SONARJAVA-4383 jakarta support for S5122, S2254, S6437, S1168 (#4476)

Author: leonardo-pilastri-sonarsource

its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -188,7 +188,7 @@ public void javaCheckTestSources() throws Exception {
      * No differences would mean that we find the same issues with and without the bytecode and libraries
      */
     String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));
-    assertThat(differences).isEqualTo("Issues differences: 3294");
+    assertThat(differences).isEqualTo("Issues differences: 3299");
   }
 
   private static Path pathFor(String path) {

its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -1160,7 +1160,7 @@
   {
     "ruleKey": "S2254",
     "hasTruePositives": true,
-    "falseNegatives": 0,
+    "falseNegatives": 1,
     "falsePositives": 0
   },
   {
@@ -2108,7 +2108,7 @@
   {
     "ruleKey": "S5122",
     "hasTruePositives": true,
-    "falseNegatives": 15,
+    "falseNegatives": 18,
     "falsePositives": 0
   },
   {
@@ -2846,7 +2846,7 @@
   {
     "ruleKey": "S6437",
     "hasTruePositives": true,
-    "falseNegatives": 56,
+    "falseNegatives": 57,
     "falsePositives": 0
   },
   {

java-checks-test-sources/pom.xml

@@ -416,6 +416,12 @@
       <version>3.1.0</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+      <version>6.0.0</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>

java-checks-test-sources/src/main/java/checks/CORSCheck.java

@@ -46,6 +46,13 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
 
     resp.getWriter().write("response");
   }
+
+  protected void doGetJakarta(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse resp) {
+    resp.setHeader("Access-Control-Allow-Origin", "*"); // Noncompliant [[sc=10;ec=19]]
+    resp.setHeader("Access-control-allow-Origin", "*"); // Noncompliant [[sc=10;ec=19]]
+    resp.addHeader("Access-Control-Allow-Origin", "*"); // Noncompliant [[sc=10;ec=19]]
+  }
+
   // === Spring MVC Controller annotation ===
   @CrossOrigin(origins = "*") // Noncompliant [[sc=4;ec=15]] {{Make sure that enabling CORS is safe here.}}
   @RequestMapping("")
@@ -160,19 +167,19 @@ class Local {
       public CorsFilter corsFilter4() {
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         CorsConfiguration config = new CorsConfiguration();
-        config.addAllowedOrigin("*"); // Noncompliant [[secondary=164,165]]
+        config.addAllowedOrigin("*"); // Noncompliant [[secondary=+1,+2]]
         config.applyPermitDefaultValues();
         config.applyPermitDefaultValues();
-        config.addAllowedOrigin("*"); // Noncompliant [[secondary=164,165]]
+        config.addAllowedOrigin("*"); // Noncompliant [[secondary=-2,-1]]
         return new CorsFilter(source);
       }
     }
     UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     CorsConfiguration config = new CorsConfiguration();
-    config.addAllowedOrigin("*"); // Noncompliant [[secondary=173,174]]
+    config.addAllowedOrigin("*"); // Noncompliant [[secondary=+1,+2]]
     config.applyPermitDefaultValues();
     config.applyPermitDefaultValues();
-    config.addAllowedOrigin("*"); // Noncompliant [[secondary=173,174]]
+    config.addAllowedOrigin("*"); // Noncompliant [[secondary=-2,-1]]
     return new CorsFilter(source);
   }
 

java-checks-test-sources/src/main/java/checks/GetRequestedSessionIdCheck.java

@@ -10,4 +10,7 @@ public class GetRequestedSessionIdCheck extends HttpServlet {
   protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
     String sessionId = request.getRequestedSessionId(); // Noncompliant [[sc=32;ec=53]] {{Remove use of this unsecured "getRequestedSessionId()" method}}
   }
+  protected void doPostJakarta(jakarta.servlet.http.HttpServletRequest request) {
+    String sessionId = request.getRequestedSessionId(); // Noncompliant
+  }
 }

java-checks-test-sources/src/main/java/checks/ReturnEmptyArrayNotNullCheck.java

@@ -123,6 +123,9 @@ public int[] bark() {
     return null; 
   }
 
+  @jakarta.annotation.Nullable
+  public int[] jakartaArr() { return null; }
+
   int[] qix(){
     takeLambda(a -> {
       return null;

java-checks-test-sources/src/main/java/checks/security/HardCodedCredentialsShouldNotBeUsedCheck.java

@@ -38,7 +38,7 @@ public class HardCodedCredentialsShouldNotBeUsedCheck {
   private static char[] secretCharArrayField = new char[]{0xC, 0xA, 0xF, 0xE};
   private static CharSequence secretCharSequenceField = "Hello, World!".subSequence(0, 12);
 
-  public static void nonCompliant(byte[] message, boolean condition, Charset encoding, SignatureAlgorithm paremSignatureAlgorithm) throws ServletException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
+  public static void nonCompliant(byte[] message, boolean condition, Charset encoding, SignatureAlgorithm paremSignatureAlgorithm) throws ServletException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, UnsupportedEncodingException, jakarta.servlet.ServletException {
     String effectivelyConstantString = "s3cr37";
     byte[] key = effectivelyConstantString.getBytes();
 
