Ammend injector rules in Java to allow Setter Injections and Constructor Injections

Rules and Languages Report False-positive / False-negative...
1

One of our developers complained that code got flagged with “Annotate this member with “@Autowired”, “@Resource”, “@Inject”, or “@Value”, or remove it.” and responded with

This particular rule doesn’t seem to take into consideration Setter Injections or Constructor Injections. It’s flagged under a security vulnerability and is failing our builds.
All our dependencies are injected via a setter or a constructor.
Is there a way this rule can be amended to factor in all forms of DIs,
if not then can this rule be removed?

I’m not sure if I can change the rule in our 9.9.0-Enterprise server.

2

Hi,

Could you help us out with the rule ID?

Even better would be a reproducer - a code sample where an issue is raised but y’all believe it shouldn’t be.

Oh! And I assume this is Java?

 
:sweat_smile:
Ann

3

Yes, this is in Java. The rule is java:S3749
Examples shown:

Security warnings
Security warnings1786×1094 97.9 KB

1 Like
5

Hi,

Thanks! Since your developer says these resources are either setter- or constructor-injected, could you expand your code sample (preferably text-code vs a screenshot :smiley:) to include the actual injection of at least one resource?

 
Thx,
Ann

6

Hope this helps:

    @Autowired
    public void setLaeGenerator(LAEGenerator laeGenerator) {
        this.laeGenerator = laeGenerator;
    }
1 Like
8

Hello Mark,

Thanks for the report. Indeed, this rule currently does not consider setter injection but only property and constructor injection. I’ve created a ticket to track this issue.

10

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.