SONARJAVA-1225 improve handling of collections

Author: Wohops

its/ruling/src/test/resources/commons-beanutils/squid-S1948.json

@@ -8,6 +8,9 @@
 'commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils/BeanComparator.java':[
 52,
 ],
+'commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils/JDBCDynaClass.java':[
+64,
+],
 'commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils/LazyDynaBean.java':[
 145,
 154,

its/ruling/src/test/resources/jboss-ejb3-tutorial/squid-S1948.json

@@ -3,4 +3,16 @@
 45,
 46,
 ],
+'jboss-ejb3-tutorial:composite/src/org/jboss/tutorial/composite/bean/Customer.java':[
+41,
+],
+'jboss-ejb3-tutorial:composite/src/org/jboss/tutorial/composite/bean/Flight.java':[
+45,
+],
+'jboss-ejb3-tutorial:relationships/src/org/jboss/tutorial/relationships/bean/Customer.java':[
+51,
+],
+'jboss-ejb3-tutorial:relationships/src/org/jboss/tutorial/relationships/bean/Flight.java':[
+51,
+],
 }

java-checks/src/main/java/org/sonar/java/checks/serialization/SerializableFieldInSerializableClassCheck.java

@@ -20,6 +20,7 @@
 package org.sonar.java.checks.serialization;
 
 import com.google.common.collect.ImmutableList;
+
 import org.sonar.api.server.rule.RulesDefinition;
 import org.sonar.check.Priority;
 import org.sonar.check.Rule;
@@ -29,7 +30,9 @@
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.semantic.Symbol;
 import org.sonar.plugins.java.api.semantic.Type;
+import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
 import org.sonar.plugins.java.api.tree.ClassTree;
+import org.sonar.plugins.java.api.tree.ExpressionTree;
 import org.sonar.plugins.java.api.tree.IdentifierTree;
 import org.sonar.plugins.java.api.tree.MethodTree;
 import org.sonar.plugins.java.api.tree.Modifier;
@@ -44,6 +47,7 @@
 import org.sonar.squidbridge.annotations.SqaleSubCharacteristic;
 
 import javax.annotation.Nullable;
+
 import java.util.List;
 
 @Rule(
@@ -79,14 +83,47 @@ public void visitNode(Tree tree) {
   private void checkVariableMember(VariableTree variableTree) {
     if (!isExcluded(variableTree)) {
       IdentifierTree simpleName = variableTree.simpleName();
-      reportIssue(simpleName, "Make \"" + simpleName.name() + "\" transient or serializable.");
+      if (isCollectionOfSerializable(variableTree.type())) {
+        if (!ModifiersUtils.hasModifier(variableTree.modifiers(), Modifier.PRIVATE)) {
+          reportIssue(simpleName, "Make \"" + simpleName.name() + "\" private or transient.");
+        } else if (isUnserializableCollection(variableTree.type().symbolType())
+          || initializerIsUnserializableCollection(variableTree.initializer())) {
+          reportIssue(simpleName);
+        }
+        checkCollectionAssignments(variableTree.symbol().usages());
+      } else {
+        reportIssue(simpleName);
+      }
     }
   }
 
+  private static boolean initializerIsUnserializableCollection(ExpressionTree initializer) {
+    return initializer != null && isUnserializableCollection(initializer.symbolType());
+  }
+
+  private static boolean isUnserializableCollection(Type type) {
+    return !type.symbol().isInterface() && isSubtypeOfCollectionApi(type) && !implementsSerializable(type);
+  }
+
+  private void checkCollectionAssignments(List<IdentifierTree> usages) {
+    for (IdentifierTree usage : usages) {
+      Tree parentTree = usage.parent();
+      if (parentTree.is(Tree.Kind.ASSIGNMENT)) {
+        AssignmentExpressionTree assignment = (AssignmentExpressionTree) parentTree;
+        ExpressionTree expression = assignment.expression();
+        if (usage.equals(assignment.variable()) && !expression.is(Tree.Kind.NULL_LITERAL) && isUnserializableCollection(expression.symbolType())) {
+          reportIssue(usage);
+        }
+      }
+    }
+  }
+
+  private void reportIssue(IdentifierTree tree) {
+    reportIssue(tree, "Make \"" + tree.name() + "\" transient or serializable.");
+  }
+
   private static boolean isExcluded(VariableTree variableTree) {
-    return isStatic(variableTree)
-      || isTransientSerializableOrInjected(variableTree)
-      || isCollectionOfSerializable(variableTree.type());
+    return isStatic(variableTree) || isTransientSerializableOrInjected(variableTree);
   }
 
   private static boolean isCollectionOfSerializable(TypeTree typeTree) {

java-checks/src/main/resources/org/sonar/l10n/java/rules/squid/S1948.html

@@ -1,4 +1,5 @@
 <p>Fields in a <code>Serializable</code> class must themselves be either <code>Serializable</code> or <code>transient</code> even if the class is never explicitly serialized or deserialized. That's because under load, most J2EE application frameworks flush objects to disk, and an allegedly <code>Serializable</code> object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.</p>
+<p>This rule raises an issue on non-<code>Serializable</code> fields, and on collection fields when they are not <code>private</code> (because they could be assigned non-<code>Serializable</code> values externally), and when they are assigned non-<code>Serializable</code> types within the class.</p>
 
