SONARJAVA-4679 S6833: @controller should be replaced with @RestContro… (#4521)

Author: irina-batinic-sonarsource

its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -180,15 +180,15 @@ public void javaCheckTestSources() throws Exception {
     softly.assertThat(newTotal).isEqualTo(knownTotal);
     softly.assertThat(rulesCausingFPs).hasSize(6);
     softly.assertThat(rulesNotReporting).hasSize(7);
-    softly.assertThat(rulesSilenced).hasSize(79);
+    softly.assertThat(rulesSilenced).hasSize(80);
 
     /**
      * 4. Check total number of differences (FPs + FNs)
      *
      * No differences would mean that we find the same issues with and without the bytecode and libraries
      */
     String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));
-    softly.assertThat(differences).isEqualTo("Issues differences: 3508");
+    softly.assertThat(differences).isEqualTo("Issues differences: 3513");
 
     softly.assertAll();
   }

its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -2939,6 +2939,12 @@
     "falseNegatives": 6,
     "falsePositives": 0
   },
+  {
+    "ruleKey": "S6833",
+    "hasTruePositives": false,
+    "falseNegatives": 5,
+    "falsePositives": 0
+  },
   {
     "ruleKey": "S6837",
     "hasTruePositives": false,

java-checks-test-sources/src/main/java/checks/spring/ControllerWithRestControllerReplacementCheck.java

@@ -0,0 +1,83 @@
+package checks.spring;
+
+import javax.annotation.Nullable;
+import org.springframework.stereotype.Controller;
+import org.springframework.stereotype.Service;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+public class ControllerWithRestControllerReplacementCheck {
+
+  @Controller // Noncompliant [[sc=3;ec=14;secondary=16;quickfixes=qf1,qf2]] {{Replace the "@Controller" annotation by "@RestController" and remove all
+              // "@ResponseBody" annotations.}}
+  // fix@qf2 {{Replace "@Controller" by "@RestController".}}
+  // edit@qf2 [[sl=10;el=10;sc=3;ec=14]] {{@RestController}}
+  class ClassOne {
+
+    @ResponseBody
+    // fix@qf1 {{Remove "@ResponseBody" annotations.}}
+    // edit@qf1 [[sl=16;el=16;sc=5;ec=18]] {{}}
+    public void m() {
+    }
+  }
+
+  @Controller // Noncompliant
+  @ResponseBody
+  class ClassTwo {
+
+    public void m() {
+    }
+  }
+
+  @Controller // Noncompliant
+  class ClassThree {
+
+    @ResponseBody
+    public void m() {
+    }
+
+    public void m2() {
+    }
+  }
+
+  @Controller // Compliant
+  class ClassFour {
+
+    public void m() {
+    }
+  }
+
+  @Controller // Compliant
+  class ClassFive {
+
+    @Nullable
+    public void m() {
+    }
+  }
+
+  @Service // Compliant
+  class ClassSix {
+
+    @ResponseBody
+    public void m() {
+    }
+  }
+
+  @Controller // Noncompliant [[sc=3;ec=14;secondary=71,77;quickfixes=qf3,qf4]] {{Replace the "@Controller" annotation by "@RestController" and remove all
+              // "@ResponseBody" annotations.}}
+  // fix@qf4 {{Replace "@Controller" by "@RestController".}}
+  // edit@qf4 [[sl=65;el=65;sc=3;ec=14]] {{@RestController}}
+  class ClassSeven {
+
+    @ResponseBody
+    // fix@qf3 {{Remove "@ResponseBody" annotations.}}
+    // edit@qf3 [[sl=71;el=71;sc=5;ec=18]] {{}}
+    public void m() {
+    }
+
+    @ResponseBody
+    // fix@qf3 {{Remove "@ResponseBody" annotations.}}
+    // edit@qf3 [[sl=77;el=77;sc=5;ec=18]] {{}}
+    public void m2() {
+    }
+  }
+}

