S2441 - UnknownType detect for String result of method call

  • SonarQube 8.2 - Scanner SonarJava 6.1 (build 20866)

  • For rule S2441, some calls to setAttribute() on HttpSession report a bug like: Make "org.sonar.java.resolve.Symbols$UnknownType@74d9668" serializable or don't store it in the session.

  • Our detected code is:

getHttpSession().setAttribute(CONSTANT + facesContext.getExternalContext().getRequestContextPath(), event.getRequestPath());

with event a method parameter of type NotLoggedInEvent, defined in another project (multi-module Maven), which looks like:

import java.io.Serializable;

// Event class living in the other Maven module; the stored value is its String field.
public class NotLoggedInEvent implements Serializable {
    private String requestPath;

    public NotLoggedInEvent(String requestPath) {
        this.requestPath = requestPath;
    }

    public String getRequestPath() {
        return this.requestPath;
    }
}

In this case getRequestPath() is a String, so it's a Serializable value that can be stored in HttpSession, no?
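To show what S2441 is guarding against, here is an added example (not code from the thread or from SonarJava). It mimics what a servlet container does when it persists or replicates a session: every attribute value is written with Java serialization, so a non-serializable value breaks failover. The NotLoggedInEvent class mirrors the one above; DbConnectionHolder and the attribute names are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Stand-in for HttpSession attributes: a container that persists or replicates
// sessions serializes the whole attribute map with Java serialization.
public class SessionSerializationDemo {

    // Same shape as the NotLoggedInEvent class from the thread (assumed equivalent).
    public static class NotLoggedInEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String requestPath;

        public NotLoggedInEvent(String requestPath) {
            this.requestPath = requestPath;
        }

        public String getRequestPath() {
            return requestPath;
        }
    }

    // Hypothetical non-serializable type: this is what S2441 is meant to flag.
    public static class DbConnectionHolder {
        private final String dsn;

        public DbConnectionHolder(String dsn) {
            this.dsn = dsn;
        }
    }

    // Returns true when every attribute survives serialization, false when the
    // container would fail with NotSerializableException on session passivation.
    public static boolean sessionIsSerializable(Map<String, Object> attributes) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(new HashMap<>(attributes));
            return true;
        } catch (NotSerializableException e) {
            System.err.println("Not serializable: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        NotLoggedInEvent event = new NotLoggedInEvent("/secure/report");

        // Compliant: the stored value is a String (Serializable), exactly the
        // situation reported as a false positive in this thread.
        Map<String, Object> compliant = new HashMap<>();
        compliant.put("PREFIX/app", event.getRequestPath());
        compliant.put("event", event);

        // Non-compliant: a value whose class does not implement Serializable.
        Map<String, Object> noncompliant = new HashMap<>();
        noncompliant.put("conn", new DbConnectionHolder("jdbc:example"));

        System.out.println("compliant    -> " + sessionIsSerializable(compliant));   // true
        System.out.println("noncompliant -> " + sessionIsSerializable(noncompliant)); // false
    }
}
```

The point of the check is that the static type of the stored expression decides the verdict: a String returned by a getter is Serializable regardless of which module declares the getter, which is why the report above expects no issue on that call.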

Hey there,

Thanks for the report. Looks like a similar false positive should be fixed in the next release with SONARJAVA-3168. Can you take a peek at the ticket to see if it matches?

Colin

Thanks for your reply.

In SONARJAVA-3168, the problem seems to be in the detection of the real type of the variable instance (HashMap versus Map, for example). In our case, it's already a String on the getter, so it should be detected as a String along the whole analysis path.

I modified our code to explicitly use a variable:

String requestPath = event.getRequestPath();
getHttpSession().setAttribute(CONSTANT + facesContext.getExternalContext().getRequestContextPath(), requestPath);

I will be able to give you feedback tomorrow (we analyze only at night because it's a big project) on whether this changes the result.

Christophe

I made a sample multi-module project to demonstrate the problem with one class in each project (sonar_S2441_subproject_1 and sonar_S2441_subproject_2).

You can see the result in the attachment:

If OtherClass is in the same module project as the caller class, it's OK.
The bug seems to be specific to multi-module projects.

You can find it at GitHub - cdestombes/sonar_S2441_multiproject_failed: Simple maven multi-project that failed

Hello,
I tried the new version of the scanner, SonarJava 6.2 (build 21135), but now we have 2 false positives on the same sample project:

Maybe a regression of SONARJAVA-3168.

Hello Christophe,

Sorry for the delay answering you, and thanks a lot for your project reproducing the issue. Unfortunately, I have not been able to reproduce it strictly only using your sample project, but I managed to reproduce a similar case on my machine.

I created the following ticket to handle it: SONARJAVA-3322

Cheers,
Michael