2020-06-30 12:49:37 +02:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
This rule raises an issue as soon as there is a reference to argv, be it for direct use or via a CLI library like JCommander, GetOpt or Apache CLI.
2020-06-30 14:49:38 +02:00
2020-06-30 12:49:37 +02:00
----
public class Main {
public static void main (String[] argv) {
String option = argv[0];
}
}
----
----
// === JCommander ===
import
public class Main {
public static void main (String[] argv) {
Main main = new Main();
JCommander.newBuilder()
.addObject(main)
.build()
.parse(argv); // Sensitive
main.run();
}
}
----
----
// === GNU Getopt ===
import gnu.getopt.Getopt;
public class Main {
public static void main (String[] argv) {
Getopt g = new Getopt("myprog", argv, "ab"); // Sensitive
}
}
----
----
// === Apache CLI ===
import org.apache.commons.cli.*;
public class Main {
public static void main (String[] argv) {
Options options = new Options();
CommandLineParser parser = new DefaultParser();
try {
CommandLine line = parser.parse(options, argv); // Sensitive
}
}
}
----
2020-12-23 14:59:06 +01:00
In the case of Args4J, an issue is created on the ``public void run`` method of any class using ``org.kohsuke.args4j.Option`` or ``org.kohsuke.args4j.Argument``.
Such a class is called directly by ``org.kohsuke.args4j.Starter`` outside of any ``public static void main`` method. If the class has no ``run`` method, no issue will be raised as there must be a ``public static void main`` and its argument is already highlighted.
2020-06-30 12:49:37 +02:00
----
// === argv4J ===
import org.kohsuke.args4j.Option;
import org.kohsuke.args4j.Argument;
public class Main {
@Option(name="-myopt",usage="An option")
public String myopt;
@Argument(usage = "An argument", metaVar = "<myArg>")
String myarg;
String file;
@Option(name="-file")
public void setFile(String file) {
this.file = file;
}
String arg2;
@Argument(index=1)
public void setArg2(String arg2) {
this.arg2 = arg2;
}
public void run() { // Sensitive: This function
myarg.toString(); // check how this argument is used
}
}
----
== Exceptions
2020-12-23 14:59:06 +01:00
The support of Argv4J without the use of ``org.kohsuke.argv4j.Option`` is out of scope as there is no way to know which Bean will be used as the mainclass.
2020-06-30 12:49:37 +02:00
2020-12-23 14:59:06 +01:00
No issue will be raised on ``public static void main(String[] argv)`` if ``argv`` is not referenced in the method.
2020-06-30 12:49:37 +02:00
include::../see.adoc[]
