renjfk
(Soner Köksal)
October 25, 2022, 8:30am
1
org.springframework.util.json is missing rules for all methods introduced with Spring 5, mainly the ones with a string supplier.
Here’s the list of methods:
org.springframework.util.Assert#notNull(java.lang.Object, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#hasLength(java.lang.String, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#hasText(java.lang.String, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#notEmpty(java.lang.Object[], java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#notEmpty(java.util.Collection<?>, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#notEmpty(java.util.Map<?,?>, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#isInstanceOf(java.lang.Class<?>, java.lang.Object, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#isAssignable(java.lang.Class<?>, java.lang.Class<?>, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#isNull(java.lang.Object, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#isTrue(boolean, java.util.function.Supplier<java.lang.String>)
org.springframework.util.Assert#state(boolean, java.util.function.Supplier<java.lang.String>)
Colin
(Colin)
October 26, 2022, 8:49am
2
Hey there.
Thanks for the report! And noted here:
Hey SonarSource Community!
False-positives happen, as do false-negatives, and we’re eager to fix them. We are thrilled when our users report problems, so we can make our products better.
What is a false-positive (FP)?
A false-positive is when an issue is raised unexpectedly on code that should not trigger an issue, or where the suggested action doesn’t make any sense for the code.
What is a false-negative (FN)?
A false-negative is when an issue should be raised on a piece of code, but isn’t…
Can you please let us know what products/versions you’re using, and what rule(s) are affected?
renjfk
(Soner Köksal)
October 26, 2022, 9:09am
3
Hi,
I’m using Enterprise Edition / Version 8.9.9 (build 56886), but I would expect all versions are affected since, as I mentioned earlier, the master branch (sonar-java/org.springframework.util.json at master · SonarSource/sonar-java · GitHub) is missing the definitions.
Here’s a simple example:
This works fine
    int test(@Nullable String tmp) {
        org.springframework.util.Assert.notNull(tmp, "test");
        return tmp.length();
    }
however this one reports java:S2259
    int test(@Nullable String tmp) {
        org.springframework.util.Assert.notNull(tmp, () -> "test");
        return tmp.length();
    }
Hello there, thank you very much for the feedback, indeed the analyzer seems to be taking a safe approach when evaluating the notNull invocation with a supplier passed in that way, and so it does not apply a not-null-check on the tmp variable.
I noticed that storing the supplier in a variable, and passing the variable as the second parameter of the notNull does not raise an issue. So that can maybe be a temporary fix, but we will investigate further as soon as we can.
Here you can find the ticket with the temporary fix example.
Leonardo
Quick update, the temporary solution I suggested doesn’t work, we had a look at the file you mentioned and indeed the signatures for all the new Springboot 5 methods are not there. We updated the ticket to be aware of this, and we will tackle it as soon as possible!
Thank you again for the precious feedback!