pre> + int x; + public void foo() { + x = x; + } +</pre> +<p>Such assignments are useless, and may indicate a logic error or typo.</p>]]></description> + </rule> + <rule key="SA_FIELD_DOUBLE_ASSIGNMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Double assignment of field]]></name> + <configKey><![CDATA[SA_FIELD_DOUBLE_ASSIGNMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains a double assignment of a field; e.g. +</p> +<pre> + int x,y; + public void foo() { + x = x = 17; + } +</pre> +<p>Assigning to a field twice is useless, and may indicate a logic error or typo.</p>]]></description> + </rule> + <rule key="SA_LOCAL_DOUBLE_ASSIGNMENT" priority="CRITICAL"> + <name><![CDATA[Dodgy - Double assignment of local variable ]]></name> + <configKey><![CDATA[SA_LOCAL_DOUBLE_ASSIGNMENT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This method contains a double assignment of a local variable; e.g. +</p> +<pre> + public void foo() { + int x,y; + x = x = 17; + } +</pre> +<p>Assigning the same value to a variable twice is useless, and may indicate a logic error or typo.</p>]]></description> + </rule> + <rule key="SA_FIELD_SELF_COMPUTATION" priority="CRITICAL"> + <name><![CDATA[Correctness - Nonsensical self computation involving a field (e.g., x & x)]]></name> + <configKey><![CDATA[SA_FIELD_SELF_COMPUTATION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method performs a nonsensical computation of a field with another +reference to the same field (e.g., x&x or x-x). Because of the nature +of the computation, this operation doesn't seem to make sense, +and may indicate a typo or +a logic error. Double check the computation. +</p>]]></description> + </rule> + <rule key="SA_LOCAL_SELF_COMPUTATION" priority="CRITICAL"> + <name><![CDATA[Correctness - Nonsensical self computation involving a variable (e.g., x & x)]]></name> + <configKey><![CDATA[SA_LOCAL_SELF_COMPUTATION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method performs a nonsensical computation of a local variable with another +reference to the same variable (e.g., x&x or x-x). Because of the nature +of the computation, this operation doesn't seem to make sense, +and may indicate a typo or +a logic error. Double check the computation. +</p>]]></description> + </rule> + <rule key="SA_FIELD_SELF_COMPARISON" priority="CRITICAL"> + <name><![CDATA[Correctness - Self comparison of field with itself]]></name> + <configKey><![CDATA[SA_FIELD_SELF_COMPARISON]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares a field with itself, and may indicate a typo or +a logic error. Make sure that you are comparing the right things. +</p>]]></description> + </rule> + <rule key="SA_LOCAL_SELF_COMPARISON" priority="CRITICAL"> + <name><![CDATA[Correctness - Self comparison of value with itself]]></name> + <configKey><![CDATA[SA_LOCAL_SELF_COMPARISON]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares a local variable with itself, and may indicate a typo or +a logic error. Make sure that you are comparing the right things. +</p>]]></description> + </rule> + <rule key="DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT" priority="CRITICAL"> + <name><![CDATA[Correctness - Double.longBitsToDouble invoked on an int]]></name> + <configKey><![CDATA[DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> The Double.longBitsToDouble method is invoked, but a 32 bit int value is passed + as an argument. This almostly certainly is not intended and is unlikely + to give the intended result. +</p>]]></description> + </rule> + <rule key="DMI_RANDOM_USED_ONLY_ONCE" priority="CRITICAL"> + <name><![CDATA[Bad practice - Random object created and used only once]]></name> + <configKey><![CDATA[DMI_RANDOM_USED_ONLY_ONCE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This code creates a java.util.Random object, uses it to generate one random number, and then discards +the Random object. This produces mediocre quality random numbers and is inefficient. +If possible, rewrite the code so that the Random object is created once and saved, and each time a new random number +is required invoke a method on the existing Random object to obtain it. +</p> + +<p>If it is important that the generated Random numbers not be guessable, you <em>must</em> not create a new Random for each random +number; the values are too easily guessable. You should strongly consider using a java.security.SecureRandom instead +(and avoid allocating a new SecureRandom for each random number needed). +</p>]]></description> + </rule> + <rule key="RV_ABSOLUTE_VALUE_OF_RANDOM_INT" priority="CRITICAL"> + <name><![CDATA[Correctness - Bad attempt to compute absolute value of signed 32-bit random integer]]></name> + <configKey><![CDATA[RV_ABSOLUTE_VALUE_OF_RANDOM_INT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code generates a random signed integer and then computes +the absolute value of that random integer. If the number returned by the random number +generator is <code>Integer.MIN_VALUE</code>, then the result will be negative as well (since +<code>Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE</code>). +</p>]]></description> + </rule> + <rule key="RV_ABSOLUTE_VALUE_OF_HASHCODE" priority="CRITICAL"> + <name><![CDATA[Correctness - Bad attempt to compute absolute value of signed 32-bit hashcode ]]></name> + <configKey><![CDATA[RV_ABSOLUTE_VALUE_OF_HASHCODE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code generates a hashcode and then computes +the absolute value of that hashcode. If the hashcode +is <code>Integer.MIN_VALUE</code>, then the result will be negative as well (since +<code>Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE</code>). +</p>]]></description> + </rule> + <rule key="RV_REM_OF_RANDOM_INT" priority="CRITICAL"> + <name><![CDATA[Dodgy - Remainder of 32-bit signed random integer]]></name> + <configKey><![CDATA[RV_REM_OF_RANDOM_INT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This code generates a random signed integer and then computes +the remainder of that value modulo another value. Since the random +number can be negative, the result of the remainder operation +can also be negative. Be sure this is intended, and strongly +consider using the Random.nextInt(int) method instead. +</p>]]></description> + </rule> + <rule key="RV_REM_OF_HASHCODE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Remainder of hashCode could be negative]]></name> + <configKey><![CDATA[RV_REM_OF_HASHCODE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This code computes a hashCode, and then computes +the remainder of that value modulo another value. Since the hashCode +can be negative, the result of the remainder operation +can also be negative. </p> +<p> Assuming you want to ensure that the result of your computation is nonnegative, +you may need to change your code. +If you know the divisor is a power of 2, +you can use a bitwise and operator instead (i.e., instead of +using <code>x.hashCode()%n</code>, use <code>x.hashCode()&(n-1)</code>. +This is probably faster than computing the remainder as well. +If you don't know that the divisor is a power of 2, take the absolute +value of the result of the remainder operation (i.e., use +<code>Math.abs(x.hashCode()%n)</code> +</p>]]></description> + </rule> + <rule key="INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE" priority="CRITICAL"> + <name><![CDATA[Correctness - Bad comparison of nonnegative value with negative constant]]></name> + <configKey><![CDATA[INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This code compares a value that is guaranteed to be non-negative with a negative constant. +</p>]]></description> + </rule> + <rule key="INT_BAD_COMPARISON_WITH_SIGNED_BYTE" priority="CRITICAL"> + <name><![CDATA[Correctness - Bad comparison of signed byte]]></name> + <configKey><![CDATA[INT_BAD_COMPARISON_WITH_SIGNED_BYTE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Signed bytes can only have a value in the range -128 to 127. Comparing +a signed byte with a value outside that range is vacuous and likely to be incorrect. +To convert a signed byte <code>b</code> to an unsigned value in the range 0..255, +use <code>0xff & b</code> +</p>]]></description> + </rule> + <rule key="INT_VACUOUS_BIT_OPERATION" priority="CRITICAL"> + <name><![CDATA[Dodgy - Vacuous bit mask operation on integer value]]></name> + <configKey><![CDATA[INT_VACUOUS_BIT_OPERATION]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> This is an integer bit operation (and, or, or exclusive or) that doesn't do any useful work +(e.g., <code>v & 0xffffffff</code>). + +</p>]]></description> + </rule> + <rule key="INT_VACUOUS_COMPARISON" priority="CRITICAL"> + <name><![CDATA[Dodgy - Vacuous comparison of integer value]]></name> + <configKey><![CDATA[INT_VACUOUS_COMPARISON]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> There is an integer comparison that always returns +the same value (e.g., x <= Integer.MAX_VALUE). +</p>]]></description> + </rule> + <rule key="INT_BAD_REM_BY_1" priority="CRITICAL"> + <name><![CDATA[Correctness - Integer remainder modulo 1]]></name> + <configKey><![CDATA[INT_BAD_REM_BY_1]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Any expression (exp % 1) is guaranteed to always return zero. +Did you mean (exp & 1) or (exp % 2) instead? +</p>]]></description> + </rule> + <rule key="BIT_IOR_OF_SIGNED_BYTE" priority="CRITICAL"> + <name><![CDATA[Correctness - Bitwise OR of signed byte value]]></name> + <configKey><![CDATA[BIT_IOR_OF_SIGNED_BYTE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Loads a value from a byte array and performs a bitwise OR with +that value. Values loaded from a byte array are sign extended to 32 bits +before any any bitwise operations are performed on the value. +Thus, if <code>b[0]</code> contains the value <code>0xff</code>, and +<code>x</code> is initially 0, then the code +<code>((x << 8) | b[0])</code> will sign extend <code>0xff</code> +to get <code>0xffffffff</code>, and thus give the value +<code>0xffffffff</code> as the result. +</p> + +<p>In particular, the following code for packing a byte array into an int is badly wrong: </p> +<pre> +int result = 0; +for(int i = 0; i < 4; i++) + result = ((result << 8) | b[i]); +</pre> + +<p>The following idiom will work instead: </p> +<pre> +int result = 0; +for(int i = 0; i < 4; i++) + result = ((result << 8) | (b[i] & 0xff)); +</pre>]]></description> + </rule> + <rule key="BIT_ADD_OF_SIGNED_BYTE" priority="CRITICAL"> + <name><![CDATA[Correctness - Bitwise add of signed byte value]]></name> + <configKey><![CDATA[BIT_ADD_OF_SIGNED_BYTE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Adds a byte value and a value which is known to the 8 lower bits clear. +Values loaded from a byte array are sign extended to 32 bits +before any any bitwise operations are performed on the value. +Thus, if <code>b[0]</code> contains the value <code>0xff</code>, and +<code>x</code> is initially 0, then the code +<code>((x << 8) + b[0])</code> will sign extend <code>0xff</code> +to get <code>0xffffffff</code>, and thus give the value +<code>0xffffffff</code> as the result. +</p> + +<p>In particular, the following code for packing a byte array into an int is badly wrong: </p> +<pre> +int result = 0; +for(int i = 0; i < 4; i++) + result = ((result << 8) + b[i]); +</pre> + +<p>The following idiom will work instead: </p> +<pre> +int result = 0; +for(int i = 0; i < 4; i++) + result = ((result << 8) + (b[i] & 0xff)); +</pre>]]></description> + </rule> + <rule key="BIT_AND" priority="CRITICAL"> + <name><![CDATA[Correctness - Incompatible bit masks]]></name> + <configKey><![CDATA[BIT_AND]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares an expression of the form (e & C) to D, +which will always compare unequal +due to the specific values of constants C and D. +This may indicate a logic error or typo.</p>]]></description> + </rule> + <rule key="BIT_SIGNED_CHECK" priority="CRITICAL"> + <name><![CDATA[Bad practice - Check for sign of bitwise operation]]></name> + <configKey><![CDATA[BIT_SIGNED_CHECK]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This method compares an expression such as +<pre>((event.detail & SWT.SELECTED) > 0)</pre>. +Using bit arithmetic and then comparing with the greater than operator can +lead to unexpected results (of course depending on the value of +SWT.SELECTED). If SWT.SELECTED is a negative number, this is a candidate +for a bug. Even when SWT.SELECTED is not negative, it seems good practice +to use '!= 0' instead of '> 0'. +</p> +<p> +<em>Boris Bokowski</em> +</p>]]></description> + </rule> + <rule key="BIT_SIGNED_CHECK_HIGH_BIT" priority="CRITICAL"> + <name><![CDATA[Correctness - Check for sign of bitwise operation]]></name> + <configKey><![CDATA[BIT_SIGNED_CHECK_HIGH_BIT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares an expression such as +<pre>((event.detail & SWT.SELECTED) > 0)</pre>. +Using bit arithmetic and then comparing with the greater than operator can +lead to unexpected results (of course depending on the value of +SWT.SELECTED). If SWT.SELECTED is a negative number, this is a candidate +for a bug. Even when SWT.SELECTED is not negative, it seems good practice +to use '!= 0' instead of '> 0'. +</p> +<p> +<em>Boris Bokowski</em> +</p>]]></description> + </rule> + <rule key="BIT_AND_ZZ" priority="CRITICAL"> + <name><![CDATA[Correctness - Check to see if ((...) & 0) == 0]]></name> + <configKey><![CDATA[BIT_AND_ZZ]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares an expression of the form (e & 0) to 0, +which will always compare equal. +This may indicate a logic error or typo.</p>]]></description> + </rule> + <rule key="BIT_IOR" priority="CRITICAL"> + <name><![CDATA[Correctness - Incompatible bit masks]]></name> + <configKey><![CDATA[BIT_IOR]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method compares an expression of the form (e | C) to D. +which will always compare unequal +due to the specific values of constants C and D. +This may indicate a logic error or typo.</p> + +<p> Typically, this bug occurs because the code wants to perform +a membership test in a bit set, but uses the bitwise OR +operator ("|") instead of bitwise AND ("&").