rspec/rules/S3749/java/rule.adoc

== Why is this an issue?

Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring.

This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

* ``++org.springframework.beans.factory.annotation.Autowired++``
* ``++org.springframework.beans.factory.annotation.Value++``
* ``++javax.annotation.Inject++``
* ``++javax.annotation.Resource++``

== How to fix it

Add one of these annotations to all non-``++static++`` members: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.

=== Code examples
 
==== Noncompliant code example

[source,java]
----
@Controller
public class HelloWorld {

  private String name = null;

  @RequestMapping("/greet", method = GET)
  public String greet(String greetee) {

    if (greetee != null) {
      this.name = greetee;
    }

    return "Hello " + this.name;  // if greetee is null, you see the previous user's data
  }
}
----


== Resources

* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.


=== Parameters

.customInjectionAnnotations
****

----
""
----

comma-separated list of annotation fully qualified names to consider as valid
****


=== Highlighting

member declaration


'''
== Comments And Links
(visible only on this page)

=== on 17 Oct 2016, 15:23:37 Ann Campbell wrote:
Part of the idea is that constructor injection is declasse now, [~nicolas.peru]

=== on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote:
\[~ann.campbell.2]


This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group.


+1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule.


I don't know about @Inject - maybe a Guice-specific annotation.


Suggestions:

* Change the rule title into "Members of Spring components should be explicitly injected".
* Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace
"That is, they should have the @Autowired annotation"

with

"That is, they should have the @Resource (or @Autowired) annotation"


Yves

=== on 4 Apr 2017, 15:23:12 Ann Campbell wrote:
Updated [~yves.duboispelerin]

=== on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote:
Could be tagged OWASP A3:2017. This could leak sensitive data

=== on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote:
\[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017.

=== on 16 Aug 2018, 20:27:21 Ann Campbell wrote:
\[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly. 


The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default".

=== on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote:
\[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI.

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Modify rule S3749: update issue type to Code-Smell (APPSEC-523) (#2485) 2023-08-04 09:26:25 +02:00			Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring.
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
			This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

			* ``++org.springframework.beans.factory.annotation.Autowired++``
			* ``++org.springframework.beans.factory.annotation.Value++``
			* ``++javax.annotation.Inject++``
			* ``++javax.annotation.Resource++``

Modify rule S3749: update issue type to Code-Smell (APPSEC-523) (#2485) 2023-08-04 09:26:25 +02:00			`== How to fix it`

			Add one of these annotations to all non-``++static++`` members: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Modify rule S3749: update issue type to Code-Smell (APPSEC-523) (#2485) 2023-08-04 09:26:25 +02:00			`=== Code examples`

			`==== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`@Controller`
			`public class HelloWorld {`

			`private String name = null;`

			`@RequestMapping("/greet", method = GET)`
			`public String greet(String greetee) {`

			`if (greetee != null) {`
			`this.name = greetee;`
			`}`

			`return "Hello " + this.name; // if greetee is null, you see the previous user's data`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.`


			`=== Parameters`

			`.customInjectionAnnotations`
			`****`

			`----`
			`""`
			`----`

			`comma-separated list of annotation fully qualified names to consider as valid`
			`****`


			`=== Highlighting`

			`member declaration`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 17 Oct 2016, 15:23:37 Ann Campbell wrote:`
			`Part of the idea is that constructor injection is declasse now, [~nicolas.peru]`

			`=== on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote:`
			`\[~ann.campbell.2]`


			`This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group.`


			`+1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule.`


			`I don't know about @Inject - maybe a Guice-specific annotation.`


			`Suggestions:`

			`* Change the rule title into "Members of Spring components should be explicitly injected".`
			`* Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace`
			`"That is, they should have the @Autowired annotation"`

			`with`

			`"That is, they should have the @Resource (or @Autowired) annotation"`


			`Yves`

			`=== on 4 Apr 2017, 15:23:12 Ann Campbell wrote:`
			`Updated [~yves.duboispelerin]`

			`=== on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote:`
			`Could be tagged OWASP A3:2017. This could leak sensitive data`

			`=== on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote:`
			`\[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017.`

			`=== on 16 Aug 2018, 20:27:21 Ann Campbell wrote:`
			`\[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly.`


			`The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default".`

			`=== on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote:`
			`\[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`