 <h2>Noncompliant Code Example</h2>
 <pre>

java-checks/src/test/files/checks/serialization/SerializableFieldInSerializableClassCheck.java

@@ -1,5 +1,7 @@
 package javax.inject;
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -40,23 +42,49 @@ class Person5 implements Serializable {
 }
 
 class Person6<E, F extends Serializable> implements Serializable {
-  List<Person6> persons; // Compliant
-  List things; // Noncompliant {{Make "things" transient or serializable.}}
-  List<MyObject> objects; // Noncompliant {{Make "objects" transient or serializable.}}
-  List<? extends MyObject> otherObjects; // Noncompliant {{Make "otherObjects" transient or serializable.}}
-  List<? extends Person6> otherPersons; // Compliant
-  List<? extends E> otherThings; // Noncompliant {{Make "otherThings" transient or serializable.}}
-  List<? extends F> otherSerializableThings; // Compliant
-  List<?> otherUnknown; // Noncompliant {{Make "otherUnknown" transient or serializable.}}
-  List<? super F> super1;
-  List<? super E> super2; // Noncompliant
+  private List<Person6> persons; // Compliant
+  private List things; // Noncompliant {{Make "things" transient or serializable.}}
+  private List<MyObject> objects; // Noncompliant {{Make "objects" transient or serializable.}}
+  private List<? extends MyObject> otherObjects; // Noncompliant {{Make "otherObjects" transient or serializable.}}
+  private List<? extends Person6> otherPersons; // Compliant
+  private List<? extends E> otherThings; // Noncompliant {{Make "otherThings" transient or serializable.}}
+  private List<? extends F> otherSerializableThings; // Compliant
+  private List<?> otherUnknown; // Noncompliant {{Make "otherUnknown" transient or serializable.}}
+  private List<? super F> super1;
+  private List<? super E> super2; // Noncompliant
+
+  public List<Person6> persons1; // Noncompliant {{Make "persons1" private or transient.}}
+  transient public List<Person6> persons2; // Compliant - transient
+  private List<Person6> persons3 = new ArrayList<>(); // Compliant - ArrayList is serializable
+  private List<Person6> persons4 = new MyNonSerializableList<>(); // Noncompliant
 }
 
 class Person7 implements Serializable {
-  Map<Object, Object> both; // Noncompliant {{Make "both" transient or serializable.}}
-  Map<String, Object> right; // Noncompliant {{Make "right" transient or serializable.}}
-  Map<Object, String> left; // Noncompliant {{Make "left" transient or serializable.}}
-  Map<String, String> ok; // Compliant
+  private Map<Object, Object> both; // Noncompliant {{Make "both" transient or serializable.}}
+  private Map<String, Object> right; // Noncompliant {{Make "right" transient or serializable.}}
+  private Map<Object, String> left; // Noncompliant {{Make "left" transient or serializable.}}
+  private Map<String, String> ok; // Compliant
+
+  private Map<String, String> nok1 = new MyNonSerializableMap<>(); // Noncompliant
+  private MyNonSerializableMap<String, String> nok2; // Noncompliant
+
+  void foo() {
+    ok = new MyNonSerializableMap<>(); // Noncompliant
+    nok2 = new MyNonSerializableMap<>(); // Noncompliant
+    ok = nok2; // Noncompliant
+    ok = null; // Compliant
+    ok = bar(); // Compliant
+    ok = MyAbstractNonSerializableMap.foo(); // Noncompliant
+    ok = new HashMap<>(); // Compliant
+    ok = unknown(); // Compliant
+    if (ok.isEmpty()) {
+      Object myVar = ok;
+    }
+  }
+
+  Map bar() {
+    return null;
+  }
 }
 
 class Person8 implements Serializable {
@@ -66,3 +94,17 @@ class Person8 implements Serializable {
 class MyObject {
 
 }
+
+class MyNonSerializableList<E> implements List<E> {
+  MyNonSerializableList() {}
+}
+
+class MyNonSerializableMap<K, V> implements Map<K, V> {
+  MyNonSerializableMap() {}
+}
+
+abstract class MyAbstractNonSerializableMap<K,V> extends MyNonSerializableMap<K,V> {
+  static MyAbstractNonSerializableMap foo() {
+    return null;
+  }
+}