</p>]]></description> + </rule> + <rule key="LI_LAZY_INIT_STATIC" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Incorrect lazy initialization of static field]]></name> + <configKey><![CDATA[LI_LAZY_INIT_STATIC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains an unsynchronized lazy initialization of a non-volatile static field. +Because the compiler or processor may reorder instructions, +threads are not guaranteed to see a completely initialized object, +<em>if the method can be called by multiple threads</em>. +You can make the field volatile to correct the problem. +For more information, see the +<a href="http://www.cs.umd.edu/~pugh/java/memoryModel/">Java Memory Model web site</a>. +</p>]]></description> + </rule> + <rule key="LI_LAZY_INIT_UPDATE_STATIC" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Incorrect lazy initialization and update of static field]]></name> + <configKey><![CDATA[LI_LAZY_INIT_UPDATE_STATIC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method contains an unsynchronized lazy initialization of a static field. +After the field is set, the object stored into that location is further accessed. +The setting of the field is visible to other threads as soon as it is set. If the +futher accesses in the method that set the field serve to initialize the object, then +you have a <em>very serious</em> multithreading bug, unless something else prevents +any other thread from accessing the stored object until it is fully initialized. +</p>]]></description> + </rule> + <rule key="JLM_JSR166_LOCK_MONITORENTER" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Synchronization performed on java.util.concurrent Lock]]></name> + <configKey><![CDATA[JLM_JSR166_LOCK_MONITORENTER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method performs synchronization on an implementation of +<code>java.util.concurrent.locks.Lock</code>. You should use +the <code>lock()</code> and <code>unlock()</code> methods instead. +</p>]]></description> + </rule> + <rule key="UPM_UNCALLED_PRIVATE_METHOD" priority="CRITICAL"> + <name><![CDATA[Performance - Private method is never called]]></name> + <configKey><![CDATA[UPM_UNCALLED_PRIVATE_METHOD]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This private method is never called. Although it is +possible that the method will be invoked through reflection, +it is more likely that the method is never used, and should be +removed. +</p>]]></description> + </rule> + <rule key="UMAC_UNCALLABLE_METHOD_OF_ANONYMOUS_CLASS" priority="CRITICAL"> + <name><![CDATA[Correctness - Uncallable method defined in anonymous class]]></name> + <configKey><![CDATA[UMAC_UNCALLABLE_METHOD_OF_ANONYMOUS_CLASS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This anonymous class defined a method that is not directly invoked and does not override +a method in a superclass. Since methods in other classes cannot directly invoke methods +declared in an anonymous class, it seems that this method is uncallable. The method +might simply be dead code, but it is also possible that the method is intended to +override a method declared in a superclass, and due to an typo or other error the method does not, +in fact, override the method it is intended to. +</p>]]></description> + </rule> + <rule key="ODR_OPEN_DATABASE_RESOURCE" priority="CRITICAL"> + <name><![CDATA[Bad practice - Method may fail to close database resource]]></name> + <configKey><![CDATA[ODR_OPEN_DATABASE_RESOURCE]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The method creates a database resource (such as a database connection +or row set), does not assign it to any +fields, pass it to other methods, or return it, and does not appear to close +the object on all paths out of the method. Failure to +close database resources on all paths out of a method may +result in poor performance, and could cause the application to +have problems communicating with the database. +</p>]]></description> + </rule> + <rule key="ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH" priority="CRITICAL"> + <name><![CDATA[Bad practice - Method may fail to close database resource on exception]]></name> + <configKey><![CDATA[ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> The method creates a database resource (such as a database connection +or row set), does not assign it to any +fields, pass it to other methods, or return it, and does not appear to close +the object on all exception paths out of the method. Failure to +close database resources on all paths out of a method may +result in poor performance, and could cause the application to +have problems communicating with the database.</p>]]></description> + </rule> + <rule key="SBSC_USE_STRINGBUFFER_CONCATENATION" priority="CRITICAL"> + <name><![CDATA[Performance - Method concatenates strings using + in a loop]]></name> + <configKey><![CDATA[SBSC_USE_STRINGBUFFER_CONCATENATION]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> The method seems to be building a String using concatenation in a loop. +In each iteration, the String is converted to a StringBuffer/StringBuilder, + appended to, and converted back to a String. + This can lead to a cost quadratic in the number of iterations, + as the growing string is recopied in each iteration. </p> + +<p>Better performance can be obtained by using +a StringBuffer (or StringBuilder in Java 1.5) explicitly.</p> + +<p> For example:</p> +<pre> + // This is bad + String s = ""; + for (int i = 0; i < field.length; ++i) { + s = s + field[i]; + } + + // This is better + StringBuffer buf = new StringBuffer(); + for (int i = 0; i < field.length; ++i) { + buf.append(field[i]); + } + String s = buf.toString(); +</pre>]]></description> + </rule> + <rule key="ITA_INEFFICIENT_TO_ARRAY" priority="CRITICAL"> + <name><![CDATA[Performance - Method uses toArray() with zero-length array argument]]></name> + <configKey><![CDATA[ITA_INEFFICIENT_TO_ARRAY]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This method uses the toArray() method of a collection derived class, and passes +in a zero-length prototype array argument. It is more efficient to use +<code>myCollection.toArray(new Foo[myCollection.size()])</code> +If the array passed in is big enough to store all of the +elements of the collection, then it is populated and returned +directly. This avoids the need to create a second array +(by reflection) to return as the result.</p>]]></description> + </rule> + <rule key="IJU_ASSERT_METHOD_INVOKED_FROM_RUN_METHOD" priority="CRITICAL"> + <name><![CDATA[Correctness - JUnit assertion in run method will not be noticed by JUnit]]></name> + <configKey><![CDATA[IJU_ASSERT_METHOD_INVOKED_FROM_RUN_METHOD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A JUnit assertion is performed in a run method. Failed JUnit assertions +just result in exceptions being thrown. +Thus, if this exception occurs in a thread other than the thread that invokes +the test method, the exception will terminate the thread but not result +in the test failing. +</p>]]></description> + </rule> + <rule key="IJU_SETUP_NO_SUPER" priority="CRITICAL"> + <name><![CDATA[Correctness - TestCase defines setUp that doesn't call super.setUp()]]></name> + <configKey><![CDATA[IJU_SETUP_NO_SUPER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Class is a JUnit TestCase and implements the setUp method. The setUp method should call +super.setUp(), but doesn't.</p>]]></description> + </rule> + <rule key="IJU_TEARDOWN_NO_SUPER" priority="CRITICAL"> + <name><![CDATA[Correctness - TestCase defines tearDown that doesn't call super.tearDown()]]></name> + <configKey><![CDATA[IJU_TEARDOWN_NO_SUPER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Class is a JUnit TestCase and implements the tearDown method. The tearDown method should call +super.tearDown(), but doesn't.</p>]]></description> + </rule> + <rule key="IJU_SUITE_NOT_STATIC" priority="CRITICAL"> + <name><![CDATA[Correctness - TestCase implements a non-static suite method ]]></name> + <configKey><![CDATA[IJU_SUITE_NOT_STATIC]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Class is a JUnit TestCase and implements the suite() method. + The suite method should be declared as being static, but isn't.</p>]]></description> + </rule> + <rule key="IJU_BAD_SUITE_METHOD" priority="CRITICAL"> + <name><![CDATA[Correctness - TestCase declares a bad suite method ]]></name> + <configKey><![CDATA[IJU_BAD_SUITE_METHOD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Class is a JUnit TestCase and defines a suite() method. +However, the suite method needs to be declared as either +<pre>public static junit.framework.Test suite()</pre> +or +<pre>public static junit.framework.TestSuite suite()</pre> +</p>]]></description> + </rule> + <rule key="IJU_NO_TESTS" priority="CRITICAL"> + <name><![CDATA[Correctness - TestCase has no tests]]></name> + <configKey><![CDATA[IJU_NO_TESTS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Class is a JUnit TestCase but has not implemented any test methods</p>]]></description> + </rule> + <rule key="BOA_BADLY_OVERRIDDEN_ADAPTER" priority="CRITICAL"> + <name><![CDATA[Correctness - Class overrides a method implemented in super class Adapter wrongly]]></name> + <configKey><![CDATA[BOA_BADLY_OVERRIDDEN_ADAPTER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method overrides a method found in a parent class, where that class is an Adapter that implements +a listener defined in the java.awt.event or javax.swing.event package. As a result, this method will not +get called when the event occurs.</p>]]></description> + </rule> + <rule key="SQL_BAD_RESULTSET_ACCESS" priority="CRITICAL"> + <name><![CDATA[Correctness - Method attempts to access a result set field with index 0]]></name> + <configKey><![CDATA[SQL_BAD_RESULTSET_ACCESS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A call to getXXX or updateXXX methods of a result set was made where the +field index is 0. As ResultSet fields start at index 1, this is always a mistake.</p>]]></description> + </rule> + <rule key="SQL_BAD_PREPARED_STATEMENT_ACCESS" priority="CRITICAL"> + <name><![CDATA[Correctness - Method attempts to access a prepared statement parameter with index 0]]></name> + <configKey><![CDATA[SQL_BAD_PREPARED_STATEMENT_ACCESS]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> A call to a setXXX method of a prepared statement was made where the +parameter index is 0. As parameter indexes start at index 1, this is always a mistake.</p>]]></description> + </rule> + <rule key="SIO_SUPERFLUOUS_INSTANCEOF" priority="CRITICAL"> + <name><![CDATA[Correctness - Unnecessary type check done using instanceof operator]]></name> + <configKey><![CDATA[SIO_SUPERFLUOUS_INSTANCEOF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> Type check performed using the instanceof operator where it can be statically determined whether the object +is of the type requested. </p>]]></description> + </rule> + <rule key="EC_ARRAY_AND_NONARRAY" priority="CRITICAL"> + <name><![CDATA[Correctness - equals() used to compare array and nonarray]]></name> + <configKey><![CDATA[EC_ARRAY_AND_NONARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This method invokes the .equals(Object o) to compare an array and a reference that doesn't seem +to be an array. If things being compared are of different types, they are guaranteed to be unequal +and the comparison is almost certainly an error. Even if they are both arrays, the equals method +on arrays only determines of the two arrays are the same object. +To compare the +contents of the arrays, use java.util.Arrays.equals(Object[], Object[]). +</p>]]></description> + </rule> + <rule key="EC_BAD_ARRAY_COMPARE" priority="CRITICAL"> + <name><![CDATA[Correctness - Invocation of equals() on an array, which is equivalent to ==]]></name> + <configKey><![CDATA[EC_BAD_ARRAY_COMPARE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This method invokes the .equals(Object o) method on an array. Since arrays do not override the equals +method of Object, calling equals on an array is the same as comparing their addresses. To compare the +contents of the arrays, use java.util.Arrays.equals(Object[], Object[]). +</p>]]></description> + </rule> + <rule key="STI_INTERRUPTED_ON_CURRENTTHREAD" priority="CRITICAL"> + <name><![CDATA[Correctness - Unneeded use of currentThread() call, to call interrupted() ]]></name> + <configKey><![CDATA[STI_INTERRUPTED_ON_CURRENTTHREAD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This method invokes the Thread.currentThread() call, just to call the interrupted() method. As interrupted() is a +static method, is more simple and clear to use Thread.interrupted(). +</p>]]></description> + </rule> + <rule key="STI_INTERRUPTED_ON_UNKNOWNTHREAD" priority="CRITICAL"> + <name><![CDATA[Correctness - Static Thread.interrupted() method invoked on thread instance]]></name> + <configKey><![CDATA[STI_INTERRUPTED_ON_UNKNOWNTHREAD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This method invokes the Thread.interrupted() method on a Thread object that appears to be a Thread object that is +not the current thread. As the interrupted() method is static, the interrupted method will be called on a different +object than the one the author intended. +</p>]]></description> + </rule> + <rule key="IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN" priority="CRITICAL"> + <name><![CDATA[Correctness - A parameter is dead upon entry to a method but overwritten]]></name> + <configKey><![CDATA[IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The initial value of this parameter is ignored, and the parameter +is overwritten here. This often indicates a mistaken belief that +the write to the parameter will be conveyed back to +the caller. +</p>]]></description> + </rule> + <rule key="DLS_DEAD_LOCAL_STORE" priority="CRITICAL"> + <name><![CDATA[Dodgy - Dead store to local variable]]></name> + <configKey><![CDATA[DLS_DEAD_LOCAL_STORE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This instruction assigns a value to a local variable, +but the value is not read or used in any subsequent instruction. +Often, this indicates an error, because the value computed is never +used. +</p> +<p> +Note that Sun's javac compiler often generates dead stores for +final local variables. Because FindBugs is a bytecode-based tool, +there is no easy way to eliminate these false positives. +</p>]]></description> + </rule> + <rule key="DLS_DEAD_LOCAL_STORE_IN_RETURN" priority="CRITICAL"> + <name><![CDATA[Correctness - Useless assignment in return statement]]></name> + <configKey><![CDATA[DLS_DEAD_LOCAL_STORE_IN_RETURN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This statement assigns to a local variable in a return statement. This assignment +has effect. Please verify that this statement does the right thing. +</p>]]></description> + </rule> + <rule key="DLS_DEAD_STORE_OF_CLASS_LITERAL" priority="CRITICAL"> + <name><![CDATA[Correctness - Dead store of class literal]]></name> + <configKey><![CDATA[DLS_DEAD_STORE_OF_CLASS_LITERAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This instruction assigns a class literal to a variable and then never uses it. +<a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The behavior of this differs in Java 1.4 and in Java 5.</a> +In Java 1.4 and earlier, a reference to <code>Foo.class</code> would force the static initializer +for <code>Foo</code> to be executed, if it has not been executed already. +In Java 5 and later, it does not. +</p> +<p>See Sun's <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article on Java SE compatibility</a> +for more details and examples, and suggestions on how to force class initialization in Java 5. +</p>]]></description> + </rule> + <rule key="DLS_DEAD_LOCAL_STORE_OF_NULL" priority="CRITICAL"> + <name><![CDATA[Dodgy - Dead store of null to local variable]]></name> + <configKey><![CDATA[DLS_DEAD_LOCAL_STORE_OF_NULL]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>The code stores null into a local variable, and the stored value is not +read. This store may have been introduced to assist the garbage collector, but +as of Java SE 6.0, this is no longer needed or useful. +</p>]]></description> + </rule> + <rule key="MF_METHOD_MASKS_FIELD" priority="MAJOR"> + <name><![CDATA[Correctness - Method defines a variable that obscures a field]]></name> + <configKey><![CDATA[MF_METHOD_MASKS_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This method defines a local variable with the same name as a field +in this class or a superclass. This may cause the method to +read an uninitialized value from the field, leave the field uninitialized, +or both.</p>]]></description> + </rule> + <rule key="MF_CLASS_MASKS_FIELD" priority="MAJOR"> + <name><![CDATA[Correctness - Class defines field that masks a superclass field]]></name> + <configKey><![CDATA[MF_CLASS_MASKS_FIELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This class defines a field with the same name as a visible +instance field in a superclass. This is confusing, and +may indicate an error if methods update or access one of +the fields when they wanted the other.</p>]]></description> + </rule> + <rule key="WMI_WRONG_MAP_ITERATOR" priority="CRITICAL"> + <name><![CDATA[Performance - Inefficient use of keySet iterator instead of entrySet iterator]]></name> + <configKey><![CDATA[WMI_WRONG_MAP_ITERATOR]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This method accesses the value of a Map entry, using a key that was retrieved from +a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the +Map.get(key) lookup.</p>]]></description> + </rule> + <rule key="ISC_INSTANTIATE_STATIC_CLASS" priority="MAJOR"> + <name><![CDATA[Bad practice - Needless instantiation of class that only supplies static methods]]></name> + <configKey><![CDATA[ISC_INSTANTIATE_STATIC_CLASS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This class allocates an object that is based on a class that only supplies static methods. This object +does not need to be created, just access the static methods directly using the class name as a qualifier.</p>]]></description> + </rule> + <rule key="REC_CATCH_EXCEPTION" priority="MAJOR"> + <name><![CDATA[Dodgy - Exception is caught when Exception is not thrown]]></name> + <configKey><![CDATA[REC_CATCH_EXCEPTION]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This method uses a try-catch block that catches Exception objects, but Exception is not + thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to + say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception + each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, + masking potential bugs. + </p>]]></description> + </rule> + <rule key="FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER" priority="CRITICAL"> + <name><![CDATA[Correctness - Doomed test for equality to NaN]]></name> + <configKey><![CDATA[FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This code checks to see if a floating point value is equal to the special + Not A Number value (e.g., <code>if (x == Double.NaN)</code>). However, + because of the special semantics of <code>NaN</code>, no value + is equal to <code>Nan</code>, including <code>NaN</code>. Thus, + <code>x == Double.NaN</code> always evaluates to false. + + To check to see if a value contained in <code>x</code> + is the special Not A Number value, use + <code>Double.isNaN(x)</code> (or <code>Float.isNaN(x)</code> if + <code>x</code> is floating point precision). + </p>]]></description> + </rule> + <rule key="FE_FLOATING_POINT_EQUALITY" priority="CRITICAL"> + <name><![CDATA[Dodgy - Test for floating point equality]]></name> + <configKey><![CDATA[FE_FLOATING_POINT_EQUALITY]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This operation compares two floating point values for equality. + Because floating point calculations may involve rounding, + calculated float and double values may not be accurate. + For values that must be precise, such as monetary values, + consider using a fixed-precision type such as BigDecimal. + For values that need not be precise, consider comparing for equality + within some range, for example: + <code>if ( Math.abs(x - y) < .0000001 )</code>. + See the Java Language Specification, section 4.2.4. + </p>]]></description> + </rule> + <rule key="UM_UNNECESSARY_MATH" priority="CRITICAL"> + <name><![CDATA[Performance - Method calls static Math class method on a constant value]]></name> + <configKey><![CDATA[UM_UNNECESSARY_MATH]]></configKey> + <category name="Efficiency"/> + <description><![CDATA[<p> This method uses a static method from java.lang.Math on a constant value. This method's +result in this case, can be determined statically, and is faster and sometimes more accurate to +just use the constant. Methods detected are: +</p> +<table> +<tr> + <th>Method</th> <th>Parameter</th> +</tr> +<tr> + <td>abs</td> <td>-any-</td> +</tr> +<tr> + <td>acos</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>asin</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>atan</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>atan2</td> <td>0.0</td> +</tr> +<tr> + <td>cbrt</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>ceil</td> <td>-any-</td> +</tr> +<tr> + <td>cos</td> <td>0.0</td> +</tr> +<tr> + <td>cosh</td> <td>0.0</td> +</tr> +<tr> + <td>exp</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>expm1</td> <td>0.0</td> +</tr> +<tr> + <td>floor</td> <td>-any-</td> +</tr> +<tr> + <td>log</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>log10</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>rint</td> <td>-any-</td> +</tr> +<tr> + <td>round</td> <td>-any-</td> +</tr> +<tr> + <td>sin</td> <td>0.0</td> +</tr> +<tr> + <td>sinh</td> <td>0.0</td> +</tr> +<tr> + <td>sqrt</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>tan</td> <td>0.0</td> +</tr> +<tr> + <td>tanh</td> <td>0.0</td> +</tr> +<tr> + <td>toDegrees</td> <td>0.0 or 1.0</td> +</tr> +<tr> + <td>toRadians</td> <td>0.0</td> +</tr> +</table>]]></description> + </rule> + <rule key="RI_REDUNDANT_INTERFACES" priority="MAJOR"> + <name><![CDATA[Dodgy - Class implements same interface as superclass]]></name> + <configKey><![CDATA[RI_REDUNDANT_INTERFACES]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This class declares that it implements an interface that is also implemented by a superclass. + This is redundant because once a superclass implements an interface, all subclasses by default also + implement this interface. It may point out that the inheritance hierarchy has changed since + this class was created, and consideration should be given to the ownership of + the interface's implementation. + </p>]]></description> + </rule> + <rule key="MTIA_SUSPECT_STRUTS_INSTANCE_FIELD" priority="CRITICAL"> + <name><![CDATA[Dodgy - Class extends Struts Action class and uses instance variables]]></name> + <configKey><![CDATA[MTIA_SUSPECT_STRUTS_INSTANCE_FIELD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This class extends from a Struts Action class, and uses an instance member variable. Since only + one instance of a struts Action class is created by the Struts framework, and used in a + multithreaded way, this paradigm is highly discouraged and most likely problematic. Consider + only using method local variables. Only instance fields that are written outside of a monitor + are reported. + </p>]]></description> + </rule> + <rule key="MTIA_SUSPECT_SERVLET_INSTANCE_FIELD" priority="CRITICAL"> + <name><![CDATA[Dodgy - Class extends Servlet class and uses instance variables]]></name> + <configKey><![CDATA[MTIA_SUSPECT_SERVLET_INSTANCE_FIELD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This class extends from a Servlet class, and uses an instance member variable. Since only + one instance of a Servlet class is created by the J2EE framework, and used in a + multithreaded way, this paradigm is highly discouraged and most likely problematic. Consider + only using method local variables. + </p>]]></description> + </rule> + <rule key="PS_PUBLIC_SEMAPHORES" priority="CRITICAL"> + <name><![CDATA[Dodgy - Class exposes synchronization and semaphores in its public interface]]></name> + <configKey><![CDATA[PS_PUBLIC_SEMAPHORES]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This class uses synchronization along with wait(), notify() or notifyAll() on itself (the this + reference). Client classes that use this class, may, in addition, use an instance of this class + as a synchronizing object. Because two classes are using the same object for synchronization, + Multithread correctness is suspect. You should not synchronize nor call semaphore methods on + a public reference. Consider using a internal private member variable to control synchronization. + </p>]]></description> + </rule> + <rule key="ICAST_INTEGER_MULTIPLY_CAST_TO_LONG" priority="CRITICAL"> + <name><![CDATA[Dodgy - Result of integer multiplication cast to long]]></name> + <configKey><![CDATA[ICAST_INTEGER_MULTIPLY_CAST_TO_LONG]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code performs integer multiply and then converts the result to a long, +as in: +<code> +<pre> + long convertDaysToMilliseconds(int days) { return 1000*3600*24*days; } +</pre></code> +If the multiplication is done using long arithmetic, you can avoid +the possibility that the result will overflow. For example, you +could fix the above code to: +<code> +<pre> + long convertDaysToMilliseconds(int days) { return 1000L*3600*24*days; } +</pre></code> +or +<code> +<pre> + static final long MILLISECONDS_PER_DAY = 24L*3600*1000; + long convertDaysToMilliseconds(int days) { return days * MILLISECONDS_PER_DAY; } +</pre></code> +</p>]]></description> + </rule> + <rule key="ICAST_INT_CAST_TO_FLOAT_PASSED_TO_ROUND" priority="CRITICAL"> + <name><![CDATA[Correctness - int value cast to float and then passed to Math.round]]></name> + <configKey><![CDATA[ICAST_INT_CAST_TO_FLOAT_PASSED_TO_ROUND]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This code converts an int value to a float precision +floating point number and then +passing the result to the Math.round() function, which returns the int/long closest +to the argument. This operation should always be a no-op, +since the converting an integer to a float should give a number with no fractional part. +It is likely that the operation that generated the value to be passed +to Math.round was intended to be performed using +floating point arithmetic. +</p>]]></description> + </rule> + <rule key="ICAST_INT_CAST_TO_DOUBLE_PASSED_TO_CEIL" priority="CRITICAL"> + <name><![CDATA[Correctness - int value cast to double and then passed to Math.ceil]]></name> + <configKey><![CDATA[ICAST_INT_CAST_TO_DOUBLE_PASSED_TO_CEIL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This code converts an int value to a double precision +floating point number and then +passing the result to the Math.ceil() function, which rounds a double to +the next higher integer value. This operation should always be a no-op, +since the converting an integer to a double should give a number with no fractional part. +It is likely that the operation that generated the value to be passed +to Math.ceil was intended to be performed using double precision +floating point arithmetic. +</p>]]></description> + </rule> + <rule key="ICAST_IDIV_CAST_TO_DOUBLE" priority="CRITICAL"> + <name><![CDATA[Dodgy - int division result cast to double or float]]></name> + <configKey><![CDATA[ICAST_IDIV_CAST_TO_DOUBLE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code casts the result of an integer division operation to double or +float. +Doing division on integers truncates the result +to the integer value closest to zero. The fact that the result +was cast to double suggests that this precision should have been retained. +What was probably meant was to cast one or both of the operands to +double <em>before</em> performing the division. Here is an example: +</p> +<blockquote> +<pre> +int x = 2; +int y = 5; +// Wrong: yields result 0.0 +double value1 = x / y; + +// Right: yields result 0.4 +double value2 = x / (double) y; +</pre> +</blockquote>]]></description> + </rule> + <rule key="J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION" priority="CRITICAL"> + <name><![CDATA[Bad practice - Store of non serializable object into HttpSession]]></name> + <configKey><![CDATA[J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> +This code seems to be storing a non-serializable object into an HttpSession. +If this session is passivated or migrated, an error will result. +</p>]]></description> + </rule> + <rule key="DMI_NONSERIALIZABLE_OBJECT_WRITTEN" priority="CRITICAL"> + <name><![CDATA[Dodgy - Non serializable object written to ObjectOutput]]></name> + <configKey><![CDATA[DMI_NONSERIALIZABLE_OBJECT_WRITTEN]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code seems to be passing a non-serializable object to the ObjectOutput.writeObject method. +If the object is, indeed, non-serializable, an error will result. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - No previous argument for format string]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The format string specifies a relative index to request that the argument for the previous format specifier +be reused. However, there is no previous argument. +For example, +</p> +<p><code>formatter.format("%<s %s", "a", "b")</code> +</p> +<p>would throw a MissingFormatArgumentException when executed. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_BAD_CONVERSION" priority="CRITICAL"> + <name><![CDATA[Correctness - The type of a supplied argument doesn't match format specifier]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_BAD_CONVERSION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +One of the arguments is uncompatible with the corresponding format string specifier. +As a result, this will generate a runtime exception when executed. +For example, <code>String.format("%d", "1")</code> will generate an exception, since +the String "1" is incompatible with the format specifier %d. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_BAD_CONVERSION_TO_BOOLEAN" priority="MAJOR"> + <name><![CDATA[Dodgy - Non-Boolean argument formatted using %b format specifier]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_BAD_CONVERSION_TO_BOOLEAN]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +An argument not of type Boolean is being formatted with a %b format specifier. This won't throw an +exception; instead, it will print true for any nonnull value, and false for null. +This feature of format strings is strange, and may not be what you intended. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_BAD_CONVERSION_FROM_ARRAY" priority="MAJOR"> + <name><![CDATA[Correctness - Array formatted in useless way using format string]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_BAD_CONVERSION_FROM_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +One of the arguments being formatted with a format string is an array. This will be formatted +using a fairly useless format, such as [I@304282, which doesn't actually show the contents +of the array. +Consider wrapping the array using <code>Arrays.asList(...)</code> before handling it off to a formatted. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_ARG_MISMATCH" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Number of format-string arguments does not correspond to number of placeholders]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_ARG_MISMATCH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +A format-string method with a variable number of arguments is called, +but the number of arguments passed does not match with the number of +% placeholders in the format string. This is probably not what the +author intended. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED" priority="MAJOR"> + <name><![CDATA[Correctness - More arguments are passed that are actually used in the format string]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +A format-string method with a variable number of arguments is called, +but more arguments are passed than are actually used by the format string. +This won't cause a runtime exception, but the code may be silently omitting +information that was intended to be included in the formatted string. