Merge branch 'master' into env02
JuditKnoll committed Nov 16, 2023
2 parents 29ff746 + a9ed9ef commit 32724d5
Showing 6 changed files with 83 additions and 28 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -9,6 +9,9 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.

### Fixed
- Fixed false positive UPM_UNCALLED_PRIVATE_METHOD for method used in JUnit's MethodSource ([[#2379](https://github.com/spotbugs/spotbugs/issues/2379)])
- Use java.nio to load filter files ([[#2684](https://github.com/spotbugs/spotbugs/pull/2684)])
- Eclipse: Do not export javax.annotation packages ([[#2699](https://github.com/spotbugs/spotbugs/pull/2699)])
- Fixed not thread safe FindOverridableMethodCall detector ([[#2701](https://github.com/spotbugs/spotbugs/issues/2701)])

### Added
- New detector finding `System.getenv()` calls, where the corresponding Java property could be used (See [ENV02-J](https://wiki.sei.cmu.edu/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables)).
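Review bot: the Added entry for the `System.getenv()` detector is the only line in this hunk without an issue or PR reference, while the three Fixed entries above it each link theirs; add the PR number for the new detector (a placeholder until it is known) so the changelog stays consistent. The #2701 entry also reads more naturally as "Fixed thread safety of the FindOverridableMethodCall detector", which matches the static-to-instance field change in this same merge.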
3 changes: 0 additions & 3 deletions eclipsePlugin/META-INF/MANIFEST-TEMPLATE.MF
@@ -97,9 +97,6 @@ Export-Package: de.tobject.findbugs,
edu.umd.cs.findbugs.visitclass,
edu.umd.cs.findbugs.workflow,
edu.umd.cs.findbugs.xml,
javax.annotation,
javax.annotation.concurrent,
javax.annotation.meta,
org.apache.bcel,
org.apache.bcel.classfile,
org.apache.bcel.generic,
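Review bot: dropping `javax.annotation`, `javax.annotation.concurrent` and `javax.annotation.meta` from `Export-Package` is an API change for any Eclipse plugin that resolved those packages from this bundle; it deserves a line in the plugin's release notes beyond the CHANGELOG entry for #2699. Confirm as well that the bundle still imports or requires those packages if its own classes use the JSR-305 annotations, since they are no longer re-exported here.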
@@ -0,0 +1,52 @@
/*
* Contributions to SpotBugs
* Copyright (C) 2023, the SpotBugs authors
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
package edu.umd.cs.findbugs.filter;

import static org.junit.jupiter.api.Assertions.fail;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;


import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;


/**
* @author gtoison
*/
class Utf8FilterFileNameTest {
@TempDir
private Path folderPath;

@Test
void loadFilter() {
Path filterPath = folderPath.resolve("äéàùçæð.xml");

try {
Files.createFile(filterPath);
Files.writeString(filterPath, "<FindBugsFilter/>");

Filter filter = new Filter(filterPath.toAbsolutePath().toString());
} catch (IOException e) {
fail("Error loading filter file " + filterPath, e);
}
}
}
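Review bot: `Files.createFile(filterPath)` immediately before `Files.writeString(filterPath, ...)` is redundant, since `writeString` creates the file itself (and `createFile` would throw `FileAlreadyExistsException` if the file existed); drop it. The `filter` local is assigned and never used, so the test only checks that the constructor does not throw; asserting on the result (for example `assertNotNull(filter)`) or wrapping the body in `assertDoesNotThrow` makes the intent explicit. Creating a file named `äéàùçæð.xml` also depends on the JVM's file-name encoding (`sun.jnu.encoding`): on a runner with a POSIX/C locale the file creation itself can fail, and the single catch block would report that as "Error loading filter file", so the failure message should distinguish file creation from filter parsing. The doubled blank lines after the `java.nio.file.Path` and `TempDir` imports are a style nit.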
26 changes: 13 additions & 13 deletions spotbugs/etc/messages.xml
@@ -2036,7 +2036,7 @@ While ScheduledThreadPoolExecutor inherits from ThreadPoolExecutor, a few of the
<LongDescription>HTTP cookie formed from untrusted input in {1}</LongDescription>
<Details>
<![CDATA[
<p>This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting
<p>This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting
vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a>
for more information.</p>
<p>SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting.
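Review bot: the article fix (`an HTTP response splitting`) is correct; while this line is being touched, the `http://en.wikipedia.org/wiki/HTTP_response_splitting` link on the next line, repeated in the following hunk, can be switched to `https://`.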
@@ -2053,7 +2053,7 @@ consider using a commercial static analysis or pen-testing tool.
<LongDescription>HTTP parameter directly written to HTTP header output in {1}</LongDescription>
<Details>
<![CDATA[
<p>This code directly writes an HTTP parameter to an HTTP header, which allows for a HTTP response splitting
<p>This code directly writes an HTTP parameter to an HTTP header, which allows for an HTTP response splitting
vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a>
for more information.</p>
<p>SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting.
@@ -3779,7 +3779,7 @@ Thus, having a mutable instance field generally creates race conditions.
<p> This code seems to be using non-short-circuit logic (e.g., &amp;
or |)
rather than short-circuit logic (&amp;&amp; or ||). In addition,
it seem possible that, depending on the value of the left hand side, you might not
it seems possible that, depending on the value of the left hand side, you might not
want to evaluate the right hand side (because it would have side effects, could cause an exception
or could be expensive.</p>
<p>
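Review bot: the `it seem` to `it seems` fix leaves the parenthesis opened at `(because it would have side effects` unclosed; the sentence should end `or could be expensive).</p>`.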
@@ -3840,7 +3840,7 @@ Language Specification</a> for details.
will only give up one lock and the notify will be unable to get both locks,
and thus the notify will not succeed.
&nbsp; If there is also a warning about a two lock wait, the
probably of a bug is quite high.
probability of a bug is quite high.
</p>
]]>
</Details>
@@ -4318,7 +4318,7 @@ could be changed by malicious code or
<Details>
<![CDATA[
<p>
An inner class is invoking a method that could be resolved to either a inherited method or a method defined in an outer class.
An inner class is invoking a method that could be resolved to either an inherited method or a method defined in an outer class.
For example, you invoke <code>foo(17)</code>, which is defined in both a superclass and in an outer method.
By the Java semantics,
it will be resolved to invoke the inherited method, but this may not be what
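Review bot: `an inherited method` is right, but the following line still says `defined in both a superclass and in an outer method`, which contradicts the sentence before it (`a method defined in an outer class`) and doubles the `in`; it should read `defined both in a superclass and in an outer class`.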
@@ -5099,7 +5099,7 @@ dereferencing this value will generate a null pointer exception.
<![CDATA[
<p> This field is never initialized within any constructor, and is therefore could be null after
the object is constructed. Elsewhere, it is loaded and dereferenced without a null check.
This could be a either an error or a questionable design, since
This could be either an error or a questionable design, since
it means a null pointer exception will be generated if that field is dereferenced
before being initialized.
</p>
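Review bot: `a either` is fixed, but the first line of the same paragraph, `This field is never initialized within any constructor, and is therefore could be null after`, is still ungrammatical; it should read `and therefore could be null after`.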
@@ -5324,9 +5324,9 @@ is important or acceptable.
<LongDescription>Return value of {2.givenClass} ignored, but method has no side effect</LongDescription>
<Details>
<![CDATA[
<p>This code calls a method and ignores the return value. However our analysis shows that
<p>This code calls a method and ignores the return value. However, our analysis shows that
the method (including its implementations in subclasses if any) does not produce any effect
other than return value. Thus this call can be removed.
other than return value. Thus, this call can be removed.
</p>
<p>We are trying to reduce the false positives as much as possible, but in some cases this warning might be wrong.
Common false-positive cases include:</p>
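Review bot: with the commas added after `However` and `Thus`, `does not produce any effect other than return value` still lacks an article; `other than its return value` reads correctly.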
@@ -5927,7 +5927,7 @@ different types. The result of this comparison will always be false at runtime.
<p> This method calls equals(Object) on two references of different
class types and analysis suggests they will be to objects of different classes
at runtime. Further, examination of the equals methods that would be invoked suggest that either
this call will always return false, or else the equals method is not be symmetric (which is
this call will always return false, or else the equals method is not symmetric (which is
a property required by the contract
for equals in class Object).
</p>
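Review bot: `is not be symmetric` is fixed, but `examination of the equals methods that would be invoked suggest that` on the line above needs `suggests` to agree with the singular subject `examination`.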
@@ -6890,7 +6890,7 @@ less confusing to explicitly check pointer equality using <code>==</code>.
<Details>
<![CDATA[
<p>
This method invokes the .equals(Object o) to compare two arrays, but the arrays of
This method invokes the .equals(Object o) to compare two arrays, but the arrays
of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[]).
They will never be equal. In addition, when equals(...) is used to compare arrays it
only checks to see if they are the same array, and ignores the contents of the arrays.
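Review bot: removing the stray `of` still leaves the clause without a verb: `but the arrays of incompatible types (e.g., ...)`. It should read `but the arrays are of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[])`.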
@@ -7326,7 +7326,7 @@ just use the constant. Methods detected are:
reference). Client classes that use this class, may, in addition, use an instance of this class
as a synchronizing object. Because two classes are using the same object for synchronization,
Multithread correctness is suspect. You should not synchronize nor call semaphore methods on
a public reference. Consider using a internal private member variable to control synchronization.
a public reference. Consider using an internal private member variable to control synchronization.
</p>
]]>
</Details>
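Review bot: `an internal` is correct; in the same paragraph, `Multithread correctness is suspect` has a mid-sentence capital `M`, and `Client classes that use this class, may, in addition, use` has a comma between subject and verb. Both are worth fixing in the same pass.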
@@ -7654,7 +7654,7 @@ better to do a null test rather than an instanceof test.
<Details>
<![CDATA[
<p>
This cast is unchecked, and not all instances of the type casted from can be cast to
This cast is unchecked, and not all instances of the type cast from can be cast to
the type it is being cast to. Check that your program logic ensures that this
cast will not fail.
</p>
@@ -9004,7 +9004,7 @@ Using floating-point variables should not be used as loop counters, as they are
<LongDescription>Assertion validates method argument at {1}. If assertions are disabled, there won't be any argument validation.</LongDescription>
<Details>
<![CDATA[
<p>Asssertions must not be used to validate arguments of public methods because the validations are
<p>Assertions must not be used to validate arguments of public methods because the validations are
not performed if assertions are disabled.</p>
<p>
@@ -59,16 +59,16 @@ private static class CallerInfo {
}

// For methods called using the standard way
private static final Map<XMethod, CallerInfo> callerConstructors = new HashMap<>();
private static final Map<XMethod, CallerInfo> callerClones = new HashMap<>();
private static final Map<XMethod, XMethod> callsToOverridable = new HashMap<>();
private static final MultiMap<XMethod, XMethod> callerToCalleeMap = new MultiMap<>(ArrayList.class);
private static final MultiMap<XMethod, XMethod> calleeToCallerMap = new MultiMap<>(ArrayList.class);
private final Map<XMethod, CallerInfo> callerConstructors = new HashMap<>();
private final Map<XMethod, CallerInfo> callerClones = new HashMap<>();
private final Map<XMethod, XMethod> callsToOverridable = new HashMap<>();
private final MultiMap<XMethod, XMethod> callerToCalleeMap = new MultiMap<>(ArrayList.class);
private final MultiMap<XMethod, XMethod> calleeToCallerMap = new MultiMap<>(ArrayList.class);

// For methods called using method references
private static final Map<Integer, CallerInfo> refCallerConstructors = new HashMap<>();
private static final Map<Integer, CallerInfo> refCallerClones = new HashMap<>();
private static final MultiMap<Integer, XMethod> refCalleeToCallerMap = new MultiMap<>(ArrayList.class);
private final Map<Integer, CallerInfo> refCallerConstructors = new HashMap<>();
private final Map<Integer, CallerInfo> refCallerClones = new HashMap<>();
private final MultiMap<Integer, XMethod> refCalleeToCallerMap = new MultiMap<>(ArrayList.class);


private final BugAccumulator bugAccumulator;
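Review bot: turning the five caller/callee maps and the three `ref*` maps from `static final` into instance fields removes state that was shared by every `FindOverridableMethodCall` instance in the JVM, which is the thread-safety problem the CHANGELOG entry for #2701 names. The maps are still plain `HashMap`s and `ArrayList`-backed `MultiMap`s, so the fix relies on each detector instance being driven by a single thread; a comment next to the fields stating that invariant would keep the next reader from reintroducing `static`. Confirm also that nothing read these maps across detector instances (for example between analysis passes), since that behaviour is gone with this change.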
@@ -303,7 +303,7 @@ private boolean checkAndRecordCallBetweenNonOverridableMethods(XMethod caller, X
}

private XMethod getIndirectlyCalledOverridable(XMethod caller) {
return getIndirectlyCalledOverridable(caller, new HashSet<XMethod>());
return getIndirectlyCalledOverridable(caller, new HashSet<>());
}

private XMethod getIndirectlyCalledOverridable(XMethod caller, Set<XMethod> visited) {
@@ -334,7 +334,7 @@ private CallerInfo getIndirectCallerClone(XMethod callee) {
}

private CallerInfo getIndirectCallerSpecial(XMethod callee, Map<XMethod, CallerInfo> map) {
return getIndirectCallerSpecial(callee, map, new HashSet<XMethod>());
return getIndirectCallerSpecial(callee, map, new HashSet<>());
}

private CallerInfo getIndirectCallerSpecial(XMethod callee, Map<XMethod, CallerInfo> map, Set<XMethod> visited) {
7 changes: 5 additions & 2 deletions spotbugs/src/main/java/edu/umd/cs/findbugs/filter/Filter.java
@@ -20,11 +20,13 @@
package edu.umd.cs.findbugs.filter;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Reader;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.IdentityHashMap;
import java.util.Iterator;

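Review bot: `java.io.File` is still imported although the only use visible in this change, `new File(fileName)` in `parse`, is removed; if nothing else in `Filter.java` uses it, the import is now unused and should go together with the removed `FileInputStream` import.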
@@ -204,7 +206,8 @@ public boolean match(BugInstance bugInstance) {
* @throws ParserConfigurationException
*/
private void parse(String fileName) throws IOException, SAXException, ParserConfigurationException {
FileInputStream fileInputStream = new FileInputStream(new File(fileName));
Path path = FileSystems.getDefault().getPath(fileName);
InputStream fileInputStream = Files.newInputStream(path);
parse(fileName, fileInputStream);
}

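Review bot: `Files.newInputStream(path)` throws `java.nio.file.NoSuchFileException` for a missing file where `new FileInputStream(new File(fileName))` threw `java.io.FileNotFoundException`; both are `IOException`s, so the method signature is unchanged, but any caller that catches `FileNotFoundException` specifically (or matches on its message) will now miss that case, so grep the callers before merging. `FileSystems.getDefault().getPath(fileName)` can be written more simply as `Paths.get(fileName)` (or `Path.of(fileName)` on Java 11 and later). As before, the stream is handed to `parse(fileName, fileInputStream)` without a try-with-resources in this method, so closing it depends on that overload; if the overload does not close the stream on every path, it leaks.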