@@ -69,6 +69,8 @@ public static void nonCompliant(byte[] message, boolean condition, Charset encod
     String concatenatedPassword = "abc" + true + ":" + 12 + ":" + 43L + ":" + 'a' + ":" + 0.2f + ":" + 0.2d;
     request.login("user", concatenatedPassword); // Noncompliant [[sc=27;ec=47;secondary=-1]]
 
+    jakarta.servlet.http.HttpServletRequest requestJakarta = new jakarta.servlet.http.HttpServletRequestWrapper(null);
+    requestJakarta.login("user", "password"); // Noncompliant
     KeyStore store = KeyStore.getInstance(null);
 
     store.getKey("", new char[]{0xC, 0xA, 0xF, 0xE}); // Noncompliant

java-checks/src/main/java/org/sonar/java/checks/CORSCheck.java

@@ -45,7 +45,7 @@
 public class CORSCheck extends IssuableSubscriptionVisitor {
 
   private static final MethodMatchers SET_ADD_HEADER_MATCHER = MethodMatchers.create()
-    .ofTypes("javax.servlet.http.HttpServletResponse")
+    .ofTypes("javax.servlet.http.HttpServletResponse", "jakarta.servlet.http.HttpServletResponse")
     .names("setHeader", "addHeader")
     .withAnyParameters()
     .build();

java-checks/src/main/java/org/sonar/java/checks/GetRequestedSessionIdCheck.java

@@ -31,7 +31,7 @@ public class GetRequestedSessionIdCheck extends AbstractMethodDetection {
   @Override
   protected MethodMatchers getMethodInvocationMatchers() {
     return MethodMatchers.create()
-      .ofTypes("javax.servlet.http.HttpServletRequest")
+      .ofTypes("javax.servlet.http.HttpServletRequest", "jakarta.servlet.http.HttpServletRequest")
       .names("getRequestedSessionId")
       .addWithoutParametersMatcher()
       .build();

java-checks/src/main/resources/org/sonar/java/checks/security/S6437-methods.json

@@ -119,7 +119,6 @@
   {"cls":"io.vertx.ext.auth.oauth2.providers.StripeAuth","name":"create","args":["io.vertx.core.Vertx","java.lang.String","java.lang.String"],"indices":[2]},
   {"cls":"io.vertx.ext.auth.oauth2.providers.TwitterAuth","name":"create","args":["io.vertx.core.Vertx","java.lang.String","java.lang.String","io.vertx.core.http.HttpClientOptions"],"indices":[2]},
   {"cls":"io.vertx.ext.auth.oauth2.providers.TwitterAuth","name":"create","args":["io.vertx.core.Vertx","java.lang.String","java.lang.String"],"indices":[2]},
-  {"cls":"jakarta.security.auth.message.callback.PasswordValidationCallback","name":"PasswordValidationCallback","args":["javax.security.auth.Subject","java.lang.String","char[]"],"indices":[2]},
   {"cls":"java.net.PasswordAuthentication","name":"PasswordAuthentication","args":["java.lang.String","char[]"],"indices":[1]},
   {"cls":"java.security.KeyStore","name":"getKey","args":["java.lang.String","char[]"],"indices":[1]},
   {"cls":"java.security.KeyStore","name":"load","args":["java.io.InputStream","char[]"],"indices":[1]},
@@ -156,7 +155,9 @@
   {"cls":"javax.security.auth.message.callback.PasswordValidationCallback","name":"PasswordValidationCallback","args":["javax.security.auth.Subject","java.lang.String","char[]"],"indices":[2]},
   {"cls":"javax.security.auth.message.callback.PasswordValidationCallback","name":"PasswordValidationCallback","args":["javax.security.auth.Subject","java.lang.String","char[]"],"indices":[2]},
   {"cls":"javax.servlet.http.HttpServletRequest","name":"login","args":["java.lang.String","java.lang.String"],"indices":[1]},
+  {"cls":"jakarta.servlet.http.HttpServletRequest","name":"login","args":["java.lang.String","java.lang.String"],"indices":[1]},
   {"cls":"javax.servlet.http.HttpServletRequestWrapper","name":"login","args":["java.lang.String","java.lang.String"],"indices":[1]},
+  {"cls":"jakarta.servlet.http.HttpServletRequestWrapper","name":"login","args":["java.lang.String","java.lang.String"],"indices":[1]},
   {"cls":"javax.sql.ConnectionPoolDataSource","name":"getPooledConnection","args":["java.lang.String","java.lang.String"],"indices":[1]},
   {"cls":"javax.sql.DataSource","name":"getConnection","args":["java.lang.String","java.lang.String"],"indices":[1]},
   {"cls":"javax.sql.RowSet","name":"setPassword","args":["java.lang.String"],"indices":[0]},