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_ILLEGAL" priority="CRITICAL"> + <name><![CDATA[Correctness - Illegal format string]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_ILLEGAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The format string is syntactically invalid, +and a runtime exception will occur when +this statement is executed. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_MISSING_ARGUMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Format string references missing argument]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_MISSING_ARGUMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +Not enough arguments are passed to satisfy a placeholder in the format string. +A runtime exception will occur when +this statement is executed. +</p>]]></description> + </rule> + <rule key="VA_FORMAT_STRING_BAD_ARGUMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Format string placeholder incompatible with passed argument]]></name> + <configKey><![CDATA[VA_FORMAT_STRING_BAD_ARGUMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The format string placeholder is incompatible with the corresponding +argument. For example, +<code> + System.out.println("%d\n", "hello"); +</code> +<p>The %d placeholder requires a numeric argument, but a string value is +passed instead. +A runtime exception will occur when +this statement is executed. +</p>]]></description> + </rule> + <rule key="VA_PRIMITIVE_ARRAY_PASSED_TO_OBJECT_VARARG" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Primitive array passed to function expecting a variable number of object arguments]]></name> + <configKey><![CDATA[VA_PRIMITIVE_ARRAY_PASSED_TO_OBJECT_VARARG]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This code passes a primitive array to a function that takes a variable number of object arguments. +This creates an array of length one to hold the primitive array and passes it to the function. +</p>]]></description> + </rule> + <rule key="BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS" priority="CRITICAL"> + <name><![CDATA[Bad practice - Equals method should not assume anything about the type of its argument]]></name> + <configKey><![CDATA[BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> +The <code>equals(Object o)</code> method shouldn't make any assumptions +about the type of <code>o</code>. It should simply return +false if <code>o</code> is not the same type as <code>this</code>. +</p>]]></description> + </rule> + <rule key="BC_BAD_CAST_TO_ABSTRACT_COLLECTION" priority="MAJOR"> + <name><![CDATA[Dodgy - Questionable cast to abstract collection ]]></name> + <configKey><![CDATA[BC_BAD_CAST_TO_ABSTRACT_COLLECTION]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code casts a Collection to an abstract collection +(such as <code>List</code>, <code>Set</code>, or <code>Map</code>). +Ensure that you are guaranteed that the object is of the type +you are casting to. If all you need is to be able +to iterate through a collection, you don't need to cast it to a Set or List. +</p>]]></description> + </rule> + <rule key="BC_IMPOSSIBLE_CAST" priority="BLOCKER"> + <name><![CDATA[Correctness - Impossible cast]]></name> + <configKey><![CDATA[BC_IMPOSSIBLE_CAST]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This cast will always throw a ClassCastException. +</p>]]></description> + </rule> + <rule key="NP_NULL_INSTANCEOF" priority="BLOCKER"> + <name><![CDATA[Correctness - A known null value is checked to see if it is an instance of a type]]></name> + <configKey><![CDATA[NP_NULL_INSTANCEOF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This instanceof test will always return false, since the value being checked is guaranteed to be null. +Although this is safe, make sure it isn't +an indication of some misunderstanding or some other logic error. +</p>]]></description> + </rule> + <rule key="BC_IMPOSSIBLE_INSTANCEOF" priority="CRITICAL"> + <name><![CDATA[Correctness - instanceof will always return false]]></name> + <configKey><![CDATA[BC_IMPOSSIBLE_INSTANCEOF]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This instanceof test will always return false. Although this is safe, make sure it isn't +an indication of some misunderstanding or some other logic error. +</p>]]></description> + </rule> + <rule key="BC_VACUOUS_INSTANCEOF" priority="CRITICAL"> + <name><![CDATA[Dodgy - instanceof will always return true]]></name> + <configKey><![CDATA[BC_VACUOUS_INSTANCEOF]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This instanceof test will always return true (unless the value being tested is null). +Although this is safe, make sure it isn't +an indication of some misunderstanding or some other logic error. +If you really want to test the value for being null, perhaps it would be clearer to do +better to do a null test rather than an instanceof test. +</p>]]></description> + </rule> + <rule key="BC_UNCONFIRMED_CAST" priority="CRITICAL"> + <name><![CDATA[Dodgy - Unchecked/unconfirmed cast]]></name> + <configKey><![CDATA[BC_UNCONFIRMED_CAST]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This cast is unchecked, and not all instances of the type casted from can be cast to +the type it is being cast to. Ensure that your program logic ensures that this +cast will not fail. +</p>]]></description> + </rule> + <rule key="BC_BAD_CAST_TO_CONCRETE_COLLECTION" priority="CRITICAL"> + <name><![CDATA[Dodgy - Questionable cast to concrete collection]]></name> + <configKey><![CDATA[BC_BAD_CAST_TO_CONCRETE_COLLECTION]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code casts an abstract collection (such as a Collection, List, or Set) +to a specific concrete implementation (such as an ArrayList or HashSet). +This might not be correct, and it may make your code fragile, since +it makes it harder to switch to other concrete implementations at a future +point. Unless you have a particular reason to do so, just use the abstract +collection class. +</p>]]></description> + </rule> + <rule key="RE_POSSIBLE_UNINTENDED_PATTERN" priority="CRITICAL"> + <name><![CDATA[Correctness - "." used for regular expression]]></name> + <configKey><![CDATA[RE_POSSIBLE_UNINTENDED_PATTERN]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +A String function is being invoked and "." is being passed +to a parameter that takes a regular expression as an argument. Is this what you intended? +For example +s.replaceAll(".", "/") will return a String in which <em>every</em> +character has been replaced by a / character. +</p>]]></description> + </rule> + <rule key="RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION" priority="CRITICAL"> + <name><![CDATA[Correctness - Invalid syntax for regular expression]]></name> + <configKey><![CDATA[RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code here uses a regular expression that is invalid according to the syntax +for regular expressions. This statement will throw a PatternSyntaxException when +executed. +</p>]]></description> + </rule> + <rule key="RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION" priority="CRITICAL"> + <name><![CDATA[Correctness - File.separator used for regular expression]]></name> + <configKey><![CDATA[RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code here uses <code>File.separator</code> +where a regular expression is required. This will fail on Windows +platforms, where the <code>File.separator</code> is a backslash, which is interpreted in a +regular expression as an escape character. Amoung other options, you can just use +<code>File.separatorChar=='\\' & "\\\\" : File.separator</code> instead of +<code>File.separator</code> + +</p>]]></description> + </rule> + <rule key="DLS_OVERWRITTEN_INCREMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Overwritten increment]]></name> + <configKey><![CDATA[DLS_OVERWRITTEN_INCREMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code performs an increment operation (e.g., <code>i++</code>) and then +immediately overwrites it. For example, <code>i = i++</code> immediately +overwrites the incremented value with the original value. +</p>]]></description> + </rule> + <rule key="ICAST_QUESTIONABLE_UNSIGNED_RIGHT_SHIFT" priority="CRITICAL"> + <name><![CDATA[Dodgy - Unsigned right shift cast to short/byte]]></name> + <configKey><![CDATA[ICAST_QUESTIONABLE_UNSIGNED_RIGHT_SHIFT]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +The code performs an unsigned right shift, whose result is then +cast to a short or byte, which discards the upper bits of the result. +Since the upper bits are discarded, there may be no difference between +a signed and unsigned right shift (depending upon the size of the shift). +</p>]]></description> + </rule> + <rule key="ICAST_BAD_SHIFT_AMOUNT" priority="CRITICAL"> + <name><![CDATA[Correctness - Integer shift by an amount not in the range 0..31]]></name> + <configKey><![CDATA[ICAST_BAD_SHIFT_AMOUNT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code performs an integer shift by a constant amount outside +the range 0..31. +The effect of this is to use the lower 5 bits of the integer +value to decide how much to shift by. This probably isn't want was expected, +and it at least confusing. +</p>]]></description> + </rule> + <rule key="IM_MULTIPLYING_RESULT_OF_IREM" priority="CRITICAL"> + <name><![CDATA[Correctness - Integer multiply of result of integer remainder]]></name> + <configKey><![CDATA[IM_MULTIPLYING_RESULT_OF_IREM]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code multiplies the result of an integer remaining by an integer constant. +Be sure you don't have your operator precedence confused. For example +i % 60 * 1000 is (i % 60) * 1000, not i % (60 * 1000). +</p>]]></description> + </rule> + <rule key="DMI_INVOKING_HASHCODE_ON_ARRAY" priority="CRITICAL"> + <name><![CDATA[Correctness - Invocation of hashCode on an array]]></name> + <configKey><![CDATA[DMI_INVOKING_HASHCODE_ON_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code invokes hashCode on an array. Calling hashCode on +an array returns the same value as System.identityHashCode, and ingores +the contents and length of the array. If you need a hashCode that +depends on the contents of an array <code>a</code>, +use <code>java.util.Arrays.hashCode(a)</code>. + +</p>]]></description> + </rule> + <rule key="DMI_INVOKING_TOSTRING_ON_ARRAY" priority="CRITICAL"> + <name><![CDATA[Correctness - Invocation of toString on an array]]></name> + <configKey><![CDATA[DMI_INVOKING_TOSTRING_ON_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code invokes toString on an array, which will generate a fairly useless result +such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable +String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12. +</p>]]></description> + </rule> + <rule key="DMI_INVOKING_TOSTRING_ON_ANONYMOUS_ARRAY" priority="CRITICAL"> + <name><![CDATA[Correctness - Invocation of toString on an array]]></name> + <configKey><![CDATA[DMI_INVOKING_TOSTRING_ON_ANONYMOUS_ARRAY]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The code invokes toString on an (anonymous) array. Calling toString on an array generates a fairly useless result +such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable +String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12. +</p>]]></description> + </rule> + <rule key="IM_AVERAGE_COMPUTATION_COULD_OVERFLOW" priority="CRITICAL"> + <name><![CDATA[Dodgy - Computation of average could overflow]]></name> + <configKey><![CDATA[IM_AVERAGE_COMPUTATION_COULD_OVERFLOW]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>The code computes the average of two integers using either division or signed right shift, +and then uses the result as the index of an array. +If the values being averaged are very large, this can overflow (resulting in the computation +of a negative average). Assuming that the result is intended to be nonnegative, you +can use an unsigned right shift instead. In other words, rather that using <code>(low+high)/2</code>, +use <code>(low+high) >>> 1</code> +</p> +<p>This bug exists in many earlier implementations of binary search and merge sort. +Martin Buchholz <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6412541">found and fixed it</a> +in the JDK libraries, and Joshua Bloch +<a href="http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html">widely +publicized the bug pattern</a>. +</p>]]></description> + </rule> + <rule key="IM_BAD_CHECK_FOR_ODD" priority="CRITICAL"> + <name><![CDATA[Dodgy - Check for oddness that won't work for negative numbers ]]></name> + <configKey><![CDATA[IM_BAD_CHECK_FOR_ODD]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +The code uses x % 2 == 1 to check to see if a value is odd, but this won't work +for negative numbers (e.g., (-5) % 2 == -1). If this code is intending to check +for oddness, consider using x & 1 == 1, or x % 2 != 0. +</p>]]></description> + </rule> + <rule key="DMI_HARDCODED_ABSOLUTE_FILENAME" priority="CRITICAL"> + <name><![CDATA[Dodgy - Code contains a hard coded reference to an absolute pathname]]></name> + <configKey><![CDATA[DMI_HARDCODED_ABSOLUTE_FILENAME]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p>This code constructs a File object using a hard coded to an absolute pathname +(e.g., <code>new File("/home/dannyc/workspace/j2ee/src/share/com/sun/enterprise/deployment");</code> +</p>]]></description> + </rule> + <rule key="DMI_BAD_MONTH" priority="CRITICAL"> + <name><![CDATA[Correctness - Bad constant value for month]]></name> + <configKey><![CDATA[DMI_BAD_MONTH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +This code passes a constant month +value outside the expected range of 0..11 to a method. +</p>]]></description> + </rule> + <rule key="DMI_USELESS_SUBSTRING" priority="CRITICAL"> + <name><![CDATA[Dodgy - Invocation of substring(0), which returns the original value]]></name> + <configKey><![CDATA[DMI_USELESS_SUBSTRING]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> +This code invokes substring(0) on a String, which returns the original value. +</p>]]></description> + </rule> + <rule key="DMI_CALLING_NEXT_FROM_HASNEXT" priority="CRITICAL"> + <name><![CDATA[Correctness - hasNext method invokes next]]></name> + <configKey><![CDATA[DMI_CALLING_NEXT_FROM_HASNEXT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> +The hasNext() method invokes the next() method. This is almost certainly wrong, +since the hasNext() method is not supposed to change the state of the iterator, +and the next method is supposed to change the state of the iterator. +</p>]]></description> + </rule> + <rule key="SWL_SLEEP_WITH_LOCK_HELD" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Method calls Thread.sleep() with a lock held]]></name> + <configKey><![CDATA[SWL_SLEEP_WITH_LOCK_HELD]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method calls Thread.sleep() with a lock held. This may result + in very poor performance and scalability, or a deadlock, since other threads may + be waiting to acquire the lock. It is a much better idea to call + wait() on the lock, which releases the lock and allows other threads + to run. + </p>]]></description> + </rule> + <rule key="DB_DUPLICATE_BRANCHES" priority="CRITICAL"> + <name><![CDATA[Dodgy - Method uses the same code for two branches]]></name> + <configKey><![CDATA[DB_DUPLICATE_BRANCHES]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This method uses the same code to implement two branches of a conditional branch. + Check to ensure that this isn't a coding mistake. + </p>]]></description> + </rule> + <rule key="DB_DUPLICATE_SWITCH_CLAUSES" priority="CRITICAL"> + <name><![CDATA[Dodgy - Method uses the same code for two switch clauses]]></name> + <configKey><![CDATA[DB_DUPLICATE_SWITCH_CLAUSES]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This method uses the same code to implement two clauses of a switch statement. + This could be a case of duplicate code, but it might also indicate + a coding mistake. + </p>]]></description> + </rule> + <rule key="XFB_XML_FACTORY_BYPASS" priority="CRITICAL"> + <name><![CDATA[Dodgy - Method directly allocates a specific implementation of xml interfaces]]></name> + <configKey><![CDATA[XFB_XML_FACTORY_BYPASS]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This method allocates a specific implementation of an xml interface. It is preferable to use + the supplied factory classes to create these objects so that the implementation can be + changed at runtime. See + </p> + <ul> + <li>javax.xml.parsers.DocumentBuilderFactory</li> + <li>javax.xml.parsers.SAXParserFactory</li> + <li>javax.xml.transform.TransformerFactory</li> + <li>org.w3c.dom.Document.create<i>XXXX</i></li> + </ul> + <p>for details.