diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json index 87cbe8691bb..2b607b5003f 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json @@ -1,25 +1,23 @@ { - "title": "Unnecessary parentheses should be removed", + "title": "Redundant pairs of parentheses should be removed", "type": "CODE_SMELL", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CLEAR" + }, "status": "ready", "remediation": { "func": "Constant\/Issue", - "constantCost": "2 min" + "constantCost": "1min" }, "tags": [ - "clippy", - "redundant", - "readability" + "confusing" ], - "defaultSeverity": "Minor", + "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1110", "sqKey": "S1110", "scope": "All", - "quickfix": "unknown", - "code": { - "impacts": { - "MAINTAINABILITY": "LOW" - }, - "attribute": "CLEAR" - } + "quickfix": "unknown" } diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json index fc12ceb2ead..bd8ee22ae12 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json @@ -16,7 +16,8 @@ "tags": [ "cwe", "cert", - "former-hotspot" + "former-hotspot", + "secret" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2068", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html index 00f6d99b765..436bf70b77a 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2077.html @@ -2,7 +2,7 @@
When SQL queries are constructed by concatenating or formatting user-supplied values directly into the query string, the structure of the query itself can be altered by a malicious input. This rule flags calls to SQL execution functions where the query string is built using string -concatenation or format operators rather than parameterized queries or prepared statements. Unlike rule {rule:javasecurity:S3649}, this rule does not perform +concatenation or format operators rather than parameterized queries or prepared statements. Unlike rule {rule:java:S3649}, this rule does not perform taint analysis — it flags all dynamically formatted SQL queries as a potential risk regardless of the data source.
The Spring Framework provides several specializations of the generic @Component stereotype annotation which better express the programmer's intent. Using them should be preferred.
Spring provides specialized stereotype annotations (@Service, @Repository, @Controller, and @RestController) that make code more expressive and provide additional semantics. When a class name suggests it should use one of these specialized annotations but uses @Component instead, it reduces code clarity.
Replace @Component with the appropriate specialized annotation based on the class's role in the application.
-@Component // Noncompliant +The Spring Framework provides several specializations of the generic
+@Componentstereotype annotation which better express the +programmer’s intent. Using them should be preferred.Noncompliant code example
++@Component // Noncompliant; class name suggests it's a @Service public class CustomerServiceImpl { // ... } -@Component // Noncompliant +@Component // Noncompliant; class name suggests it's a @Repository public class ProductRepository { // ... } -@Component // Noncompliant +@Component // Noncompliant; class name suggests it's a @Controller or @RestController public class FooBarRestController { // ... }-Compliant solution
-+Compliant solution
+@Service // Compliant public class CustomerServiceImpl { // ... @@ -37,9 +34,15 @@Compliant solution
public class FooBarRestController { // ... } + +@Component // Compliant +public class SomeOtherComponent { + // ... +}Resources
-Documentation
Explicitly specify rollbackFor to include the checked exceptions that should trigger a rollback. This is the most common fix, as most
checked exceptions represent error conditions that should prevent the transaction from committing.
Choose your approach based on the exception’s meaning:
+rollbackFor with specific exception types when you know exactly which exceptions represent failures requiring rollbackrollbackFor = Exception.class when the method throws Exception or multiple checked exception types that all
+ represent failuresnoRollbackFor only when a checked exception represents an expected, recoverable condition where you intentionally want the
+ transaction to commit (such as a notification failure after successfully saving core data)@@ -107,10 +115,9 @@Compliant solution
Resources
Documentation
This is an issue when a Spring @Configuration class is declared final. Spring needs to create CGLIB proxies for
+configuration classes that contain @Bean methods, and the final modifier prevents the necessary subclassing.
Spring Framework uses CGLIB proxies to enforce singleton semantics for beans defined in @Configuration classes. When you call a
@Bean method from within another @Bean method, Spring intercepts the call through a proxy to return the singleton instance
rather than creating a new object.
The Java final keyword prevents class inheritance, which blocks CGLIB from creating the necessary subclass proxy. Without this proxy,
-inter-bean method calls create new instances instead of retrieving the singleton, breaking Spring's container management.
This typically manifests as a ConfigurationClassPostProcessor exception during application startup, preventing the Spring context from
initializing.
When Spring @Configuration classes are marked final, the application fails to start. The
ConfigurationClassPostProcessor throws an exception because CGLIB cannot create the required proxy subclass.
If this check were bypassed, the impact would be more subtle: inter-bean method calls would create duplicate instances instead of using singletons, @@ -16,7 +18,11 @@
If you see this issue but your configuration class genuinely doesn’t call other @Bean methods directly, consider using
+@Configuration(proxyBeanMethods = false) instead of suppressing the issue. This makes the intent explicit and improves startup
+performance. Mark this as a false positive only if the class is not actually a @Configuration class or if the final modifier
+is required by a framework constraint you cannot control.
Remove the final modifier from the @Configuration class. This allows Spring to create the CGLIB proxy needed to enforce
singleton semantics for inter-bean method calls.
If you don't need inter-bean method calls and want to optimize startup performance, use @Configuration(proxyBeanMethods = false). This
+
If you don’t need inter-bean method calls and want to optimize startup performance, use @Configuration(proxyBeanMethods = false). This
disables CGLIB proxying, allowing the class to be final. However, you must use dependency injection instead of calling @Bean
methods directly.