Ammend injector rules in Java to allow Setter Injections and Constructor Injections

Jaff · October 6, 2023, 8:51pm

One of our developers complained that code got flagged with “Annotate this member with “@Autowired”, “@Resource”, “@Inject”, or “@Value”, or remove it.” and responded with

This particular rule doesn’t seem to take into consideration Setter Injections or Constructor Injections. It’s flagged under a security vulnerability and is failing our builds.
All our dependencies are injected via a setter or a constructor.
Is there a way this rule can be amended to factor in all forms of DIs,
if not then can this rule be removed?

I’m not sure if I can change the rule in our 9.9.0-Enterprise server.

ganncamp · October 9, 2023, 3:10pm

Hi,

Could you help us out with the rule ID?

Even better would be a reproducer - a code sample where an issue is raised but y’all believe it shouldn’t be.

Oh! And I assume this is Java?

Ann

Jaff · October 9, 2023, 4:19pm

Yes, this is in Java. The rule is java:S3749
Examples shown:

ganncamp · October 9, 2023, 5:14pm

Hi,

Thanks! Since your developer says these resources are either setter- or constructor-injected, could you expand your code sample (preferably text-code vs a screenshot ) to include the actual injection of at least one resource?

Thx,
Ann

Jaff · October 9, 2023, 5:29pm

Hope this helps:

    @Autowired
    public void setLaeGenerator(LAEGenerator laeGenerator) {
        this.laeGenerator = laeGenerator;
    }

jbeleites · October 10, 2023, 9:59am

Hello Mark,

Thanks for the report. Indeed, this rule currently does not consider setter injection but only property and constructor injection. I’ve created a ticket to track this issue.

system · October 17, 2023, 10:00am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.