</p>]]></description> + </rule> + <rule key="CI_CONFUSED_INHERITANCE" priority="MINOR"> + <name><![CDATA[Dodgy - Class is final but declares protected field]]></name> + <configKey><![CDATA[CI_CONFUSED_INHERITANCE]]></configKey> + <category name="Usability"/> + <description><![CDATA[<p> + This class is declared to be final, but declares fields to be protected. Since the class + is final, it can not be derived from, and the use of protected is confusing. The access + modifier for the field should be changed to private or public to represent the true + use for the field. + </p>]]></description> + </rule> + <rule key="QBA_QUESTIONABLE_BOOLEAN_ASSIGNMENT" priority="CRITICAL"> + <name><![CDATA[Correctness - Method assigns boolean literal in boolean expression]]></name> + <configKey><![CDATA[QBA_QUESTIONABLE_BOOLEAN_ASSIGNMENT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method assigns a literal boolean value (true or false) to a boolean variable inside + an if or while expression. Most probably this was supposed to be a boolean comparison using + ==, not an assignment using =. + </p>]]></description> + </rule> + <rule key="GC_UNCHECKED_TYPE_IN_GENERIC_CALL" priority="CRITICAL"> + <name><![CDATA[Bad practice - Unchecked type in generic call]]></name> + <configKey><![CDATA[GC_UNCHECKED_TYPE_IN_GENERIC_CALL]]></configKey> + <category name="Maintainability"/> + <description><![CDATA[<p> This call to a generic collection method passes an argument + while compile type Object where a specific type from + the generic type parameters is expected. + Thus, neither the standard Java type system nor static analysis + can provide useful information on whether the + object being passed as a parameter is of an appropriate type. + </p>]]></description> + </rule> + <rule key="GC_UNRELATED_TYPES" priority="CRITICAL"> + <name><![CDATA[Correctness - No relationship between generic parameter and method argument]]></name> + <configKey><![CDATA[GC_UNRELATED_TYPES]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This call to a generic collection method contains an argument + with an incompatible class from that of the collection's parameter + (i.e., the type of the argument is neither a supertype nor a subtype + of the corresponding generic type argument). + Therefore, it is unlikely that the collection contains any objects + that are equal to the method argument used here. + Most likely, the wrong value is being passed to the method.</p> + <p>In general, instances of two unrelated classes are not equal. + For example, if the <code>Foo</code> and <code>Bar</code> classes + are not related by subtyping, then an instance of <code>Foo</code> + should not be equal to an instance of <code>Bar</code>. + Among other issues, doing so will likely result in an equals method + that is not symmetrical. For example, if you define the <code>Foo</code> class + so that a <code>Foo</code> can be equal to a <code>String</code>, + your equals method isn't symmetrical since a <code>String</code> can only be equal + to a <code>String</code>. + </p> + <p>In rare cases, people do define nonsymmetrical equals methods and still manage to make + their code work. Although none of the APIs document or guarantee it, it is typically + the case that if you check if a <code>Collection<String></code> contains + a <code>Foo</code>, the equals method of argument (e.g., the equals method of the + <code>Foo</code> class) used to perform the equality checks. + </p>]]></description> + </rule> + <rule key="DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES" priority="CRITICAL"> + <name><![CDATA[Correctness - Collections should not contain themselves]]></name> + <configKey><![CDATA[DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This call to a generic collection's method would only make sense if a collection contained +itself (e.g., if <code>s.contains(s)</code> were true). This is unlikely to be true and would cause +problems if it were true (such as the computation of the hash code resulting in infinite recursion). +It is likely that the wrong value is being passed as a parameter. + </p>]]></description> + </rule> + <rule key="DMI_VACUOUS_SELF_COLLECTION_CALL" priority="CRITICAL"> + <name><![CDATA[Correctness - Vacuous call to collections]]></name> + <configKey><![CDATA[DMI_VACUOUS_SELF_COLLECTION_CALL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> This call doesn't make sense. For any collection <code>c</code>, calling <code>c.containsAll(c)</code> should +always be true, and <code>c.retainAll(c)</code> should have no effect. + </p>]]></description> + </rule> + <rule key="DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION" priority="CRITICAL"> + <name><![CDATA[Correctness - Don't use removeAll to clear a collection]]></name> + <configKey><![CDATA[DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> If you want to remove all elements from a collection <code>c</code>, use <code>c.clear</code>, +not <code>c.removeAll(c)</code>. + </p>]]></description> + </rule> + <rule key="STCAL_STATIC_CALENDAR_INSTANCE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Static Calendar]]></name> + <configKey><![CDATA[STCAL_STATIC_CALENDAR_INSTANCE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>Even though the JavaDoc does not contain a hint about it, Calendars are inherently unsafe for multihtreaded use. +Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the +application. Under 1.4 problems seem to surface less often than under Java 5 where you will probably see +random ArrayIndexOutOfBoundsExceptions or IndexOutOfBoundsExceptions in sun.util.calendar.BaseCalendar.getCalendarDateFromFixedDate().</p> +<p>You may also experience serialization problems.</p> +<p>Using an instance field is recommended.</p> +<p>For more information on this see <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6231579">Sun Bug #6231579</a> +and <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6178997">Sun Bug #6178997</a>.</p>]]></description> + </rule> + <rule key="STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Call to static Calendar]]></name> + <configKey><![CDATA[STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>Even though the JavaDoc does not contain a hint about it, Calendars are inherently unsafe for multihtreaded use. +The detector has found a call to an instance of Calendar that has been obtained via a static +field. This looks suspicous.</p> +<p>For more information on this see <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6231579">Sun Bug #6231579</a> +and <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6178997">Sun Bug #6178997</a>.</p>]]></description> + </rule> + <rule key="STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Static DateFormat]]></name> + <configKey><![CDATA[STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. +Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the +application.</p> +<p>You may also experience serialization problems.</p> +<p>Using an instance field is recommended.</p> +<p>For more information on this see <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6231579">Sun Bug #6231579</a> +and <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6178997">Sun Bug #6178997</a>.</p>]]></description> + </rule> + <rule key="STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Call to static DateFormat]]></name> + <configKey><![CDATA[STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p>As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. +The detector has found a call to an instance of DateFormat that has been obtained via a static +field. This looks suspicous.</p> +<p>For more information on this see <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6231579">Sun Bug #6231579</a> +and <a href="http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6178997">Sun Bug #6178997</a>.</p>]]></description> + </rule> + <rule key="TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Value annotated as carrying a type qualifier used where a value that must not carry that qualifier is required]]></name> + <configKey><![CDATA[TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value specified as carrying a type qualifier annotation is + consumed in a location or locations requiring that the value not + carry that annotation. + </p> + + <p> + More precisely, a value annotated with a type qualifier specifying when=ALWAYS + is guaranteed to reach a use or uses where the same type qualifier specifies when=NEVER. + </p> + + <p> + For example, say that @NonNegative is a nickname for + the type qualifier annotation @Negative(when=When.NEVER). + The following code will generate this warning because + the return statement requires a @NonNegative value, + but receives one that is marked as @Negative. + </p> + <blockquote> +<pre> +public @NonNegative Integer example(@Negative Integer value) { + return value; +} +</pre> + </blockquote>]]></description> + </rule> + <rule key="TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Value annotated as never carrying a type qualifier used where value carrying that qualifier is required]]></name> + <configKey><![CDATA[TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value specified as not carrying a type qualifier annotation is guaranteed + to be consumed in a location or locations requiring that the value does + carry that annotation. + </p> + + <p> + More precisely, a value annotated with a type qualifier specifying when=NEVER + is guaranteed to reach a use or uses where the same type qualifier specifies when=ALWAYS. + </p> + + <p> + TODO: example + </p>]]></description> + </rule> + <rule key="TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Value that might not carry a type qualifier is always used in a way requires that type qualifier]]></name> + <configKey><![CDATA[TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value that is annotated as possibility not being an instance of + the values denoted by the type qualifier, and the value is guaranteed to be used + in a way that requires values denoted by that type qualifier. + </p>]]></description> + </rule> + <rule key="TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK" priority="CRITICAL"> + <name> + <![CDATA[Correctness - Value that might carry a type qualifier is always used in a way prohibits it from having that type qualifier]]></name> + <configKey><![CDATA[TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value that is annotated as possibility being an instance of + the values denoted by the type qualifier, and the value is guaranteed to be used + in a way that prohibits values denoted by that type qualifier. + </p>]]></description> + </rule> + <rule key="TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK" priority="CRITICAL"> + <name><![CDATA[Correctness - Explicit annotation inconsistent with use]]></name> + <configKey><![CDATA[TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value is used in a way that requires it to be never be a value denoted by a type qualifier, but + there is an explicit annotation stating that it is not known where the value is prohibited from having that type qualifier. + Either the usage or the annotation is incorrect. + </p>]]></description> + </rule> + <rule key="TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK" priority="CRITICAL"> + <name><![CDATA[Correctness - Explicit annotation inconsistent with use]]></name> + <configKey><![CDATA[TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value is used in a way that requires it to be always be a value denoted by a type qualifier, but + there is an explicit annotation stating that it is not known where the value is required to have that type qualifier. + Either the usage or the annotation is incorrect. + </p>]]></description> + </rule> + <rule key="IO_APPENDING_TO_OBJECT_OUTPUT_STREAM" priority="CRITICAL"> + <name><![CDATA[Correctness - Doomed attempt to append to an object output stream]]></name> + <configKey><![CDATA[IO_APPENDING_TO_OBJECT_OUTPUT_STREAM]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This code opens a file in append mode and then wraps the result in an object output stream. + This won't allow you to append to an existing object output stream stored in a file. If you want to be + able to append to an object output stream, you need to keep the object output stream open. + </p> + <p>The only situation in which opening a file in append mode and the writing an object output stream + could work is if on reading the file you plan to open it in random access mode and seek to the byte offset + where the append started. + </p> + + <p> + TODO: example. + </p>]]></description> + </rule> + <rule key="WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL" priority="CRITICAL"> + <name><![CDATA[Multithreaded correctness - Sychronization on getClass rather than class literal]]></name> + <configKey><![CDATA[WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This instance method synchronizes on <code>this.getClass()</code>. If this class is subclassed, + subclasses will synchronize on the class object for the subclass, which isn't likely what was intended. + For example, consider this code from java.awt.Label: + <pre> + private static final String base = "label"; + private static int nameCounter = 0; + String constructComponentName() { + synchronized (getClass()) { + return base + nameCounter++; + } + } + </pre></p> + <p>Subclasses of <code>Label</code> won't synchronize on the same subclass, giving rise to a datarace. + Instead, this code should be synchronizing on <code>Label.class</code> + <pre> + private static final String base = "label"; + private static int nameCounter = 0; + String constructComponentName() { + synchronized (Label.class) { + return base + nameCounter++; + } + } + </pre></p> + <p>Bug pattern contributed by Jason Mehrens</p>]]></description> + </rule> + <rule key="SF_SWITCH_FALLTHROUGH" priority="CRITICAL"> + <name> + <![CDATA[Switch statement found where one case falls through to the next case]]></name> + <configKey><![CDATA[SF_SWITCH_FALLTHROUGH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method contains a switch statement where one case branch will fall + through to the next case. Usually you need to end this case with a break or return. + </p>]]></description> + </rule> + <rule key="SF_SWITCH_NO_DEFAULT" priority="MAJOR"> + <name> + <![CDATA[Switch statement found where default case is missing]]></name> + <configKey><![CDATA[SF_SWITCH_NO_DEFAULT]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + This method contains a switch statement where default case is missing. + Usually you need to provide a default case. + </p>]]></description> + </rule> + <rule key="SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH" priority="CRITICAL"> + <name> + <![CDATA[Dead store due to switch statement fall through]]></name> + <configKey><![CDATA[SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value stored in the previous switch case is overwritten here due + to a switch fall through. It is likely that you forgot to put a + break or return at the end of the previous case. + </p>]]></description> + </rule> + <rule key="SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW" priority="CRITICAL"> + <name> + <![CDATA[Dead store due to switch statement fall through to throw]]></name> + <configKey><![CDATA[SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW]]></configKey> + <category name="Reliability"/> + <description><![CDATA[<p> + A value stored in the previous switch case is ignored here due + to a switch fall through to a place where an exception is thrown. + It is likely that you forgot to put a break or return at the end of the previous case. + </p>]]></description> + </rule> +</rules>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsAntConverterTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsAntConverterTest.java new file mode 100644 index 00000000000..e47a02c72a2 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsAntConverterTest.java @@ -0,0 +1,39 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import static org.hamcrest.CoreMatchers.is; +import static org.junit.Assert.assertThat; +import org.junit.Test; + +public class FindbugsAntConverterTest { + + @Test + public void convertToJavaRegexFormat() { + assertRegex("foo", "~foo"); + assertRegex("**/*Test.java", "~(.