Merge branch 'master' into fix2628

Author: JuditKnoll

CHANGELOG.md

@@ -12,6 +12,8 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 - Fixed missing null checks ([[#2629](https://github.com/spotbugs/spotbugs/issues/2629)])
 - Disabled DontReusePublicIdentifiers due to the high false positives rate ([[#2627](https://github.com/spotbugs/spotbugs/issues/2627)])
 - Removed signature of methods using UTF-8 in DefaultEncodingDetector ([[#2634](https://github.com/spotbugs/spotbugs/issues/2634)])
+- Fix exception escapes when calling functions of JUnit Assert or Assertions ([[#2640](https://github.com/spotbugs/spotbugs/issues/2640)])
+- Fixed an error in the SARIF export when a bug annotation is missing ([[#2632](https://github.com/spotbugs/spotbugs/issues/2632)])
 - Fixed false positive RV_EXCEPTION_NOT_THROWN when asserting to exception throws ([[#2628](https://github.com/spotbugs/spotbugs/issues/2628)])
 
 ## 4.8.0 - 2023-10-11

gradle/jacoco.gradle

@@ -1,7 +1,7 @@
 apply plugin: "jacoco"
 
 jacoco {
-  toolVersion = "0.8.10"
+  toolVersion = "0.8.11"
 }
 
 jacocoTestReport {

gradle/libs.versions.toml

@@ -1,7 +1,7 @@
 [versions]
 asm = "9.6"
 guice = "5.1.0"
-log4j = "2.20.0"
+log4j = "2.21.0"
 
 [libraries]
 asm = { module = "org.ow2.asm:asm", version.ref = "asm" }

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2640Test.java

@@ -0,0 +1,12 @@
+package edu.umd.cs.findbugs.detect;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+class Issue2640Test extends AbstractIntegrationTest {
+    @Test
+    void testIssue() {
+        Assertions.assertDoesNotThrow(() -> performAnalysis("ghIssues/Issue2640.class"));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/sarif/SarifBugReporterTest.java

@@ -160,6 +160,45 @@ void testRuleWithArguments() {
         assertThat(arguments.get(0).getAsInt(), is(10));
     }
 
+
+
+    @Test
+    void testRuleWithInvalidArguments() {
+        // given
+        final String EXPECTED_BUG_TYPE = "BUG_TYPE";
+        final int EXPECTED_PRIORITY = Priorities.NORMAL_PRIORITY;
+        final String EXPECTED_DESCRIPTION = "describing about this bug type...";
+        BugPattern bugPattern = new BugPattern(EXPECTED_BUG_TYPE, "abbrev", "category", false, EXPECTED_DESCRIPTION,
+                "describing about this bug type with value {1234}...", "detailText", null, 0);
+        DetectorFactoryCollection.instance().registerBugPattern(bugPattern);
+
+        // when
+        reporter.reportBug(new BugInstance(bugPattern.getType(), bugPattern.getPriorityAdjustment()).addInt(10).addClass("the/target/Class"));
+        reporter.finish();
+
+        // then
+        String json = writer.toString();
+        JsonObject jsonObject = new Gson().fromJson(json, JsonObject.class);
+        JsonObject run = jsonObject.getAsJsonArray("runs").get(0).getAsJsonObject();
+        JsonArray rules = run.getAsJsonObject("tool").getAsJsonObject("driver").getAsJsonArray("rules");
+        JsonArray results = run.getAsJsonArray("results");
+
+        assertThat(rules.size(), is(1));
+        JsonObject rule = rules.get(0).getAsJsonObject();
+        assertThat(rule.get("id").getAsString(), is(bugPattern.getType()));
+        String defaultText = rule.getAsJsonObject("messageStrings").getAsJsonObject("default").get("text").getAsString();
+        assertThat(defaultText, is("describing about this bug type with value {0}..."));
+
+        assertThat(results.size(), is(1));
+        JsonObject result = results.get(0).getAsJsonObject();
+        assertThat(result.get("ruleId").getAsString(), is(bugPattern.getType()));
+        JsonObject message = result.getAsJsonObject("message");
+        assertThat(message.get("id").getAsString(), is("default"));
+        assertThat(message.get("text").getAsString(), is(bugPattern.getShortDescription()));
+        JsonArray arguments = message.getAsJsonArray("arguments");
+        assertThat(arguments.get(0).getAsString(), is("?>?1234/2???"));
+    }
+
     @Test
     void testMissingClassNotification() {
         ClassDescriptor classDescriptor = DescriptorFactory.instance().getClassDescriptor("com/github/spotbugs/MissingClass");

spotbugs/src/main/java/edu/umd/cs/findbugs/detect/DumbMethods.java

@@ -169,8 +169,8 @@ public void sawOpcode(int seen) {
             }
 
             if (seen == Const.INVOKESTATIC && ("junit/framework/Assert".equals(getClassConstantOperand()) || "org/junit/Assert".equals(
-                    getClassConstantOperand()) || "org/junit/jupiter/api/Assertion".equals(getClassConstantOperand())
-                            && "assertNotNull".equals(getNameConstantOperand()))) {
+                    getClassConstantOperand()) || "org/junit/jupiter/api/Assertion".equals(getClassConstantOperand()))
+                    && "assertNotNull".equals(getNameConstantOperand())) {
 
                 OpcodeStack.Item item = stack.getStackItem(0);
                 Object o = item.getConstant();

spotbugs/src/main/java/edu/umd/cs/findbugs/sarif/Placeholder.java

@@ -28,6 +28,12 @@ class Placeholder {
 
     @NonNull
     String toArgument(List<? extends BugAnnotation> bugAnnotations, @Nullable ClassAnnotation primaryClass) {
-        return bugAnnotations.get(index).format(key, primaryClass);
+        if (index < 0) {
+            return "?<?" + index + "/" + bugAnnotations.size() + "???";
+        } else if (index >= bugAnnotations.size()) {
+            return "?>?" + index + "/" + bugAnnotations.size() + "???";
+        } else {
+            return bugAnnotations.get(index).format(key, primaryClass);
+        }
     }
 }

spotbugsTestCases/src/java/ghIssues/Issue2640.java

@@ -0,0 +1,8 @@
+package ghIssues;
+
+public class Issue2640 {
+    public void testUnreachableCode() {
+        org.junit.Assert.fail();
+        System.err.println("Not reachable code");
+    }
+}