Why do you believe it’s a false-positive/false-negative?
I am working on a Spring Rest Controller. The Rest Controller on a particular endpoint calls a validationService that checks if a given Principal (from java.security.Principal) is authorized to modify a particular Club’s data. If not, it sends back a 403 UNAUTHORIZED status, which seems sensible to me. The rule claims this is not an appropriate status to send, probably because the check happens inside a try block that doesn’t throw an exception. However, throwing an exception every time a user is not authorized seems to break control flow much more than it should, as exceptions should be reserved for extraordinary circumstances.
Are you using
SonarLint - which IDE/version?
SonarLint 10.11.1.79663 in IntelliJ IDEA 2024.1.6 (Ultimate Edition), not in Connected Mode
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import java.security.Principal;

@RestController
@RequestMapping("/api/profile")
public class ProfileController {

    private final RestValidationService validationService;
    private final VereinLogoService vereinLogoService; // referenced below; declaration added for completeness

    // Bunch of other methods here, constructor, etc.

    @DeleteMapping("/verein_logo")
    ResponseEntity<String> deleteVereinLogo(Principal principal, @RequestParam String clubId) {
        try {
            if (validationService.isValidByClubAndPrincipal(clubId, principal)) {
                vereinLogoService.deleteLogo(clubId);
                return ResponseEntity.status(HttpStatus.OK).body("Successfully deleted");
            } else {
                return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(""); // <- Issue is raised here, saying "Set appropriate Status Codes on HTTP responses"
            }
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(e.getMessage());
        }
    }
}
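For comparison, the same endpoint written so that each failure maps to the status code that describes it. This is an added example, not the reporter's code: the `RestValidationService` and `VereinLogoService` interfaces and the `ClubNotFoundException` are hypothetical stand-ins modelled on the names used in the post. Note that Spring's `HttpStatus.UNAUTHORIZED` is 401 (no usable credentials), while the 403 the post's prose describes is `HttpStatus.FORBIDDEN` (authenticated caller, but not permitted). The authorization failure is still signalled with a plain `return`, with no exception involved.

```java
import java.security.Principal;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/profile")
public class ProfileController {

    /** Hypothetical collaborator, modelled on the name used in the post. */
    public interface RestValidationService {
        boolean isValidByClubAndPrincipal(String clubId, Principal principal);
    }

    /** Hypothetical collaborator; assumed to throw when the club does not exist. */
    public interface VereinLogoService {
        void deleteLogo(String clubId) throws ClubNotFoundException;
    }

    /** Hypothetical checked exception for the one failure the client can act on. */
    public static class ClubNotFoundException extends Exception {
        public ClubNotFoundException(String clubId) {
            super("No club with id " + clubId);
        }
    }

    private final RestValidationService validationService;
    private final VereinLogoService vereinLogoService;

    public ProfileController(RestValidationService validationService,
                             VereinLogoService vereinLogoService) {
        this.validationService = validationService;
        this.vereinLogoService = vereinLogoService;
    }

    @DeleteMapping("/verein_logo")
    ResponseEntity<String> deleteVereinLogo(Principal principal, @RequestParam String clubId) {
        // No authenticated caller at all: 401 Unauthorized, i.e. "authenticate first".
        if (principal == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Authenticated, but not allowed to modify this club: 403 Forbidden.
        // A plain return, no exception, as in the post's design.
        if (!validationService.isValidByClubAndPrincipal(clubId, principal)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        try {
            vereinLogoService.deleteLogo(clubId);
            return ResponseEntity.ok("Successfully deleted");
        } catch (ClubNotFoundException e) {
            // Only this expected, client-correctable failure is mapped to a 4xx.
            // Anything else propagates and becomes a 500 through Spring's default
            // error handling instead of being reported as the client's bad request.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).body(e.getMessage());
        }
    }
}
```

Two differences from the posted snippet matter beyond the rule's message. The authorization check sits outside the `try`, so a failure in the validation service itself cannot be swallowed and turned into a 400. And the `catch (Exception e)` that echoed `e.getMessage()` for every exception is gone; that pattern returns internal failure details (stack-trace messages from the persistence layer, for instance) to any caller, which is a disclosure risk as well as a misleading status code.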