*\\.)?[^\\\\^\\s]*Test"); + } + + private void assertRegex(String antRegex, String javaRegex) { + assertThat(FindbugsAntConverter.antToJavaRegexpConvertor(antRegex), is(javaRegex)); + } + + +} diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandlerTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandlerTest.java new file mode 100644 index 00000000000..9b443c0c2ec --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsMavenPluginHandlerTest.java @@ -0,0 +1,189 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.maven.project.MavenProject;
+import static org.hamcrest.CoreMatchers.is;
+import org.hamcrest.core.Is;
+import static org.hamcrest.text.StringEndsWith.endsWith;
+import static org.junit.Assert.assertThat;
+import org.junit.Before;
+import org.junit.Test;
+import static org.mockito.Matchers.anyObject;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.argThat;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.*;
+import org.sonar.api.CoreProperties;
+import org.sonar.api.batch.maven.MavenPlugin;
+import org.sonar.api.profiles.RulesProfile;
+import org.sonar.api.resources.Project;
+import org.sonar.api.resources.ProjectFileSystem;
+import org.sonar.api.test.SimpleProjectFileSystem;
+import org.sonar.api.utils.SonarException;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class FindbugsMavenPluginHandlerTest {
+ private static final String TARGET_TMP_TESTS = "target/tmp-tests";
+
+ private Project project;
+ private ProjectFileSystem fs;
+ private File fakeSonarConfig;
+ private FindbugsRulesRepository repo;
+ private MavenPlugin plugin;
+ private FindbugsMavenPluginHandler handler;
+
+ @Before
+ public void setup() {
+ project = mock(Project.class);
+ fs = mock(ProjectFileSystem.class);
+ fakeSonarConfig = mock(File.class);
+ repo = mock(FindbugsRulesRepository.class);
+ plugin = mock(MavenPlugin.class);
+ handler = createMavenPluginHandler();
+ }
+
+ @Test
+ public void doOverrideConfig() throws Exception {
+ setupConfig();
+
+ handler.configureFilters(project, plugin);
+ verify(plugin).setParameter("includeFilterFile", "fakeSonarConfig.xml");
+ }
+
+ @Test
+ public void doReuseExistingRulesConfig() throws Exception {
+ setupConfig();
+ // See sonar 583
+ when(project.getReuseExistingRulesConfig()).thenReturn(true);
+ when(plugin.getParameter("excludeFilterFile")).thenReturn("existingConfig.xml");
+
+ handler.configureFilters(project, plugin);
+ verify(plugin, never()).setParameter(eq("includeFilterFile"), anyString());
+
+ setupConfig();
+ when(project.getReuseExistingRulesConfig()).thenReturn(true);
+ when(plugin.getParameter("includeFilterFile")).thenReturn("existingConfig.xml");
+
+ handler.configureFilters(project, plugin);
+ verify(plugin, never()).setParameter(eq("includeFilterFile"), anyString());
+ }
+
+ private void setupConfig() throws IOException {
+ when(fakeSonarConfig.getCanonicalPath()).thenReturn("fakeSonarConfig.xml");
+ when(project.getFileSystem()).thenReturn(fs);
+ when(fs.writeToWorkingDirectory(anyString(), anyString())).thenReturn(fakeSonarConfig);
+ }
+
+ @Test
+ public void shoulConfigurePlugin() throws URISyntaxException, IOException {
+
+ mockProject(CoreProperties.FINDBUGS_EFFORT_DEFAULT_VALUE);
+
+ handler.configure(project, plugin);
+
+ verify(plugin).setParameter("skip", "false");
+ verify(plugin).setParameter("xmlOutput", "true");
+ verify(plugin).setParameter("threshold", "Low");
+ verify(plugin).setParameter("effort", CoreProperties.FINDBUGS_EFFORT_DEFAULT_VALUE, false);
+ verify(plugin).setParameter(eq("classFilesDirectory"), anyString());
+ verify(plugin).setParameter(eq("includeFilterFile"), argThat(endsWith("findbugs-include.xml")));
+ assertFindbugsIncludeFileIsSaved();
+ }
+
+ @Test(expected = SonarException.class)
+ public void shoulFailIfNoCompiledClasses() throws URISyntaxException, IOException {
+ when(project.getFileSystem()).thenReturn(fs);
+
+ handler.configure(project, plugin);
+ }
+
+ @Test
+ public void shouldConfigureEffort() throws URISyntaxException, IOException {
+ FindbugsMavenPluginHandler handler = createMavenPluginHandler();
+ mockProject("EffortSetInPom");
+ MavenPlugin plugin = mock(MavenPlugin.class);
+
+ handler.configure(project, plugin);
+
+ verify(plugin).setParameter("effort", "EffortSetInPom", false);
+ }
+
+ @Test
+ public void shouldConvertAntToJavaRegexp() {
+ // see SONAR-853
+ assertAntPatternEqualsToFindBugsRegExp("?", "~.", "g");
+ assertAntPatternEqualsToFindBugsRegExp("*/myClass.JaVa", "~([^\\\\^\\s]*\\.)?myClass", "foo.bar.test.myClass");
+ assertAntPatternEqualsToFindBugsRegExp("*/myClass.java", "~([^\\\\^\\s]*\\.)?myClass", "foo.bar.test.myClass");
+ assertAntPatternEqualsToFindBugsRegExp("*/myClass2.jav", "~([^\\\\^\\s]*\\.)?myClass2", "foo.bar.test.myClass2");
+ assertAntPatternEqualsToFindBugsRegExp("*/myOtherClass", "~([^\\\\^\\s]*\\.)?myOtherClass", "foo.bar.test.myOtherClass");
+ assertAntPatternEqualsToFindBugsRegExp("*", "~[^\\\\^\\s]*", "ga.%#123_(*");
+ assertAntPatternEqualsToFindBugsRegExp("**", "~.*", "gd.3reqg.3151];9#@!");
+ assertAntPatternEqualsToFindBugsRegExp("**/generated/**", "~(.*\\.)?generated\\..*", "!@$Rq/32T$).generated.##TR.e#@!$");
+ assertAntPatternEqualsToFindBugsRegExp("**/cl*nt/*", "~(.*\\.)?cl[^\\\\^\\s]*nt\\.[^\\\\^\\s]*", "!#$_.clr31r#!$(nt.!#$QRW)(.");
+ assertAntPatternEqualsToFindBugsRegExp("**/org/apache/commons/**", "~(.*\\.)?org\\.apache\\.commons\\..*", "org.apache.commons.httpclient.contrib.ssl");
+ assertAntPatternEqualsToFindBugsRegExp("*/org/apache/commons/**", "~([^\\\\^\\s]*\\.)?org\\.apache\\.commons\\..*", "org.apache.commons.httpclient.contrib.ssl");
+ assertAntPatternEqualsToFindBugsRegExp("org/apache/commons/**", "~org\\.apache\\.commons\\..*", "org.apache.commons.httpclient.contrib.ssl");
+ }
+
+ @Test
+ public void shouldntMatchThoseClassPattern() {
+ // see SONAR-853
+ assertJavaRegexpResult("[^\\\\^\\s]", "fad f.ate 12#)", false);
+ }
+
+ private void assertAntPatternEqualsToFindBugsRegExp(String antPattern, String regExp, String example) {
+ assertThat(FindbugsAntConverter.antToJavaRegexpConvertor(antPattern), Is.is(regExp));
+ String javaRegexp = regExp.substring(1, regExp.length());
+ assertJavaRegexpResult(javaRegexp, example, true);
+ }
+
+ private void assertJavaRegexpResult(String javaRegexp, String example, boolean expectedResult) {
+ Pattern pattern = Pattern.compile(javaRegexp);
+ Matcher matcher = pattern.matcher(example);
+ assertThat(example + " tested with pattern " + javaRegexp, matcher.matches(), Is.is(expectedResult));
+ }
+
+ private void assertFindbugsIncludeFileIsSaved() {
+ File findbugsIncludeFile = new File(TARGET_TMP_TESTS + "/target/sonar/findbugs-include.xml");
+ assertThat(findbugsIncludeFile.exists(), is(true));
+ }
+
+ private FindbugsMavenPluginHandler createMavenPluginHandler() {
+ when(repo.exportConfiguration((RulesProfile) anyObject())).thenReturn("<test/>");
+ return new FindbugsMavenPluginHandler(new RulesProfile(), repo);
+ }
+
+ private void mockProject(String effort) throws URISyntaxException, IOException {
+ when(project.getPom()).thenReturn(new MavenProject());
+ when(project.getFileSystem()).thenReturn(new SimpleProjectFileSystem(new File(TARGET_TMP_TESTS)));
+
+ Configuration conf = mock(Configuration.class);
+ when(project.getConfiguration()).thenReturn(conf);
+ when(conf.getString(eq(CoreProperties.FINDBUGS_EFFORT_PROPERTY), anyString())).thenReturn(effort);
+
+ }
+}
diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest.java new file mode 100644 index 00000000000..2033a209f43 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest.java @@ -0,0 +1,186 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import org.apache.commons.io.IOUtils; +import org.hamcrest.BaseMatcher; +import static org.hamcrest.CoreMatchers.is; +import org.hamcrest.Description; +import static org.junit.Assert.*; +import org.junit.Before; +import org.junit.Ignore; +import org.junit.Test; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; +import org.sonar.api.CoreProperties; +import org.sonar.api.profiles.RulesProfile; +import org.sonar.api.resources.Java; +import org.sonar.api.rules.ActiveRule; +import org.sonar.api.rules.Rule; +import org.sonar.api.rules.RulePriority; +import org.xml.sax.SAXException; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; + +public class FindbugsRulesRepositoryTest extends FindbugsTests { + + private FindbugsRulesRepository repository; + + @Before + public void setup() { + repository = new FindbugsRulesRepository(new Java()); + } + + @Test + public void rulesAreDefinedWithTheDefaultSonarXmlFormat() { + List<Rule> rules = repository.getInitialReferential(); + assertTrue(rules.size() > 0); + for (Rule rule : rules) { + assertNotNull(rule.getKey()); + assertNotNull(rule.getDescription()); + assertNotNull(rule.getConfigKey()); + assertNotNull(rule.getName()); + } + } + + @Test + @Ignore + public void shouldProvideProfiles() { + List<RulesProfile> profiles = repository.getProvidedProfiles(); + assertThat(profiles.size(), is(1)); + + RulesProfile profile1 = profiles.get(0); + assertThat(profile1.getName(), is(RulesProfile.SONAR_WAY_FINDBUGS_NAME)); + assertEquals(profile1.getActiveRules().size(), 344); + } + + @Test + public void shouldAddHeaderToExportedXml() throws IOException, SAXException { + RulesProfile rulesProfile = mock(RulesProfile.class); + when(rulesProfile.getActiveRulesByPlugin(CoreProperties.FINDBUGS_PLUGIN)).thenReturn(Collections.<ActiveRule>emptyList()); + + assertXmlAreSimilar(repository.exportConfiguration(rulesProfile), "test_header.xml"); + } + + @Test + public void shouldExportConfiguration() throws IOException, SAXException { + List<Rule> rules = buildRulesFixture(); + List<ActiveRule> activeRulesExpected = buildActiveRulesFixture(rules); + RulesProfile activeProfile = new RulesProfile(); + activeProfile.setActiveRules(activeRulesExpected); + + assertXmlAreSimilar(repository.exportConfiguration(activeProfile), "test_xml_complete.xml"); + } + + @Test + public void shouldImportPatterns() throws IOException { + InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportPatterns.xml"); + List<ActiveRule> results = repository.importConfiguration(IOUtils.toString(input), buildRulesFixtureImport()); + + assertThat(results.size(), is(2)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_1", RulePriority.MAJOR)); + assertThat(results, new ContainsActiveRule("FB2_IMPORT_TEST_4", RulePriority.MAJOR)); + } + + @Test + public void shouldImportCodes() throws IOException { + InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCodes.xml"); + List<ActiveRule> results = repository.importConfiguration(IOUtils.toString(input), buildRulesFixtureImport()); + + assertThat(results.size(), is(4)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_1", RulePriority.MAJOR)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_2", RulePriority.MAJOR)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_3", RulePriority.MAJOR)); + assertThat(results, new ContainsActiveRule("FB3_IMPORT_TEST_5", RulePriority.MAJOR)); + } + + @Test + public void shouldImportCategories() throws IOException { + InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCategories.xml"); + List<ActiveRule> results = repository.importConfiguration(IOUtils.toString(input), buildRulesFixtureImport()); + + assertThat(results.size(), is(4)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_1", RulePriority.INFO)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_2", RulePriority.INFO)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_3", RulePriority.INFO)); + assertThat(results, new ContainsActiveRule("FB2_IMPORT_TEST_4", RulePriority.INFO)); + } + + @Test + public void shouldImportConfigurationBugInclude() throws IOException { + InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/findbugs-include.xml"); + List<ActiveRule> results = repository.importConfiguration(IOUtils.toString(input), buildRulesFixtureImport()); + + assertThat(results.size(), is(4)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_1", null)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_2", null)); + assertThat(results, new ContainsActiveRule("FB1_IMPORT_TEST_3", null)); + assertThat(results, new ContainsActiveRule("FB2_IMPORT_TEST_4", null)); + } + + private static List<Rule> buildRulesFixtureImport() { + Rule rule1 = new Rule("Correctness - Import test 1 group 1", "FB1_IMPORT_TEST_1", + "FB1_IMPORT_TEST_1", null, CoreProperties.FINDBUGS_PLUGIN, null); + + Rule rule2 = new Rule("Multithreaded correctness - Import test 2 group 1", "FB1_IMPORT_TEST_2", + "FB1_IMPORT_TEST_2", null, CoreProperties.FINDBUGS_PLUGIN, null); + + Rule rule3 = new Rule("Multithreaded correctness - Import test 3 group 1", "FB1_IMPORT_TEST_3", + "FB1_IMPORT_TEST_3", null, CoreProperties.FINDBUGS_PLUGIN, null); + + Rule rule4 = new Rule("Multithreaded correctness - Import test 4 group 2", "FB2_IMPORT_TEST_4", + "FB2_IMPORT_TEST_4", null, CoreProperties.FINDBUGS_PLUGIN, null); + + Rule rule5 = new Rule("Style - Import test 5 group 3", "FB3_IMPORT_TEST_5", + "FB3_IMPORT_TEST_5", null, CoreProperties.FINDBUGS_PLUGIN, null); + + return Arrays.asList(rule1, rule2, rule3, rule4, rule5); + } +} + +class ContainsActiveRule extends BaseMatcher<List<ActiveRule>> { + private String key; + private RulePriority priority; + + ContainsActiveRule(String key, RulePriority priority) { + this.key = key; + this.priority = priority; + } + + public boolean matches(Object o) { + List<ActiveRule> rules = (List<ActiveRule>) o; + for (ActiveRule rule : rules) { + if (rule.getRule().getKey().equals(key)) { + if (priority == null) { + return true; + } + return rule.getPriority().equals(priority); + } + } + return false; + } + + public