ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3749/java/rule.adoc
erwan-serandour 8558f5ea6f
Modify rule S3749: Update rule description to add new javax and jakarta annotations (SONARJAVA-5036) (#4578) 
Update rule description to add javax persistence annotations and jakarta inject and resource annotation
2024-12-16 18:03:21 +01:00

124 lines
4.1 KiB
Plaintext
Raw Permalink Blame History

== Why is this an issue?
Spring ``++@Component++``, ``++@Controller++``, ``++@RestController++``,``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring.
This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@RestController++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:
* ``++org.springframework.beans.factory.annotation.Autowired++``
* ``++org.springframework.beans.factory.annotation.Value++``
* ``++javax.annotation.Inject++``
* ``++javax.annotation.Resource++``
* ``++javax.persistence.PersistenceContext++``
* ``++jakarta.annotation.Resource++``
* ``++jakarta.inject.Inject++``
* ``++jakarta.persistence.PersistenceContext++``
== How to fix it
Add one of these annotations to all non-``++static++`` members: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.
=== Code examples
==== Noncompliant code example
[source,java]
----
@Controller
public class HelloWorld {
private String name = null;
@RequestMapping("/greet", method = GET)
public String greet(String greetee) {
if (greetee != null) {
this.name = greetee;
}
return "Hello " + this.name; // if greetee is null, you see the previous user's data
}
}
----
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.
=== Parameters
.customInjectionAnnotations
****
----
""
----
comma-separated list of annotation fully qualified names to consider as valid
****
=== Highlighting
member declaration
'''
== Comments And Links
(visible only on this page)
=== on 17 Oct 2016, 15:23:37 Ann Campbell wrote:
Part of the idea is that constructor injection is declasse now, [~nicolas.peru]
=== on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote:
\[~ann.campbell.2]
This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group.
+1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule.
I don't know about @Inject - maybe a Guice-specific annotation.
Suggestions:
* Change the rule title into "Members of Spring components should be explicitly injected".
* Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace
"That is, they should have the @Autowired annotation"
with
"That is, they should have the @Resource (or @Autowired) annotation"
Yves
=== on 4 Apr 2017, 15:23:12 Ann Campbell wrote:
Updated [~yves.duboispelerin]
=== on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote:
Could be tagged OWASP A3:2017. This could leak sensitive data
=== on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote:
\[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017.
=== on 16 Aug 2018, 20:27:21 Ann Campbell wrote:
\[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly.
The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default".
=== on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote:
\[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink