Java S4544 @JsonTypeInfo on Interface

jonenst · October 18, 2021, 9:24am

Hi,
is there a reason for S4544 (Using unsafe Jackson deserialization configuration is security-sensitive: Rules explorer) to be triggered only on classes and not interfaces when using @JsonTypeInfo ? In my project, I see that the security hotspot is reported only for classes, not interfaces. Looking at the sonar java source code, I see:

  return modifiers.parent().is(Tree.Kind.CLASS, Tree.Kind.VARIABLE);

as far as I understand, interfaces have the same threat model as classes. (as opposed to records or enums which don’t have polymorphism)
Thanks,
Jon

Alexandre_Gigleux · October 19, 2021, 12:07pm

Hello,

After a quick review, we believe you are right and created this ticket: SONARJAVA-4055.

As you look familiar with our code, don’t hesitate to raise a PR to fix the False-Negative.

Alex

system · January 6, 2022, 2:27pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
squid:S2293 generate false-positives for sub classes Report False-positive / False-negative... java , sonarqube	1	722	May 3, 2019
False positive from java:S1105 in record containing class or interface Report False-positive / False-negative... java	1	264	October 5, 2023
java:S3242 suggesting more general interface for Identity classes Discussions	1	60	January 30, 2025
Rule S2118: false positive because the concrete type can easily be inferred from the variable declaration Report False-positive / False-negative... java	2	723	January 22, 2019
java:S2326 false positive with sealed interface type parameters Report False-positive / False-negative... java	1	421	January 12, 2024

Java S4544 @JsonTypeInfo on Interface

Related topics