void describeTo(Description description) { + } +} diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsSensorTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsSensorTest.java new file mode 100644 index 00000000000..feed2b855a9 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsSensorTest.java @@ -0,0 +1,137 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; +import static org.mockito.Matchers.any; +import static org.mockito.Matchers.argThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import java.io.File; + +import org.apache.commons.configuration.Configuration; +import org.apache.maven.project.MavenProject; +import org.junit.Test; +import org.sonar.api.CoreProperties; +import org.sonar.api.batch.SensorContext; +import org.sonar.api.resources.DefaultProjectFileSystem; +import org.sonar.api.resources.JavaFile; +import org.sonar.api.resources.Project; +import org.sonar.api.resources.Resource; +import org.sonar.api.rules.Violation; +import org.sonar.api.test.IsViolation; + +public class FindbugsSensorTest extends FindbugsTests { + + @Test + public void shouldExecuteWhenSomeRulesAreActive() throws Exception { + FindbugsSensor sensor = new FindbugsSensor(createRulesProfileWithActiveRules(), createRulesManager(), null); + Project project = createProject(); + assertTrue(sensor.shouldExecuteOnProject(project)); + } + + @Test + public void shouldNotExecuteWhenNoRulesAreActive() throws Exception { + FindbugsSensor analyser = new FindbugsSensor(createRulesProfileWithoutActiveRules(), createRulesManager(), null); + Project pom = createProject(); + assertFalse(analyser.shouldExecuteOnProject(pom)); + } + + @Test + public void testGetMavenPluginHandlerWhenFindbugsReportPathExists() throws Exception { + FindbugsSensor analyser = new FindbugsSensor(createRulesProfileWithoutActiveRules(), createRulesManager(), + mock(FindbugsMavenPluginHandler.class)); + Project pom = createProject(); + Configuration conf = mock(Configuration.class); + when(conf.getString(CoreProperties.FINDBUGS_REPORT_PATH)).thenReturn("pathToFindbugsReport"); + when(pom.getConfiguration()).thenReturn(conf); + assertThat(analyser.getMavenPluginHandler(pom), is(nullValue())); + } + + @Test + public void testGetFindbugsReport() { + FindbugsSensor analyser = new FindbugsSensor(createRulesProfileWithActiveRules(), createRulesManager(), + null); + Project pom = createProject(); + Configuration conf = mock(Configuration.class); + when(pom.getConfiguration()).thenReturn(conf); + assertThat(analyser.getFindbugsReportFile(pom).getName(), is("findbugsXml.xml")); + + when(conf.getString(CoreProperties.FINDBUGS_REPORT_PATH)).thenReturn("myFindbugs.xml"); + assertThat(analyser.getFindbugsReportFile(pom).getName(), is("myFindbugs.xml")); + } + + @Test + public void shouldNotExecuteOnEar() { + Project project = createProject(); + when(project.getPom().getPackaging()).thenReturn("ear"); + FindbugsSensor analyser = new FindbugsSensor(createRulesProfileWithActiveRules(), createRulesManager(), null); + assertFalse(analyser.shouldExecuteOnProject(project)); + } + + @Test + public void testAnalyse() throws Exception { + + SensorContext context = mock(SensorContext.class); + Project project = createProject(); + Configuration conf = mock(Configuration.class); + File xmlFile = new File(getClass().getResource("/org/sonar/plugins/findbugs/findbugsXml.xml").toURI()); + when(conf.getString(CoreProperties.FINDBUGS_REPORT_PATH)).thenReturn(xmlFile.getAbsolutePath()); + when(project.getConfiguration()).thenReturn(conf); + when(context.getResource(any(Resource.class))).thenReturn(new JavaFile("org.sonar.MyClass")); + + FindbugsSensor analyser = new FindbugsSensor(createRulesProfileWithoutActiveRules(), createRulesManager(), + null); + analyser.analyse(project, context); + + verify(context, times(3)).saveViolation(any(Violation.class)); + + Violation wanted = new Violation(null, new JavaFile("org.sonar.commons.ZipUtils")) + .setMessage("Empty zip file entry created in org.sonar.commons.ZipUtils._zip(String, File, ZipOutputStream)") + .setLineId(107); + + verify(context).saveViolation(argThat(new IsViolation(wanted))); + + wanted = new Violation(null, new JavaFile("org.sonar.commons.resources.MeasuresDao")) + .setMessage("The class org.sonar.commons.resources.MeasuresDao$1 could be refactored into a named _static_ inner class") + .setLineId(56); + + verify(context).saveViolation(argThat(new IsViolation(wanted))); + } + + private Project createProject() { + DefaultProjectFileSystem fileSystem = mock(DefaultProjectFileSystem.class); + when(fileSystem.hasJavaSourceFiles()).thenReturn(Boolean.TRUE); + + MavenProject mavenProject = mock(MavenProject.class); + Project project = mock(Project.class); + when(project.getFileSystem()).thenReturn(fileSystem); + when(project.getPom()).thenReturn(mavenProject); + return project; + } + +} diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsTests.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsTests.java new file mode 100644 index 00000000000..88afed2cdcd --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsTests.java @@ -0,0 +1,115 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs;
+
+import org.apache.commons.io.IOUtils;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.stubbing.Answer;
+import org.sonar.api.CoreProperties;
+import org.sonar.api.profiles.RulesProfile;
+import org.sonar.api.rules.ActiveRule;
+import org.sonar.api.rules.Rule;
+import org.sonar.api.rules.RulePriority;
+import org.sonar.api.rules.RulesManager;
+import org.sonar.test.TestUtils;
+import org.xml.sax.SAXException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public abstract class FindbugsTests {
+
+ protected void assertXmlAreSimilar(String actualContent, String expectedFileName) throws IOException, SAXException {
+ InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/" + expectedFileName);
+ String expectedContent = IOUtils.toString(input);
+ TestUtils.assertSimilarXml(expectedContent, actualContent);
+ }
+
+ protected List<Rule> buildRulesFixture() {
+ List<Rule> rules = new ArrayList<Rule>();
+
+ Rule rule1 = new Rule("DLS: Dead store to local variable", "DLS_DEAD_LOCAL_STORE",
+ "DLS_DEAD_LOCAL_STORE", null, CoreProperties.FINDBUGS_PLUGIN, null);
+
+ Rule rule2 = new Rule("UrF: Unread field", "URF_UNREAD_FIELD",
+ "URF_UNREAD_FIELD", null, CoreProperties.FINDBUGS_PLUGIN, null);
+
+ rules.add(rule1);
+ rules.add(rule2);
+
+ return rules;
+ }
+
+ protected List<ActiveRule> buildActiveRulesFixture(List<Rule> rules) {
+ List<ActiveRule> activeRules = new ArrayList<ActiveRule>();
+ ActiveRule activeRule1 = new ActiveRule(null, rules.get(0), RulePriority.CRITICAL);
+ activeRules.add(activeRule1);
+ ActiveRule activeRule2 = new ActiveRule(null, rules.get(1), RulePriority.MAJOR);
+ activeRules.add(activeRule2);
+ return activeRules;
+ }
+
+
+ protected RulesManager createRulesManager() {
+ RulesManager rulesManager = mock(RulesManager.class);
+
+ when(rulesManager.getPluginRule(eq(CoreProperties.FINDBUGS_PLUGIN), anyString())).thenAnswer(new Answer<Rule>() {
+ public Rule answer(InvocationOnMock invocationOnMock) throws Throwable {
+ Object[] args = invocationOnMock.getArguments();
+ Rule rule = new Rule();
+ rule.setPluginName((String) args[0]);
+ rule.setKey((String) args[1]);
+ return rule;
+ }
+ });
+ return rulesManager;
+ }
+
+ protected RulesProfile createRulesProfileWithActiveRules() {
+ RulesProfile rulesProfile = mock(RulesProfile.class);
+ when(rulesProfile.getActiveRule(eq(CoreProperties.FINDBUGS_PLUGIN), anyString())).thenAnswer(new Answer<ActiveRule>() {
+ public ActiveRule answer(InvocationOnMock invocationOnMock) throws Throwable {
+ Object[] args = invocationOnMock.getArguments();
+ ActiveRule activeRule = mock(ActiveRule.class);
+ when(activeRule.getPluginName()).thenReturn((String) args[0]);
+ when(activeRule.getRuleKey()).thenReturn((String) args[1]);
+ when(activeRule.getPriority()).thenReturn(RulePriority.CRITICAL);
+ return activeRule;
+ }
+ });
+ when(rulesProfile.getActiveRulesByPlugin(CoreProperties.FINDBUGS_PLUGIN)).thenReturn(Arrays.asList(new ActiveRule()));
+ return rulesProfile;
+ }
+
+ protected RulesProfile createRulesProfileWithoutActiveRules() {
+ RulesProfile rulesProfile = new RulesProfile();
+ List<ActiveRule> list = new ArrayList<ActiveRule>();
+ rulesProfile.setActiveRules(list);
+ return rulesProfile;
+ }
+}
diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsXmlReportParserTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsXmlReportParserTest.java new file mode 100644 index 00000000000..ca6073ffdae --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/FindbugsXmlReportParserTest.java @@ -0,0 +1,82 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs; + +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertThat; + +import java.io.File; +import java.net.URISyntaxException; +import java.util.List; + +import org.junit.Before; +import org.junit.Test; +import org.sonar.api.utils.SonarException; + +public class FindbugsXmlReportParserTest { + + private List<FindbugsXmlReportParser.Violation> violations; + + @Before + public void init() { + File findbugsXmlReport = getFile("/org/sonar/plugins/findbugs/findbugsXml.xml"); + FindbugsXmlReportParser xmlParser = new FindbugsXmlReportParser(findbugsXmlReport); + violations = xmlParser.getViolations(); + } + + @Test(expected = SonarException.class) + public void createFindbugsXmlReportParserWithUnexistedReportFile() { + File xmlReport = new File("doesntExist.xml"); + new FindbugsXmlReportParser(xmlReport); + } + + @Test + public void testGetViolations() { + assertThat(violations.size(), is(3)); + + FindbugsXmlReportParser.Violation fbViolation = violations.get(0); + assertThat(fbViolation.getType(), is("AM_CREATES_EMPTY_ZIP_FILE_ENTRY")); + assertThat(fbViolation.getLongMessage(), + is("Empty zip file entry created in org.sonar.commons.ZipUtils._zip(String, File, ZipOutputStream)")); + assertThat(fbViolation.getStart(), is(107)); + assertThat(fbViolation.getEnd(), is(107)); + assertThat(fbViolation.getClassName(), is("org.sonar.commons.ZipUtils")); + assertThat(fbViolation.getSourcePath(), is("org/sonar/commons/ZipUtils.java")); + } + + @Test + public void testGetSonarJavaFileKey() { + FindbugsXmlReportParser.Violation violation = new FindbugsXmlReportParser.Violation(); + violation.className = "org.sonar.batch.Sensor"; + assertThat(violation.getSonarJavaFileKey(), is("org.sonar.batch.Sensor")); + violation.className = "Sensor"; + assertThat(violation.getSonarJavaFileKey(), is("Sensor")); + violation.className = "org.sonar.batch.Sensor$1"; + assertThat(violation.getSonarJavaFileKey(), is("org.sonar.batch.Sensor")); + } + + private final File getFile(String filename) { + try { + return new File(getClass().getResource(filename).toURI()); + } catch (URISyntaxException e) { + throw new SonarException("Unable to open file " + filename, e); + } + } +} diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/tools/RulesGenerator.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/tools/RulesGenerator.java new file mode 100644 index 00000000000..d3701ed66cc --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/tools/RulesGenerator.java @@ -0,0 +1,190 @@ +/* + * Sonar, open source software quality management tool. + * Copyright (C) 2009 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * Sonar is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * Sonar is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Sonar; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02 + */ +package org.sonar.plugins.findbugs.tools; + +import org.apache.commons.lang.StringUtils; +import org.codehaus.plexus.util.IOUtil; +import org.codehaus.staxmate.in.SMHierarchicCursor; +import org.codehaus.staxmate.in.SMInputCursor; +import org.sonar.api.rules.Rule; +import org.sonar.api.rules.RulesCategory; +import org.sonar.api.rules.StandardRulesXmlParser; +import org.sonar.api.utils.StaxParser; + +import javax.xml.stream.XMLStreamException; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URL; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +public class RulesGenerator { + + private static final String FOR_VERSION = "1.3.8"; + + + private final static Map<String, String> BUG_CATEGS = new HashMap<String, String>(); + + static { + BUG_CATEGS.put("STYLE", "Usability"); + BUG_CATEGS.put("NOISE", "Reliability"); + BUG_CATEGS.put("CORRECTNESS", "Reliability"); + BUG_CATEGS.put("SECURITY", "Reliability"); + BUG_CATEGS.put("BAD_PRACTICE", "Maintainability"); + BUG_CATEGS.put("MT_CORRECTNESS", "Reliability"); + BUG_CATEGS.put("PERFORMANCE", "Efficiency"); + BUG_CATEGS.put("I18N", "Portability"); + BUG_CATEGS.put("MALICIOUS_CODE", "Reliability"); + } + + public static void main(String[] args) throws Exception { + List<FindBugsBug> bugs = getBugsToImport(); + String generatedXML = parseMessages(bugs); + File out = new File(".", "rules.xml"); + IOUtil.copy(generatedXML.getBytes(), new FileOutputStream(out)); + System.out.println("Written to " + out.getPath()); + } + + private static List<FindBugsBug> getBugsToImport() throws MalformedURLException, IOException, XMLStreamException { + URL messages = new URL("http://findbugs.googlecode.com/svn/branches/" + FOR_VERSION + "/findbugs/etc/findbugs.xml"); + InputStream in = messages.openStream(); + final List<FindBugsBug> bugs = new ArrayList<FindBugsBug>(); + StaxParser p = new StaxParser(new StaxParser.XmlStreamHandler() { + + public void stream(SMHierarchicCursor rootCursor) throws XMLStreamException { + rootCursor.advance(); + SMInputCursor bugPatterns = rootCursor.descendantElementCursor("BugPattern"); + collectBugDefs(bugs, bugPatterns); + } + + private void collectBugDefs(final List<FindBugsBug> bugs, SMInputCursor bugPatterns) throws XMLStreamException { + while (bugPatterns.getNext() != null) { + if (bugPatterns.asEvent().isEndElement()) continue; + + String experimental = bugPatterns.getAttrValue("experimental"); + boolean isExperimental = (StringUtils.isNotEmpty(experimental) && Boolean.valueOf(experimental)) || bugPatterns.getAttrValue("category").equals("EXPERIMENTAL"); + String deprecated = bugPatterns.getAttrValue("deprecated"); + boolean isDeprecated = StringUtils.isNotEmpty(deprecated) && Boolean.valueOf(deprecated); + if (!isExperimental && !isDeprecated) { + bugs.add(new FindBugsBug(bugPatterns.getAttrValue("category"), bugPatterns.getAttrValue("type"))); + } + } + } + }); + p.parse(in); + in.close(); + return bugs; + } + + private static String parseMessages(final List<FindBugsBug> bugs) throws MalformedURLException, IOException, XMLStreamException { + URL messages = new URL("http://findbugs.googlecode.com/svn/branches/" + FOR_VERSION + "/findbugs/etc/messages.xml"); + + InputStream in = messages.openStream(); + final List<Rule> rules = new ArrayList<Rule>(); + StaxParser p = new StaxParser(new StaxParser.XmlStreamHandler() { + + public void stream(SMHierarchicCursor rootCursor) throws XMLStreamException { + rootCursor.advance(); + Map<String, String> bugCategoriesDecr = new HashMap<String, String>(); + SMInputCursor childrens = rootCursor.childElementCursor(); + while (childrens.getNext() != null) { + if (childrens.asEvent().isEndElement()) continue; + if (childrens.getLocalName().equals("BugCategory")) { + String bugCateg = childrens.getAttrValue("category"); + bugCategoriesDecr.put(bugCateg, childrens.childElementCursor("Description").advance().collectDescendantText()); + } else if (childrens.getLocalName().equals("BugPattern")) { + String bugType = childrens.getAttrValue("type"); + FindBugsBug bug = getFindBugsBugByType(bugType, bugs); + if (bug == null) continue; + + rules.add(getRuleForBug(bugType, bug, bugCategoriesDecr, childrens)); + } + } + } + }); + + p.parse(in); + in.close(); + StandardRulesXmlParser parser = new StandardRulesXmlParser(); + return parser.toXml(rules); + } + + private static Rule getRuleForBug(String bugType, FindBugsBug bug, + Map<String, String> bugCategoriesDecr, SMInputCursor childrens) throws XMLStreamException { + Rule rule = new Rule(); + rule.setKey(bugType); + rule.setConfigKey(bugType); + + String rulesCateg = BUG_CATEGS.get(bug.getCategory()); + if (StringUtils.isEmpty(rulesCateg)) { + throw new RuntimeException("Rules cat not found " + bug.getCategory()); + } + rule.setRulesCategory(new RulesCategory(rulesCateg)); + + SMInputCursor descendents = childrens.childElementCursor(); + while (descendents.getNext() != null) { + if (descendents.asEvent().isStartElement()) { + if (descendents.getLocalName().equals("ShortDescription")) { + String categName = bugCategoriesDecr.get(bug.getCategory()); + if (StringUtils.isEmpty(categName)) throw new RuntimeException("Cat not found " + bug.getCategory()); + rule.setName(categName + " - " + descendents.collectDescendantText()); + } else if (descendents.getLocalName().equals("Details")) { + rule.setDescription(descendents.collectDescendantText()); + } + } + } + return rule; + } + + private static FindBugsBug getFindBugsBugByType(String type, List<FindBugsBug> bugs) { + for (FindBugsBug findBugsBug : bugs) { + if (findBugsBug.getType().equals(type)) { + return findBugsBug; + } + } + return null; + } + + private static class FindBugsBug { + private String category; + private String type; + + public FindBugsBug(String category, String type) { + super(); + this.category = category; + this.type = type; + } + + public String getCategory() { + return category; + } + + public String getType() { + return type; + } + + } + +} diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsFilterTest.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsFilterTest.java new file mode 100644 index 00000000000..384dc56882f --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsFilterTest.java @@ -0,0 +1,124 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs.xml;
