diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S9021.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S9021.json new file mode 100644 index 00000000000..34beddc3026 --- /dev/null +++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S9021.json @@ -0,0 +1,6 @@ +{ + "ruleKey": "S9021", + "hasTruePositives": false, + "falseNegatives": 6, + "falsePositives": 0 +} diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json index 87cbe8691bb..2b607b5003f 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S1110.json @@ -1,25 +1,23 @@ { - "title": "Unnecessary parentheses should be removed", + "title": "Redundant pairs of parentheses should be removed", "type": "CODE_SMELL", + "code": { + "impacts": { + "MAINTAINABILITY": "MEDIUM" + }, + "attribute": "CLEAR" + }, "status": "ready", "remediation": { "func": "Constant\/Issue", - "constantCost": "2 min" + "constantCost": "1min" }, "tags": [ - "clippy", - "redundant", - "readability" + "confusing" ], - "defaultSeverity": "Minor", + "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1110", "sqKey": "S1110", "scope": "All", - "quickfix": "unknown", - "code": { - "impacts": { - "MAINTAINABILITY": "LOW" - }, - "attribute": "CLEAR" - } + "quickfix": "unknown" } diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json index fc12ceb2ead..bd8ee22ae12 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2068.json @@ -16,7 +16,8 @@ "tags": [ "cwe", "cert", - "former-hotspot" + "former-hotspot", + "secret" ], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2068", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2115.json b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2115.json index 38369e62a20..c7eb38ce575 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2115.json +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S2115.json @@ -13,7 +13,8 @@ "constantCost": "45min" }, "tags": [ - "cwe" + "cwe", + "secret" ], "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-2115", diff --git a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5673.html b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5673.html index 74c51da93b2..3ef379f8f9e 100644 --- a/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5673.html +++ b/sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S5673.html @@ -1,28 +1,25 @@ -
The Spring Framework provides several specializations of the generic @Component stereotype annotation which better express the programmer's intent. Using them should be preferred.
Spring provides specialized stereotype annotations (@Service, @Repository, @Controller, and @RestController) that make code more expressive and provide additional semantics. When a class name suggests it should use one of these specialized annotations but uses @Component instead, it reduces code clarity.
Replace @Component with the appropriate specialized annotation based on the class's role in the application.
-@Component // Noncompliant +The Spring Framework provides several specializations of the generic
+@Componentstereotype annotation which better express the +programmer’s intent. Using them should be preferred.Noncompliant code example
++@Component // Noncompliant; class name suggests it's a @Service public class CustomerServiceImpl { // ... } -@Component // Noncompliant +@Component // Noncompliant; class name suggests it's a @Repository public class ProductRepository { // ... } -@Component // Noncompliant +@Component // Noncompliant; class name suggests it's a @Controller or @RestController public class FooBarRestController { // ... }-Compliant solution
-+Compliant solution
+@Service // Compliant public class CustomerServiceImpl { // ... @@ -37,9 +34,15 @@Compliant solution
public class FooBarRestController { // ... } + +@Component // Compliant +public class SomeOtherComponent { + // ... +}Resources
-Documentation
Explicitly specify rollbackFor to include the checked exceptions that should trigger a rollback. This is the most common fix, as most
checked exceptions represent error conditions that should prevent the transaction from committing.
Choose your approach based on the exception’s meaning:
+rollbackFor with specific exception types when you know exactly which exceptions represent failures requiring rollbackrollbackFor = Exception.class when the method throws Exception or multiple checked exception types that all
+ represent failuresnoRollbackFor only when a checked exception represents an expected, recoverable condition where you intentionally want the
+ transaction to commit (such as a notification failure after successfully saving core data)@@ -107,10 +115,9 @@Compliant solution
Resources
Documentation
This is an issue when a Spring @Configuration class is declared final. Spring needs to create CGLIB proxies for
+configuration classes that contain @Bean methods, and the final modifier prevents the necessary subclassing.
Spring Framework uses CGLIB proxies to enforce singleton semantics for beans defined in @Configuration classes. When you call a
@Bean method from within another @Bean method, Spring intercepts the call through a proxy to return the singleton instance
rather than creating a new object.
The Java final keyword prevents class inheritance, which blocks CGLIB from creating the necessary subclass proxy. Without this proxy,
-inter-bean method calls create new instances instead of retrieving the singleton, breaking Spring's container management.
This typically manifests as a ConfigurationClassPostProcessor exception during application startup, preventing the Spring context from
initializing.
When Spring @Configuration classes are marked final, the application fails to start. The
ConfigurationClassPostProcessor throws an exception because CGLIB cannot create the required proxy subclass.
If this check were bypassed, the impact would be more subtle: inter-bean method calls would create duplicate instances instead of using singletons, @@ -16,7 +18,11 @@
If you see this issue but your configuration class genuinely doesn’t call other @Bean methods directly, consider using
+@Configuration(proxyBeanMethods = false) instead of suppressing the issue. This makes the intent explicit and improves startup
+performance. Mark this as a false positive only if the class is not actually a @Configuration class or if the final modifier
+is required by a framework constraint you cannot control.
Remove the final modifier from the @Configuration class. This allows Spring to create the CGLIB proxy needed to enforce
singleton semantics for inter-bean method calls.
If you don't need inter-bean method calls and want to optimize startup performance, use @Configuration(proxyBeanMethods = false). This
+
If you don’t need inter-bean method calls and want to optimize startup performance, use @Configuration(proxyBeanMethods = false). This
disables CGLIB proxying, allowing the class to be final. However, you must use dependency injection instead of calling @Bean
methods directly.