java-checks/src/main/java/org/sonar/java/checks/CheckList.java

@@ -141,6 +141,7 @@
 import org.sonar.java.checks.spring.AutowiredOnConstructorWhenMultipleConstructorsCheck;
 import org.sonar.java.checks.spring.AutowiredOnMultipleConstructorsCheck;
 import org.sonar.java.checks.spring.AvoidQualifierOnBeanMethodsCheck;
+import org.sonar.java.checks.spring.ControllerWithRestControllerReplacementCheck;
 import org.sonar.java.checks.spring.ControllerWithSessionAttributesCheck;
 import org.sonar.java.checks.spring.FieldDependencyInjectionCheck;
 import org.sonar.java.checks.spring.ModelAttributeNamingConventionForSpELCheck;
@@ -364,6 +365,7 @@ public final class CheckList {
     ConstructorCallingOverridableCheck.class,
     ConstructorInjectionCheck.class,
     ControlCharacterInLiteralCheck.class,
+    ControllerWithRestControllerReplacementCheck.class,
     ControllerWithSessionAttributesCheck.class,
     CookieHttpOnlyCheck.class,
     HardCodedCredentialsShouldNotBeUsedCheck.class,

java-checks/src/main/java/org/sonar/java/checks/spring/ControllerWithRestControllerReplacementCheck.java

@@ -0,0 +1,87 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.java.checks.spring;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.sonar.check.Rule;
+import org.sonar.java.checks.helpers.QuickFixHelper;
+import org.sonar.java.reporting.JavaQuickFix;
+import org.sonar.java.reporting.JavaTextEdit;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.JavaFileScannerContext;
+import org.sonar.plugins.java.api.tree.ClassTree;
+import org.sonar.plugins.java.api.tree.MethodTree;
+import org.sonar.plugins.java.api.tree.Tree;
+
+@Rule(key = "S6833")
+public class ControllerWithRestControllerReplacementCheck extends IssuableSubscriptionVisitor {
+
+  @Override
+  public List<Tree.Kind> nodesToVisit() {
+    return List.of(Tree.Kind.CLASS);
+  }
+
+  @Override
+  public void visitNode(Tree tree) {
+    var classTree = (ClassTree) tree;
+
+    var annotation = classTree.modifiers().annotations().stream()
+      .filter(a -> "org.springframework.stereotype.Controller".equals(a.annotationType().symbolType().fullyQualifiedName()))
+      .findFirst();
+
+    if (annotation.isEmpty()) {
+      return;
+    }
+
+    var secondaryLocations = new ArrayList<JavaFileScannerContext.Location>();
+    List<JavaTextEdit> edits = new ArrayList<>();
+
+    classTree.members().stream()
+      .filter(member -> member.is(Tree.Kind.METHOD))
+      .map(MethodTree.class::cast)
+      .forEach(method -> {
+        var methodAnnotation = method.modifiers().annotations().stream()
+          .filter(a -> "org.springframework.web.bind.annotation.ResponseBody".equals(a.annotationType().symbolType().fullyQualifiedName()))
+          .findFirst();
+        methodAnnotation.ifPresent(annotationTree -> secondaryLocations.add(new JavaFileScannerContext.Location("Remove this \"@ResponseBody\" annotation.", annotationTree)));
+        methodAnnotation.ifPresent(annotationTree -> edits.add(JavaTextEdit.removeTree(annotationTree)));
+      });
+
+    classTree.modifiers().annotations().stream()
+      .filter(a -> "org.springframework.web.bind.annotation.ResponseBody".equals(a.annotationType().symbolType().fullyQualifiedName()))
+      .forEach(annotationTree -> secondaryLocations.add(new JavaFileScannerContext.Location("Remove this \"@ResponseBody\" annotation.", annotationTree)));
+
+    if (secondaryLocations.isEmpty()) {
+      return;
+    }
+
+    QuickFixHelper.newIssue(context)
+      .forRule(this)
+      .onTree(annotation.get())
+      .withMessage("Replace the \"@Controller\" annotation by \"@RestController\" and remove all \"@ResponseBody\" annotations.")
+      .withSecondaries(secondaryLocations)
+      .withQuickFixes(() -> List.of(JavaQuickFix.newQuickFix("Remove \"@ResponseBody\" annotations.").addTextEdits(edits).build(),
+        JavaQuickFix.newQuickFix("Replace \"@Controller\" by \"@RestController\".").addTextEdit(JavaTextEdit.replaceTree(annotation.get(), "@RestController")).build()))
+      .report();
+
+  }
+
+}

