SonarSource
diff --git a/‎its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java‎
Lines changed: 1 addition & 1 deletion b/‎its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json‎
Lines changed: 6 additions & 6 deletions b/‎its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎java-checks-test-sources/pom.xml‎
Lines changed: 12 additions & 0 deletions b/‎java-checks-test-sources/pom.xml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/files/non-compiling/checks/security/CookieHttpOnlyCheck.java‎
Lines changed: 40 additions & 0 deletions b/‎java-checks-test-sources/src/main/files/non-compiling/checks/security/CookieHttpOnlyCheck.java‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/java/annotations/nullability/no_default/JakartaNullabilityAnnotation.java‎
Lines changed: 11 additions & 0 deletions b/‎java-checks-test-sources/src/main/java/annotations/nullability/no_default/JakartaNullabilityAnnotation.java‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/java/checks/LeastSpecificTypeCheck.java‎
Lines changed: 27 additions & 0 deletions b/‎java-checks-test-sources/src/main/java/checks/LeastSpecificTypeCheck.java‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/java/checks/regex/RedosCheck.java‎
Lines changed: 3 additions & 0 deletions b/‎java-checks-test-sources/src/main/java/checks/regex/RedosCheck.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/java/checks/regex/RedosCheckJava8.java‎
Lines changed: 3 additions & 0 deletions b/‎java-checks-test-sources/src/main/java/checks/regex/RedosCheckJava8.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎java-checks-test-sources/src/main/java/checks/security/CookieHttpOnlyCheck.java‎
Lines changed: 160 additions & 2 deletions b/‎java-checks-test-sources/src/main/java/checks/security/CookieHttpOnlyCheck.java‎
Lines changed: 160 additions & 2 deletions
@@ -188,7 +188,7 @@ public void javaCheckTestSources() throws Exception {
      * No differences would mean that we find the same issues with and without the bytecode and libraries
      */
     String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));
-    assertThat(differences).isEqualTo("Issues differences: 3254");
+    assertThat(differences).isEqualTo("Issues differences: 3294");
   }
 
   private static Path pathFor(String path) {
 
@@ -302,7 +302,7 @@
   {
     "ruleKey": "S1161",
     "hasTruePositives": true,
-    "falseNegatives": 6,
+    "falseNegatives": 7,
     "falsePositives": 0
   },
   {
@@ -338,7 +338,7 @@
   {
     "ruleKey": "S1172",
     "hasTruePositives": true,
-    "falseNegatives": 11,
+    "falseNegatives": 13,
     "falsePositives": 0
   },
   {
@@ -698,7 +698,7 @@
   {
     "ruleKey": "S1874",
     "hasTruePositives": true,
-    "falseNegatives": 89,
+    "falseNegatives": 102,
     "falsePositives": 0
   },
   {
@@ -974,7 +974,7 @@
   {
     "ruleKey": "S2160",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 1,
     "falsePositives": 0
   },
   {
@@ -1322,7 +1322,7 @@
   {
     "ruleKey": "S2637",
     "hasTruePositives": true,
-    "falseNegatives": 19,
+    "falseNegatives": 21,
     "falsePositives": 0
   },
   {
@@ -1610,7 +1610,7 @@
   {
     "ruleKey": "S3330",
     "hasTruePositives": true,
-    "falseNegatives": 30,
+    "falseNegatives": 51,
     "falsePositives": 0
   },
   {
 
@@ -386,6 +386,18 @@
       <type>jar</type>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>jakarta.ws.rs</groupId>
+      <artifactId>jakarta.ws.rs-api</artifactId>
+      <version>3.1.0</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+      <version>6.0.0</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>javax.inject</groupId>
       <artifactId>javax.inject</artifactId>
 
@@ -83,3 +83,43 @@ void baw() {
     Unknown.unkown(() -> { Class<String> v = unknown(); });
   }
 }
+
+class JakartaCookieHttpOnlyCheck {
+
+  jakarta.servlet.http.Cookie field4;
+  jakarta.servlet.http.Cookie field6;
+
+  void servletCookie(boolean param, jakarta.servlet.http.Cookie c0) {
+    field6.setHttpOnly(false); // Noncompliant
+
+    jakarta.servlet.http.Cookie c7 = new UnknownCookie("name", "value"); // Noncompliant
+    Object c8 = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+
+    jakarta.servlet.http.Cookie c13;
+    c13 = new UnknownCookie("name", "value"); // Noncompliant
+
+    field4 = new jakarta.servlet.http.Cookie("name, value"); // FN
+  }
+
+  jakarta.servlet.http.Cookie getC0() {
+    return new UnknownCookie("name", "value"); // FN
+  }
+
+  void compliant(jakarta.ws.rs.core.Cookie c) {
+    c.isHttpOnly();
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookie extends jakarta.servlet.http.Cookie {
+  public jakarta.servlet.http.Cookie c;
+  public void setHttpOnly(boolean isHttpOnly) { }
+  void foo() {
+    setHttpOnly(false); // Noncompliant
+  }
+  void bar(boolean x) {
+    setHttpOnly(x);
+  }
+  void baz() {
+    setHttpOnly(true);
+  }
+}
@@ -0,0 +1,11 @@
+package annotations.nullability.no_default;
+
+import jakarta.annotation.Nonnull;
+import jakarta.annotation.Nullable;
+
+public class JakartaNullabilityAnnotation {
+  @Nullable
+  Object id9002_type_WEAK_NULLABLE_level_VARIABLE;
+  @Nonnull
+  Object id9003_type_NON_NULL_level_VARIABLE;
+}
@@ -90,6 +90,33 @@ public void autowiredMethod3(List<Object> list) { // Compliant - List interface
     list.size();
   }
 
+  @jakarta.annotation.Resource
+  public void jakartaResourceAnnotatedMethod3(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
+  @jakarta.inject.Inject
+  public void jakartaInjectAnnotatedMethod1(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+  @jakarta.annotation.Resource
+  public void jakartaRAnnotatedMethod4(Collection<Object> list) { // Compliant - since Spring annotated methods cannot take 'Iterable' as argument
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
+  @jakarta.inject.Inject
+  public void jakartaInjectAnnotatedMethod2(Collection<Object> list) { // Compliant - since Spring annotated methods cannot take 'Iterable' as argument
+    for (Object o : list) {
+      o.toString();
+    }
+  }
+
   public static void staticMethod(List<Object> list) { // Noncompliant {{Use 'java.util.Collection' here; it is a more general type than 'List'.}}
     list.size();
   }
 
@@ -8,6 +8,9 @@ public class RedosCheck {
   @Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=9]] {{Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.}}
   String email;
 
+  @jakarta.validation.constraints.Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=40]] {{Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.}}
+  String email2;
+
   void realWorldExamples(String str) {
     String cloudflareAttack = "(?:(?:\"|'|\\]|\\}|\\\\|\\d|(?:nan|infinity|true|false|null|undefined|symbol|math)|\\`|\\-|\\+)+[)]*;?((?:\\s|-|~|!|\\{\\}|\\|\\||\\+)*.*(?:.*=.*)))";
     String stackOverflowAttack = "^[\\s\\u200c]+|[\\s\\u200c]+$";
 
@@ -7,6 +7,9 @@ public class RedosCheckJava8 {
   @Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=9]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
   String email;
 
+  @jakarta.validation.constraints.Email(regexp = "(.*-)*@.*") // Noncompliant [[sc=4;ec=40]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
+  String email2;
+
   void alwaysExponential(String str) {
     str.matches("(.*,)*?"); // Noncompliant [[sc=9;ec=16]] {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
     str.matches("(.?,)*?"); // Noncompliant {{Make sure the regex used here, which is vulnerable to exponential runtime due to backtracking, cannot lead to denial of service.}}
 
