== Why is this an issue? Spring ``++@Component++``, ``++@Controller++``, ``++@RestController++``,``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring. This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@RestController++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of: * ``++org.springframework.beans.factory.annotation.Autowired++`` * ``++org.springframework.beans.factory.annotation.Value++`` * ``++javax.annotation.Inject++`` * ``++javax.annotation.Resource++`` * ``++javax.persistence.PersistenceContext++`` * ``++jakarta.annotation.Resource++`` * ``++jakarta.inject.Inject++`` * ``++jakarta.persistence.PersistenceContext++`` == How to fix it Add one of these annotations to all non-``++static++`` members: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``. === Code examples ==== Noncompliant code example [source,java] ---- @Controller public class HelloWorld { private String name = null; @RequestMapping("/greet", method = GET) public String greet(String greetee) { if (greetee != null) { this.name = greetee; } return "Hello " + this.name; // if greetee is null, you see the previous user's data } } ---- ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it. === Parameters .customInjectionAnnotations **** ---- "" ---- comma-separated list of annotation fully qualified names to consider as valid **** === Highlighting member declaration ''' == Comments And Links (visible only on this page) === on 17 Oct 2016, 15:23:37 Ann Campbell wrote: Part of the idea is that constructor injection is declasse now, [~nicolas.peru] === on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote: \[~ann.campbell.2] This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group. +1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule. I don't know about @Inject - maybe a Guice-specific annotation. Suggestions: * Change the rule title into "Members of Spring components should be explicitly injected". * Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace "That is, they should have the @Autowired annotation" with "That is, they should have the @Resource (or @Autowired) annotation" Yves === on 4 Apr 2017, 15:23:12 Ann Campbell wrote: Updated [~yves.duboispelerin] === on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote: Could be tagged OWASP A3:2017. This could leak sensitive data === on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote: \[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017. === on 16 Aug 2018, 20:27:21 Ann Campbell wrote: \[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly. The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default". === on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote: \[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI. endif::env-github,rspecator-view[]