ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5738/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

90 lines
3.4 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
With the introduction of Java 9, the standard annotation class `java.lang.Deprecated` has been updated with new parameters. Notably, a boolean parameter `forRemoval` has been added to clearly signify whether the deprecated code is intended to be removed in the future. This is indicated with `forRemoval=true`. The javadoc of the annotation explicitly mentions the following:
____
This annotation type has a boolean-valued element `forRemoval`. A value of `true` indicates intent to remove the annotated program element in a future version. A value of `false` indicates that use of the annotated program element is discouraged, but at the time the program element was annotated, there was no specific intent to remove it.
____
While it is generally recommended for developers to steer clear of using deprecated classes, interfaces, and their deprecated members, those already marked for removal will surely block you from upgrading your dependency. Usage of deprecated code should be avoided or eliminated as soon as possible to prevent accumulation and allow a smooth upgrade of dependencies.
The deprecated code is usually no longer maintained, can contain some bugs or vulnerabilities, and usually indicates that there is a better way to do the same thing. Removing it can even lead to significant improvement of your software.
== How to fix it
Usage of deprecated classes, interfaces, and their methods explicitly marked for removal is discouraged. A developer should either migrate to alternative methods or refactor the code to avoid the deprecated ones.
=== Code examples
==== Noncompliant code example
[source,java]
----
/**
* @deprecated As of release 1.3, replaced by {@link #Fee}. Will be dropped with release 1.4.
*/
@Deprecated(forRemoval=true)
public class Foo { ... }
public class Bar {
/**
* @deprecated As of release 1.7, replaced by {@link #doTheThingBetter()}
*/
@Deprecated(forRemoval=true)
public void doTheThing() { ... }
public void doTheThingBetter() { ... }
/**
* @deprecated As of release 1.14 due to poor performances.
*/
@Deprecated(forRemoval=false)
public void doTheOtherThing() { ... }
}
public class Qix extends Bar {
@Override
public void doTheThing() { ... } // Noncompliant; don't override a deprecated method marked for removal
}
public class Bar extends Foo { // Noncompliant; Foo is deprecated and will be removed
public void myMethod() {
Bar bar = new Bar(); // okay; the class isn't deprecated
bar.doTheThing(); // Noncompliant; doTheThing method is deprecated and will be removed
bar.doTheOtherThing(); // Okay; deprecated, but not marked for removal
}
}
----
== Resources
* CWE - https://cwe.mitre.org/data/definitions/477[CWE-477 - Use of Obsolete Functions]
* https://wiki.sei.cmu.edu/confluence/x/6TdGBQ[CERT, MET02-J.] - Do not use deprecated or obsolete classes or methods
* RSPEC-1874 for standard deprecation use
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Remove this call to a deprecated method, it has been marked for removal.
* Remove this use of a deprecated [class|field], it has been marked for removal.
* Remove this use of "xxx"; it is deprecated and has been marked for removal.
* Don't override this deprecated method, it has been marked for removal.
'''
== Comments And Links
(visible only on this page)
=== relates to: S1874
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink