Bean Validation should be enabled

java

(Jens Bannmann) #1

Hi all,

I would like to propose the following new rule.


Rule description & motivation
Bean Validation can be triggered programmatically on an object, but it will also run automatically for fields of objects being validated and for any method parameters. However, in both cases, the corresponding variable must be annotated with javax.validation.Valid. This can easily be forgotten.

This rule should create an issue for each

  • parameter of a public method (excluding constructors)
  • field with bean validation constraints
  • field in a class where other fields have bean validation constraints

that is not annotated javax.validation.Valid and where the type refers to a class with bean validation constraints.

This rule should support standard constraint annotations (such as @NotNull) as well as custom ones (annotations which have the javax.validation.Constraint annotation).

Impact to keep this code as it is
Not annotating the element with @Valid means bean validation will not be triggered, but readers may overlook this omission and assume the object will be validated.

Example Code

import javax.validation.Valid;
import javax.validation.constraints.NotNull;

public class User {
  @NotNull
  private String name;
}

public class Group {
  @NotNull
  private List<User> users; // noncompliant, User instances are not validated
}

public class Email {
  @Valid
  @NotNull
  private List<User> recipients; // compliant
}

public class MyService {
  public void login(User user) { // noncompliant, parameter is not validated
  }

  public void logout(@Valid User user) { // compliant
  }

  protected void logAction(User user) { // compliant
  }
}

References

Type
Code Smell

Tags
suspicious


Best regards