+
+import org.apache.commons.io.IOUtils;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import org.junit.Test;
+import org.sonar.api.CoreProperties;
+import org.sonar.api.rules.ActiveRule;
+import org.sonar.api.rules.Rule;
+import org.sonar.api.rules.RulePriority;
+import org.sonar.plugins.findbugs.FindbugsRulePriorityMapper;
+import org.xml.sax.SAXException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public class FindBugsFilterTest extends FindBugsXmlTests {
+
+ @Test
+ public void shouldBuilXmlFromModuleTree() throws IOException, SAXException {
+ FindBugsFilter root = buildModuleTreeFixture();
+
+ String xml = root.toXml();
+
+ assertXmlAreSimilar(xml, "test_module_tree.xml");
+ }
+
+ @Test
+ public void shouldBuilModuleTreeFromXml() throws IOException {
+ InputStream input = getClass().getResourceAsStream("/org/sonar/plugins/findbugs/test_module_tree.xml");
+
+ FindBugsFilter module = FindBugsFilter.fromXml(IOUtils.toString(input));
+
+ List<Match> matches = module.getMatchs();
+ assertThat(matches.size(), is(2));
+ assertChild(matches.get(0), "DLS_DEAD_LOCAL_STORE");
+ assertChild(matches.get(1), "URF_UNREAD_FIELD");
+ }
+
+ private static FindBugsFilter buildModuleTreeFixture() {
+ FindBugsFilter findBugsFilter = new FindBugsFilter();
+ findBugsFilter.addMatch(new Match(new Bug("DLS_DEAD_LOCAL_STORE")));
+ findBugsFilter.addMatch(new Match(new Bug("URF_UNREAD_FIELD")));
+ return findBugsFilter;
+ }
+
+ private static final String DLS_DEAD_LOCAL_STORE = "DLS_DEAD_LOCAL_STORE";
+ private static final String SS_SHOULD_BE_STATIC = "SS_SHOULD_BE_STATIC";
+
+ @Test
+ public void shouldBuildModuleWithProperties() {
+ ActiveRule activeRule = anActiveRule(DLS_DEAD_LOCAL_STORE);
+ FindBugsFilter filter = FindBugsFilter.fromActiveRules(Arrays.asList(activeRule));
+
+ assertThat(filter.getMatchs().size(), is(1));
+ assertChild(filter.getMatchs().get(0), DLS_DEAD_LOCAL_STORE);
+ }
+
+ @Test
+ public void shouldBuildOnlyOneModuleWhenNoActiveRules() {
+ FindBugsFilter filter = FindBugsFilter.fromActiveRules(Collections.<ActiveRule>emptyList());
+ assertThat(filter.getMatchs().size(), is(0));
+ }
+
+ @Test
+ public void shouldBuildTwoModulesEvenIfSameTwoRulesActivated() {
+ ActiveRule activeRule1 = anActiveRule(DLS_DEAD_LOCAL_STORE);
+ ActiveRule activeRule2 = anActiveRule(SS_SHOULD_BE_STATIC);
+ FindBugsFilter filter = FindBugsFilter.fromActiveRules(Arrays.asList(activeRule1, activeRule2));
+
+ List<Match> matches = filter.getMatchs();
+ assertThat(matches.size(), is(2));
+
+ assertChild(matches.get(0), DLS_DEAD_LOCAL_STORE);
+ assertChild(matches.get(1), SS_SHOULD_BE_STATIC);
+ }
+
+ @Test
+ public void shouldBuildOnlyOneModuleWhenNoFindbugsActiveRules() {
+ ActiveRule activeRule1 = anActiveRuleFromAnotherPlugin();
+ ActiveRule activeRule2 = anActiveRuleFromAnotherPlugin();
+
+ FindBugsFilter filter = FindBugsFilter.fromActiveRules(Arrays.asList(activeRule1, activeRule2));
+ assertThat(filter.getMatchs().size(), is(0));
+ }
+
+ private static ActiveRule anActiveRule(String configKey) {
+ Rule rule = new Rule();
+ rule.setConfigKey(configKey);
+ rule.setPluginName(CoreProperties.FINDBUGS_PLUGIN);
+ ActiveRule activeRule = new ActiveRule(null, rule, RulePriority.CRITICAL);
+ return activeRule;
+ }
+
+ private static ActiveRule anActiveRuleFromAnotherPlugin() {
+ Rule rule1 = new Rule();
+ rule1.setPluginName("not-a-findbugs-plugin");
+ ActiveRule activeRule1 = new ActiveRule(null, rule1, RulePriority.CRITICAL);
+ return activeRule1;
+ }
+
+}
diff --git a/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsXmlTests.java b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsXmlTests.java new file mode 100644 index 00000000000..907679f880a --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/java/org/sonar/plugins/findbugs/xml/FindBugsXmlTests.java @@ -0,0 +1,33 @@ +/*
+ * Sonar, open source software quality management tool.
+ * Copyright (C) 2009 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * Sonar is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * Sonar is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with Sonar; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02
+ */
+package org.sonar.plugins.findbugs.xml;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.*;
+import org.sonar.plugins.findbugs.FindbugsTests;
+
+public class FindBugsXmlTests extends FindbugsTests {
+
+ protected static void assertChild(Match child, String configKey) {
+ Bug bug = child.getBug();
+ assertNotNull(bug);
+ assertThat(bug.getPattern(), is(configKey));
+ }
+}
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCategories.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCategories.xml new file mode 100644 index 00000000000..5f4ae48efa2 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCategories.xml @@ -0,0 +1,6 @@ +<FindBugsFilter> + <Match> + <Bug category="CORRECTNESS,MT_CORRECTNESS" /> + <Priority value="3"/> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCodes.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCodes.xml new file mode 100644 index 00000000000..0da831362e5 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportCodes.xml @@ -0,0 +1,6 @@ +<FindBugsFilter> + <Match> + <Bug code="FB1,FB3"/> + <Priority value="2"/> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportPatterns.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportPatterns.xml new file mode 100644 index 00000000000..072a4b077ce --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/FindbugsRulesRepositoryTest/shouldImportPatterns.xml @@ -0,0 +1,9 @@ +<FindBugsFilter> + <Match> + <Or> + <Bug pattern="FB1_IMPORT_TEST_1"/> + <Bug pattern="FB2_IMPORT_TEST_4"/> + </Or> + <Priority value="2"/> + </Match> +</FindBugsFilter>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-class-without-package.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-class-without-package.xml new file mode 100644 index 00000000000..50dec4a885a --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-class-without-package.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="UTF-8"?> +<BugCollection version="1.2.1" threshold="Normal" effort="Max" > +<file classname="ClassOnDefaultPackage" > +<BugInstance type="DLS_DEAD_LOCAL_STORE" priority="High" category="STYLE" message="DLS: Dead store to i in ClassOnDefaultPackage.ClassOnDefaultPackage(int)" lineNumber="4" /> +<BugInstance type="DLS_DEAD_LOCAL_STORE" priority="Normal" category="STYLE" message="DLS: Dead store to j in ClassOnDefaultPackage.ClassOnDefaultPackage(int)" lineNumber="4" /> +</file> +</BugCollection> diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-include.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-include.xml new file mode 100644 index 00000000000..32e2e8f516c --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugs-include.xml @@ -0,0 +1,36 @@ +<FindBugsFilter> + <Match> + <Class name="com.foobar.ClassNotToBeAnalyzed" /> + </Match> + + <Match> + <Class name="com.foobar.ClassWithSomeBugsMatched" /> + <Bug code="FB1" /> + <Priority value="2" /> + </Match> + + <Match> + <Class name="com.foobar.MyClass" /> + <Method name="someMethod" /> + <Local name="maxArgs" /> + <Bug pattern="FB1_IMPORT_TEST_3" /> + <Priority value="1" /> + </Match> + + <Match> + <Bug pattern="FB1_IMPORT_TEST_3" /> + <Priority value="3" /> + <Field name="~ajc\$.*" /> + </Match> + + <Match> + <Package name="~com\.foobar\.fooproject\.ui.*" /> + <Or> + <Method name="nonOverloadedMethod" /> + <Method name="frob" params="int,java.lang.String" returns="void" /> + <Method name="blat" params="" returns="boolean" /> + </Or> + <Bug category="MT_CORRECTNESS" /> + <Priority value="3" /> + </Match> + </FindBugsFilter>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugsXml.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugsXml.xml new file mode 100644 index 00000000000..d5d47cf39b7 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/findbugsXml.xml @@ -0,0 +1,48 @@ +<BugCollection timestamp='1282919233000' analysisTimestamp='1282919402891' sequence='0' release='' version='1.3.9'> + <Project projectName=''> + <Jar>/Users/freddy/Documents/sonar_projects/sonar/sonar-commons/target/classes</Jar> + <AuxClasspathEntry>/Users/freddy/.m2/repository/org/apache/maven/reporting/maven-reporting-impl/2.0/maven-reporting-impl-2.0.jar</AuxClasspathEntry> + <SrcDir>/Users/freddy/Documents/sonar_projects/sonar/sonar-commons/src/main/java</SrcDir> + <WrkDir>/Users/freddy/Documents/sonar_projects/sonar/sonar-commons/target</WrkDir> + </Project> + <BugInstance category='BAD_PRACTICE' instanceHash='65c6770c9055a84db4899b95826e4edd' instanceOccurrenceNum='0' priority='2' abbrev='AM' type='AM_CREATES_EMPTY_ZIP_FILE_ENTRY' instanceOccurrenceMax='0'> + <ShortMessage>Creates an empty zip file entry</ShortMessage> + <LongMessage>Empty zip file entry created in org.sonar.commons.ZipUtils._zip(String, File, ZipOutputStream)</LongMessage> + <Class classname='org.sonar.commons.ZipUtils' primary='true'> + <SourceLine start='33' classname='org.sonar.commons.ZipUtils' sourcepath='org/sonar/commons/ZipUtils.java' sourcefile='ZipUtils.java' end='139'> + <Message>At ZipUtils.java:[lines 33-139]</Message> + </SourceLine> + <Message>In class org.sonar.commons.ZipUtils</Message> + </Class> + <Method isStatic='true' classname='org.sonar.commons.ZipUtils' name='_zip' primary='true' signature='(Ljava/lang/String;Ljava/io/File;Ljava/util/zip/ZipOutputStream;)V'> + <SourceLine endBytecode='353' startBytecode='0' start='103' classname='org.sonar.commons.ZipUtils' sourcepath='org/sonar/commons/ZipUtils.java' sourcefile='ZipUtils.java' end='124'></SourceLine> + <Message>In method org.sonar.commons.ZipUtils._zip(String, File, ZipOutputStream)</Message> + </Method> + <SourceLine endBytecode='42' startBytecode='42' start='107' classname='org.sonar.commons.ZipUtils' primary='true' sourcepath='org/sonar/commons/ZipUtils.java' sourcefile='ZipUtils.java' end='107'> + <Message>At ZipUtils.java:[line 107]</Message> + </SourceLine> + <SourceLine endBytecode='65' startBytecode='65' start='112' classname='org.sonar.commons.ZipUtils' primary='true' sourcepath='org/sonar/commons/ZipUtils.java' sourcefile='ZipUtils.java' end='124'> + <Message>At ZipUtils.java:[line 107]</Message> + </SourceLine> + </BugInstance> + <BugInstance category='PERFORMANCE' instanceHash='6ba81067bf4e178b360e52be449b1b60' instanceOccurrenceNum='0' priority='3' abbrev='SIC' type='SIC_INNER_SHOULD_BE_STATIC_ANON' instanceOccurrenceMax='0'> + <ShortMessage>Could be refactored into a named static inner class</ShortMessage> + <LongMessage>The class org.sonar.commons.resources.MeasuresDao$1 could be refactored into a named _static_ inner class</LongMessage> + <Class classname='org.sonar.commons.resources.MeasuresDao$1' primary='true'> + <SourceLine start='56' classname='org.sonar.commons.resources.MeasuresDao$1' sourcepath='org/sonar/commons/resources/MeasuresDao.java' sourcefile='MeasuresDao.java' end='57'> + <Message>At MeasuresDao.java:[lines 56-57]</Message> + </SourceLine> + <Message>In class org.sonar.commons.resources.MeasuresDao$1</Message> + </Class> + <SourceLine start='56' classname='org.sonar.commons.resources.MeasuresDao$1' sourcepath='org/sonar/commons/resources/MeasuresDao.java' synthetic='true' sourcefile='MeasuresDao.java' end='57'> + <Message>At MeasuresDao.java:[lines 56-57]</Message> + </SourceLine> + </BugInstance> + <FindBugsSummary> + <FindBugsProfile> + <ClassProfile avgMicrosecondsPerInvocation='398' maxMicrosecondsPerInvocation='107179' name='edu.umd.cs.findbugs.OpcodeStack$JumpInfoFactory' invocations='4722' totalMilliseconds='1881' standardDeviationMircosecondsPerInvocation='3050'></ClassProfile> + </FindBugsProfile> + </FindBugsSummary> + <ClassFeatures></ClassFeatures> + <History></History> +</BugCollection>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_header.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_header.xml new file mode 100644 index 00000000000..bd0b26eb00a --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_header.xml @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Sonar Findbugs rules generated configuration --> +<FindBugsFilter/>
\ No newline at end of file diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_module_tree.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_module_tree.xml new file mode 100644 index 00000000000..ec5853df727 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_module_tree.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <Bug pattern="DLS_DEAD_LOCAL_STORE" />
+ </Match>
+ <Match>
+ <Bug pattern="URF_UNREAD_FIELD" />
+ </Match>
+</FindBugsFilter>
diff --git a/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_xml_complete.xml b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_xml_complete.xml new file mode 100644 index 00000000000..6be898051d5 --- /dev/null +++ b/plugins/sonar-findbugs-plugin/src/test/resources/org/sonar/plugins/findbugs/test_xml_complete.xml @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<!-- Sonar Findbugs rules generated configuration -->
+<!-- Do NEVER specify a rule priority in the export file !! -->
+<FindBugsFilter>
+ <Match>
+ <Bug pattern="DLS_DEAD_LOCAL_STORE" />
+ </Match>
+ <Match>
+ <Bug pattern="URF_UNREAD_FIELD" />
+ </Match>
+</FindBugsFilter>
|