authorEvgeny Mandrikov <mandrikov@gmail.com>2012-08-07 23:15:07 +0600
committerEvgeny Mandrikov <mandrikov@gmail.com>2012-08-07 23:47:11 +0600
commit2ef978c162f11c5cee5944327568b69bbdea1142 (patch)
treeef0eb01c5965368d7fc7ae239a2de39c8ed6aac7 /plugins/sonar-l10n-en-plugin
parent0675dcef54a8ec3191cbc1fec9b7366dd1f4d54b (diff)
downloadsonarqube-2ef978c162f11c5cee5944327568b69bbdea1142.tar.gz
sonarqube-2ef978c162f11c5cee5944327568b69bbdea1142.zip
SONAR-3699 Upgrade to FindBugs 2.0.1
New rules: * PT_ABSOLUTE_PATH_TRAVERSAL * PT_RELATIVE_PATH_TRAVERSAL * NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR * MS_SHOULD_BE_REFACTORED_TO_BE_FINAL * BC_UNCONFIRMED_CAST_OF_RETURN_VALUE * TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS
Diffstat (limited to 'plugins/sonar-l10n-en-plugin')
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties6
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html6
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html8
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html5
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html13
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html12
-rw-r--r--plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html22
7 files changed, 72 insertions, 0 deletions
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties
index 6b0577b8ca7..a86b043086c 100644
--- a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs.properties
@@ -406,3 +406,9 @@ rule.findbugs.UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD.name=Unused public or protect
rule.findbugs.UWF_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD.name=Unwritten public or protected field
rule.findbugs.VA_FORMAT_STRING_USES_NEWLINE.name=Format string should use %n rather than \\n
rule.findbugs.VO_VOLATILE_INCREMENT.name=An increment to a volatile field isn't atomic
+rule.findbugs.PT_ABSOLUTE_PATH_TRAVERSAL.name=Absolute path traversal in servlet
+rule.findbugs.PT_RELATIVE_PATH_TRAVERSAL.name=Relative path traversal in servlet
+rule.findbugs.NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.name=Nonnull field is not initialized
+rule.findbugs.MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.name=Field isn't final but should be refactored to be so
+rule.findbugs.BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.name=Unchecked/unconfirmed cast of return value from method
+rule.findbugs.TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.name=Comparing values with incompatible type qualifiers
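Review bot: The six new keys are appended after VO_VOLATILE_INCREMENT, while the visible context (UUF_, UWF_, VA_, VO_) suggests the file is kept in alphabetical order by rule key; inserting the BC_, MS_, NP_, PT_ and TQ_ entries at their sorted positions would keep the file consistent and make future merges of rule names less conflict-prone. This is a point of style only; the key/value pairs themselves look correct. The hunk shows only the tail of the file, so the ordering of the rest is inferred.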
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html
new file mode 100644
index 00000000000..6563ad7d4f0
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/BC_UNCONFIRMED_CAST_OF_RETURN_VALUE.html
@@ -0,0 +1,6 @@
+<p>
+This code performs an unchecked cast of the return value of a method.
+The code might be calling the method in such a way that the cast is guaranteed to be
+safe, but FindBugs is unable to verify that the cast is safe. Check that your program logic ensures that this
+cast will not fail.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html
new file mode 100644
index 00000000000..f0007009f78
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/MS_SHOULD_BE_REFACTORED_TO_BE_FINAL.html
@@ -0,0 +1,8 @@
+<p>
+This static field public but not final, and
+could be changed by malicious code or
+by accident from another package.
+The field could be made final to avoid
+this vulnerability. However, the static initializer contains more than one write
+to the field, so doing so will require some refactoring.
+</p>
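Review bot: The first sentence on the second line of the paragraph is missing its verb: `This static field public but not final, and` should read `This static field is public but not final, and`. Since this text is shown to users as the rule description, the grammar defect is visible in the product. The rest of the paragraph reads correctly.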
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html
new file mode 100644
index 00000000000..f4b822805ea
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR.html
@@ -0,0 +1,5 @@
+<p>
+The field is marked as nonnull, but isn't written to by the constructor.
+The field might be initialized elsewhere during constructor, or might always
+be initialized before use.
+</p>
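Review bot: The phrase `initialized elsewhere during constructor` on the third line is ungrammatical; `initialized elsewhere during construction` (or `by a method the constructor calls`) states the intended meaning. The surrounding sentence, that the field might always be initialized before use, reads correctly as written.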
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html
new file mode 100644
index 00000000000..148eeb2a4d6
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_ABSOLUTE_PATH_TRAVERSAL.html
@@ -0,0 +1,13 @@
+<p>
+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory,
+but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
+
+See <a href="http://cwe.mitre.org/data/definitions/36.html">http://cwe.mitre.org/data/definitions/36.html</a> for more information.
+</p>
+
+<p>
+FindBugs looks only for the most blatant, obvious cases of absolute path traversal.
+If FindBugs found <em>any</em>, you <em>almost certainly</em> have more
+vulnerabilities that FindBugs doesn't report. If you are concerned about absolute path traversal, you should seriously
+consider using a commercial static analysis or pen-testing tool.
+</p>
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html
new file mode 100644
index 00000000000..de134d8d60b
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/PT_RELATIVE_PATH_TRAVERSAL.html
@@ -0,0 +1,12 @@
+<p>
+The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory,
+but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
+
+See <a href="http://cwe.mitre.org/data/definitions/23.html">http://cwe.mitre.org/data/definitions/23.html</a> for more information.</p>
+
+<p>
+FindBugs looks only for the most blatant, obvious cases of relative path traversal.
+If FindBugs found <em>any</em>, you <em>almost certainly</em> have more
+vulnerabilities that FindBugs doesn't report. If you are concerned about relative path traversal, you should seriously
+consider using a commercial static analysis or pen-testing tool.
+</p>
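Review bot: The first paragraph's closing tag is placed at the end of the CWE link line (`...for more information.</p>`), whereas the otherwise identical paragraph in PT_ABSOLUTE_PATH_TRAVERSAL.html in this same commit puts `</p>` on its own line; aligning the two files keeps the rule descriptions consistent. In both files the blank line inside the `<p>` renders as nothing, so the CWE reference would be clearer as its own `<p>` rather than a blank-line-separated sentence within the first one. Markup-only point; the description text itself is fine.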
diff --git a/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html
new file mode 100644
index 00000000000..43dd5c46acd
--- /dev/null
+++ b/plugins/sonar-l10n-en-plugin/src/main/resources/org/sonar/l10n/findbugs/rules/findbugs/TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS.html
@@ -0,0 +1,22 @@
+<p>
+A value specified as carrying a type qualifier annotation is
+compared with a value that doesn't ever carry that qualifier.
+</p>
+
+<p>
+More precisely, a value annotated with a type qualifier specifying when=ALWAYS
+is compared with a value that where the same type qualifier specifies when=NEVER.
+</p>
+
+<p>
+For example, say that @NonNegative is a nickname for
+the type qualifier annotation @Negative(when=When.NEVER).
+The following code will generate this warning because
+the return statement requires a @NonNegative value,
+but receives one that is marked as @Negative.
+</p>
+<pre>
+public boolean example(@Negative Integer value1, @NonNegative Integer value2) {
+ return value1.equals(value2);
+}
+</pre>
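Review bot: The second paragraph contains a garbled clause, `is compared with a value that where the same type qualifier specifies when=NEVER`; `is compared with a value for which the same type qualifier specifies when=NEVER` reads correctly. The third paragraph also appears to mismatch the example that follows it: it says the warning arises because "the return statement requires a @NonNegative value", but the example's return statement yields a boolean and the @Negative/@NonNegative values meet only in the `value1.equals(value2)` comparison, so the explanation would be clearer as `because value1, marked @Negative, is compared with value2, marked @NonNegative`. The example itself is a plain illustration and needs no change beyond the explanatory text.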