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S6833.html

@@ -0,0 +1,77 @@
+<h2>Why is this an issue?</h2>
+<p>Classes annotated as <code>@Controller</code> in Spring are responsible for handling incoming web requests. When annotating methods or the entire
+controller with <code>@ResponseBody</code>, the return value of said methods will be serialized and set as the response body. In other words, it tells
+the Spring framework that this method does not produce a view. This mechanism is commonly used to create API endpoints.</p>
+<p>Spring provides <code>@RestController</code> as a convenient annotation to replace the combination of <code>@Controller</code> and
+<code>@ResponseBody</code>. The two are functionally identical, so the single annotation approach is preferred.</p>
+<p>This rule will raise an issue on a class that is annotated with <code>@Controller</code> if:</p>
+<ul>
+  <li> the class is also annotated with <code>@ResponseBody</code> or </li>
+  <li> all methods in said class are annotated with <code>@ResponseBody</code>. </li>
+</ul>
+<h2>How to fix it</h2>
+<p>Replace the <code>@Controller</code> annotation with the <code>@RestController</code> annotation and remove all <code>@ResponseBody</code>
+annotations from the class and its methods.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+@Controller
+@ResponseBody
+public class MyController {
+    @GetMapping("/hello")
+    public String hello() {
+        return "Hello World!";
+    }
+}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+@RestController
+public class MyController {
+    @GetMapping("/hello")
+    public String hello() {
+        return "Hello World!";
+    }
+}
+</pre>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+@Controller
+public class MyController {
+    @ResponseBody
+    @GetMapping("/hello")
+    public String hello() {
+        return "Hello World!";
+    }
+
+    @ResponseBody
+    @GetMapping("/foo")
+    public String foo() {
+        return "Foo";
+    }
+}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+@RestController
+public class MyController {
+    @GetMapping("/hello")
+    public String hello() {
+        return "Hello World!";
+    }
+
+    @GetMapping("/foo")
+    public String foo() {
+        return "Foo";
+    }
+}
+</pre>
+<h2>Resources</h2>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> Spring Guides - <a href="https://spring.io/guides/gs/rest-service/">Building a RESTful Web Service</a> </li>
+  <li> Baeldung - <a href="https://www.baeldung.com/spring-controller-vs-restcontroller">The Spring @Controller and @RestController Annotations</a>
+  </li>
+  <li> Baeldung - <a href="https://www.baeldung.com/spring-request-response-body">Spring’s RequestBody and ResponseBody Annotations</a> </li>
+</ul>
+

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S6833.json

@@ -0,0 +1,23 @@
+{
+  "title": "\"@Controller\" should be replaced with \"@RestController\"",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "spring"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6833",
+  "sqKey": "S6833",
+  "scope": "All",
+  "quickfix": "covered",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+}

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/Sonar_way_profile.json

@@ -491,6 +491,7 @@
     "S6829",
     "S6830",
     "S6831",
+    "S6833",
     "S6837"
   ]
 }

java-checks/src/test/java/org/sonar/java/checks/spring/ControllerWithRestControllerReplacementCheckTest.java

@@ -0,0 +1,37 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.java.checks.spring;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.internal.InternalCheckVerifier;
+
+import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath;
+
+class ControllerWithRestControllerReplacementCheckTest {
+
+  @Test
+  void test() {
+    InternalCheckVerifier.newInstance()
+      .onFile(mainCodeSourcesPath("checks/spring/ControllerWithRestControllerReplacementCheck.java"))
+      .withCheck(new ControllerWithRestControllerReplacementCheck())
+      .withQuickFixes()
+      .verifyIssues();
+  }
+}