
Security - Array is stored directly weirdness


Security - Array is stored directly weirdness

Ann Campbell
Below is a message from a user trying to clean up his project's score.

The method(s) he's looking at started out something like this:

        public void setInventoryClassId(String[] inventoryClassId)
        {                
                this.inventoryClassId = inventoryClassId;
        }

They, of course, get flagged with "Security - Array is stored directly".

As you'll see below, in order to eliminate all the violations he ended up having to change the method's parameter name to something that didn't match the member name. All of this seems very odd to me. Our primary instance of Sonar is 2.12, but I also had him point Eclipse to my test instance of 2.13RC2. Same results.

BTW, he did say he performed a full clean-and-build between each iteration.

Is it possible that there's something odd going on at the Eclipse plugin level? His project manager won't allow him to check in right now so doing a full/real/non-local analysis is a bit of a problem, but if need be I can set him up with the simple Java Runner ...

Since these are Findbugs violations, and since Findbugs 2.0 has been released... is the current answer just to jump through the method param rename hoops until Findbugs 2.0 can be integrated into Sonar?


Ann Campbell
Engineer-Systems Sr.-IS Prod Sys-Shop Floor Sys
Shaw Industries Inc.
201 South Hamilton Street
Dalton, GA 30720
Email: [hidden email]  Office: 706.275.3857


----- Forwarded by Ann Campbell/SHAW on 01/11/2012 04:26 PM -----

This throws 2 violations and should throw none.


        public void setInventoryClassId(String[] inventoryClassId)
        {                
                if(inventoryClassId == null)
                {
                        this.inventoryClassId = new String[0];
                }
                else
                {
                        this.inventoryClassId = Arrays.copyOf(inventoryClassId, inventoryClassId.length);
                }
               
        }

Violations returned:
Security - Array is stored directly        MaterialSearchRequest.java        The user-supplied array 'inventoryClassId' is stored directly.
Security - Array is stored directly        MaterialSearchRequest.java        The user-supplied array 'inventoryClassId' is stored directly.        





This throws 3 violations (and should only throw 1, for the empty if). Notice that the method parameter array is never assigned to anything!


        public void setInventoryClassId(String[] inventoryClassId)
        {                
                if(inventoryClassId == null)
                {
                        this.inventoryClassId = new String[0];
                }
                else
                {
                        //this.inventoryClassId = Arrays.copyOf(inventoryClassId, inventoryClassId.length);
                }
               
        }

Violations returned:
Empty If Stmt        MaterialSearchRequest.java        Avoid empty if statements
Security - Array is stored directly        MaterialSearchRequest.java        The user-supplied array 'inventoryClassId' is stored directly.
Security - Array is stored directly        MaterialSearchRequest.java        The user-supplied array 'inventoryClassId' is stored directly.



This throws no violations (method parameter renamed to anything else).


        public void setInventoryClassId(String[] newInventoryClassId)
        {                
                if(newInventoryClassId == null)
                {
                        this.inventoryClassId = new String[0];
                }
                else
                {
                        this.inventoryClassId = Arrays.copyOf(newInventoryClassId, newInventoryClassId.length);
                }
               
        }





Roland Rankin
Engineer-Systems Sr.-IS Prod Sys-Shop Floor Sys
Shaw Industries Inc.
201 South Hamilton Street
Dalton, GA 30720
Email: [hidden email]  Office: 706.275.3932
Cell: 706.934.3632

Plant IS



Attachments:
- Only Copy Assignment.png (39K)
- No Assignment At All.png (46K)
- Renamed variables and violations disappear.png (27K)
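As an added example (not code from the thread, and not Sonar's or the analysis tool's own code), the stand-alone Java program below puts Roland's original setter next to his copy-on-set version and shows the aliasing the "Array is stored directly" rule is about: a caller who keeps a handle to the array it passed in can change the object's state without ever calling the setter again. The class names `ArrayStoreDemo`, `DirectStore` and `DefensiveStore`, and the sample values, are made up for illustration; the getter that returns a copy is the matching fix on the read side and is not part of the thread.

```java
import java.util.Arrays;

// Added example: why storing a caller's array directly is flagged, and what
// the defensive copy changes. Class names and sample data are constructed.
public class ArrayStoreDemo {

    // Hypothetical holder whose setter keeps the caller's array reference,
    // exactly like the setter Roland started from.
    static class DirectStore {
        private String[] inventoryClassId = new String[0];

        public void setInventoryClassId(String[] inventoryClassId) {
            // The caller still owns a reference to what is now our internal state.
            this.inventoryClassId = inventoryClassId;
        }

        public String[] getInventoryClassId() {
            // Hands the internal array itself to the caller: same problem, other direction.
            return inventoryClassId;
        }
    }

    // The same holder after the fix discussed in the thread: copy on the way in,
    // normalise null to an empty array, and copy on the way out as well.
    static class DefensiveStore {
        private String[] inventoryClassId = new String[0];

        public void setInventoryClassId(String[] newInventoryClassId) {
            if (newInventoryClassId == null) {
                this.inventoryClassId = new String[0];
            } else {
                this.inventoryClassId = Arrays.copyOf(newInventoryClassId, newInventoryClassId.length);
            }
        }

        public String[] getInventoryClassId() {
            // A private copy: callers may do what they like with it.
            return Arrays.copyOf(inventoryClassId, inventoryClassId.length);
        }
    }

    public static void main(String[] args) {
        String[] ids = {"A100", "B200"};          // constructed sample input

        DirectStore direct = new DirectStore();
        direct.setInventoryClassId(ids);
        ids[0] = "TAMPERED";                      // caller mutates its own array after the call
        // The change is visible through the holder: its state was altered without a setter call.
        System.out.println("direct:    " + Arrays.toString(direct.getInventoryClassId()));

        String[] ids2 = {"A100", "B200"};
        DefensiveStore safe = new DefensiveStore();
        safe.setInventoryClassId(ids2);
        ids2[0] = "TAMPERED";                     // mutating the caller's array has no effect now
        safe.getInventoryClassId()[1] = "X";      // nor does mutating what the getter returned
        System.out.println("defensive: " + Arrays.toString(safe.getInventoryClassId()));

        safe.setInventoryClassId(null);           // null is accepted and stored as an empty array
        System.out.println("after null: " + safe.getInventoryClassId().length + " element(s)");
    }
}
```

Run it with `javac ArrayStoreDemo.java && java ArrayStoreDemo`: the first line reflects the caller's later edit, the second does not, and the third shows that a null argument leaves the holder with an empty array rather than a null field. The copy is the part that matters for the object's integrity; whatever name the parameter carries, a setter that assigns the incoming reference lets every caller keep write access to the field.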

Re: Security - Array is stored directly weirdness

Fabrice Bellingard-4
On Wed, Jan 11, 2012 at 22:37, <[hidden email]> wrote:
[... snip ...]

Since these are Findbugs violations, and since Findbugs 2.0 has been released... is the current answer just to jump through the method param rename hoops until Finbugs 2.0 can be integrated into Sonar?

Having a parameter with a different name is somewhat more readable, so this is a good option to get rid of this violation IMO.

BTW, which version of Sonar Eclipse is your developer using? I've just tried to reproduce the same behaviour but everything runs fine on my Eclipse with Sonar Eclipse 2.3 (i.e. in the first example he gives, I get no error - which is logical as Findbugs works on bytecode, so it can't be fooled by variables having the same name but not the same scope).


Best regards,

Fabrice BELLINGARD | SonarSource
http://sonarsource.com