@@ -256,17 +256,175 @@ void baz() {
 
 class CookieHttpOnlyCheckCookieB {
   CookieHttpOnlyCheckCookieA a;
-  public void setHttpOnly(boolean isHttpOnly) { }
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
   void foo() {
     setHttpOnly(false);
   }
-  void bar() { return; }
+
+  void bar() {
+    return;
+  }
+
   CookieHttpOnlyCheckCookieA getA() {
     return new CookieHttpOnlyCheckCookieA(); // Noncompliant
   }
+
   void baw() {
     int i;
     i = 1;
     a.c = new Cookie("1", "2"); // FN
   }
 }
+
+class JakartaCookieHttpOnlyCheckCookieACookieHttpOnlyCheck {
+
+  private static final boolean FALSE_CONSTANT = false;
+
+  jakarta.servlet.http.Cookie field1 = new jakarta.servlet.http.Cookie("name", "value"); // FN
+  jakarta.ws.rs.core.Cookie field3 = new jakarta.ws.rs.core.Cookie("name", "value"); // FN
+  jakarta.servlet.http.Cookie field6;
+  void servletCookie(boolean param, jakarta.servlet.http.Cookie c0) {
+    c0.setHttpOnly(false); // Noncompliant [[sc=19;ec=26]] {{Make sure creating this cookie without the "HttpOnly" flag is safe.}}
+    field6.setHttpOnly(false); // Noncompliant
+
+    jakarta.servlet.http.Cookie c1 = new jakarta.servlet.http.Cookie("name", "value");
+    if (param) {
+      c1.setHttpOnly(false); // Noncompliant
+    } else {
+      c1.setHttpOnly(true);
+    }
+
+    jakarta.servlet.http.Cookie c2 = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant [[sc=42;ec=69]]
+
+    c1.setHttpOnly(false); // Noncompliant
+
+    c1.setHttpOnly(FALSE_CONSTANT); // Noncompliant
+
+    boolean b = false;
+    c1.setHttpOnly(b); // Noncompliant
+
+    c1.setHttpOnly(param);
+
+    jakarta.servlet.http.Cookie c3;
+    c3 = new jakarta.servlet.http.Cookie("name", "value");
+    c3.setHttpOnly(false); // Noncompliant
+
+    c3.setHttpOnly(true);
+
+    boolean bValue = true;
+    c3.setHttpOnly(!bValue); // FN
+  }
+
+  jakarta.servlet.http.Cookie getC1() {
+    return new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant [[sc=16;ec=43]]
+  }
+
+  jakarta.servlet.http.Cookie returnHttpCookie(jakarta.servlet.http.HttpServletResponse response) {
+    jakarta.servlet.http.Cookie cookie = new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+    response.addCookie(new jakarta.servlet.http.Cookie("name", "value")); // Noncompliant
+    return new jakarta.servlet.http.Cookie("name", "value"); // Noncompliant
+  }
+
+  void jakartaRsCookie() {
+    jakarta.ws.rs.core.Cookie c1 = new jakarta.ws.rs.core.Cookie("name", "value"); // Noncompliant
+    jakarta.ws.rs.core.Cookie c2 = new jakarta.ws.rs.core.Cookie("name", "value", "path", "domain"); // Noncompliant
+  }
+
+  void jakartaRsNewCookie(jakarta.ws.rs.core.Cookie cookie) {
+    jakarta.ws.rs.core.NewCookie c1 = new jakarta.ws.rs.core.NewCookie("name", "value", "path", "domain", "comment", 1, true); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c2 = new jakarta.ws.rs.core.NewCookie(cookie, "comment", 2, true); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c3 = new jakarta.ws.rs.core.NewCookie(cookie); // Noncompliant
+    jakarta.ws.rs.core.NewCookie c4 = new jakarta.ws.rs.core.NewCookie(cookie, "c", 1, true); // Noncompliant
+
+    jakarta.ws.rs.core.NewCookie c5 = new jakarta.ws.rs.core.NewCookie(cookie, "c", 1, new Date(), false, true); // last param is HttpOnly
+    jakarta.ws.rs.core.NewCookie c6 = new jakarta.ws.rs.core.NewCookie("1", "2", "3", "4", 5, "6", 7, new Date(), false, true);
+    jakarta.ws.rs.core.NewCookie c7 = new jakarta.ws.rs.core.NewCookie("1", "2", "3", "4", "5", 6, false, true);
+  }
+
+  jakarta.ws.rs.core.NewCookie getC3() {
+    return new jakarta.ws.rs.core.NewCookie("name", "value", "path", "domain", "comment", 1, true); // Noncompliant
+  }
+
+  // SONARJAVA-2772
+  jakarta.servlet.http.Cookie xsfrToken() {
+    String cookieName = "XSRF-TOKEN";
+
+    jakarta.servlet.http.Cookie xsfrToken = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value"); // OK, used to implement XSRF
+    xsfrToken.setHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken2 = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+    xsfrToken2.setHttpOnly(true);
+
+    jakarta.servlet.http.Cookie xsfrToken3 = new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+
+    jakarta.ws.rs.core.Cookie xsfrToken6 = new jakarta.ws.rs.core.Cookie("XSRF-TOKEN", "value");
+
+    jakarta.ws.rs.core.Cookie xsfrToken7 = new jakarta.ws.rs.core.Cookie("XSRF-TOKEN", "value", "path", "domain");
+
+    play.mvc.Http.CookieBuilder xsfrToken10;
+    xsfrToken10 = play.mvc.Http.Cookie.builder("XSRF-TOKEN", "2");
+    xsfrToken10.withHttpOnly(false);
+
+    play.mvc.Http.CookieBuilder xsfrToken11 = play.mvc.Http.Cookie.builder("XSRF-TOKEN", "2");
+    xsfrToken11.withHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken12 = new jakarta.servlet.http.Cookie("CSRFToken", "value");
+    xsfrToken12.setHttpOnly(false);
+
+    jakarta.servlet.http.Cookie xsfrToken13 = new jakarta.servlet.http.Cookie("Csrf-token", "value");
+    xsfrToken13.setHttpOnly(false);
+
+    return new jakarta.servlet.http.Cookie("XSRF-TOKEN", "value");
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookieA extends jakarta.servlet.http.Cookie {
+  public jakarta.servlet.http.Cookie c;
+
+  public JakartaCookieHttpOnlyCheckCookieA() {
+    super("name", "value");
+  }
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
+  void foo() {
+    setHttpOnly(false); // Noncompliant
+  }
+
+  void bar(boolean x) {
+    setHttpOnly(x);
+  }
+
+  void baz() {
+    setHttpOnly(true);
+  }
+}
+
+class JakartaCookieHttpOnlyCheckCookieB {
+  JakartaCookieHttpOnlyCheckCookieA a;
+
+  public void setHttpOnly(boolean isHttpOnly) {
+  }
+
+  void foo() {
+    setHttpOnly(false);
+  }
+
+  void bar() {
+    return;
+  }
+
+  JakartaCookieHttpOnlyCheckCookieA getC() {
+    return new JakartaCookieHttpOnlyCheckCookieA(); // Noncompliant
+  }
+
+  void baw() {
+    int i;
+    i = 1;
+    a.c = new jakarta.servlet.http.Cookie("1", "2"); // FN
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ public void javaCheckTestSources() throws Exception {`
`188`	`188`	`* No differences would mean that we find the same issues with and without the bytecode and libraries`
`189`	`189`	`*/`
`190`	`190`	`String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));`
`191`		`- assertThat(differences).isEqualTo("Issues differences: 3254");`
	`191`	`+ assertThat(differences).isEqualTo("Issues differences: 3294");`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`private static Path pathFor(String path) {`
Original file line number	Diff line number	Diff line change
`@@ -302,7 +302,7 @@`
`302`	`302`	`{`
`303`	`303`	`"ruleKey": "S1161",`
`304`	`304`	`"hasTruePositives": true,`
`305`		`- "falseNegatives": 6,`
	`305`	`+ "falseNegatives": 7,`
`306`	`306`	`"falsePositives": 0`
`307`	`307`	`},`
`308`	`308`	`{`
`@@ -338,7 +338,7 @@`
`338`	`338`	`{`
`339`	`339`	`"ruleKey": "S1172",`
`340`	`340`	`"hasTruePositives": true,`
`341`		`- "falseNegatives": 11,`
	`341`	`+ "falseNegatives": 13,`
`342`	`342`	`"falsePositives": 0`
`343`	`343`	`},`
`344`	`344`	`{`
`@@ -698,7 +698,7 @@`
`698`	`698`	`{`
`699`	`699`	`"ruleKey": "S1874",`
`700`	`700`	`"hasTruePositives": true,`
`701`		`- "falseNegatives": 89,`
	`701`	`+ "falseNegatives": 102,`
`702`	`702`	`"falsePositives": 0`
`703`	`703`	`},`
`704`	`704`	`{`
`@@ -974,7 +974,7 @@`
`974`	`974`	`{`
`975`	`975`	`"ruleKey": "S2160",`
`976`	`976`	`"hasTruePositives": true,`
`977`		`- "falseNegatives": 0,`
	`977`	`+ "falseNegatives": 1,`
`978`	`978`	`"falsePositives": 0`
`979`	`979`	`},`
`980`	`980`	`{`
`@@ -1322,7 +1322,7 @@`
`1322`	`1322`	`{`
`1323`	`1323`	`"ruleKey": "S2637",`
`1324`	`1324`	`"hasTruePositives": true,`
`1325`		`- "falseNegatives": 19,`
	`1325`	`+ "falseNegatives": 21,`
`1326`	`1326`	`"falsePositives": 0`
`1327`	`1327`	`},`
`1328`	`1328`	`{`
`@@ -1610,7 +1610,7 @@`
`1610`	`1610`	`{`
`1611`	`1611`	`"ruleKey": "S3330",`
`1612`	`1612`	`"hasTruePositives": true,`
`1613`		`- "falseNegatives": 30,`
	`1613`	`+ "falseNegatives": 51,`
`1614`	`1614`	`"falsePositives": 0`
`1615`	`1615`	`},`
`1616`	`1616`	`{`