SONARJAVA-4473 Check that mutable member storage is reachable by public calls for S2384 (#5130)

romainbrenguier · web-flow · commit d5bbf5883264 · 2025-05-07T16:34:13.000+02:00
This is to be more precise and avoid false positives where the storage only happens in private methods, and calls to this private methods by public ones are protected in some way. We also want to reduce false negatives compared to the naive solution to entirely ignore private methods.
diff --git a/its/ruling/src/test/resources/eclipse-jetty-similar-to-main/java-S2384.json b/its/ruling/src/test/resources/eclipse-jetty-similar-to-main/java-S2384.json
@@ -27,8 +27,12 @@
 45
 ],
 "org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/WriteFlusher.java": [
+217,
 223
 ],
+"org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java": [
+148
+],
 "org.eclipse.jetty:jetty-project:jetty-jmx/src/main/java/org/eclipse/jetty/jmx/MetaData.java": [
 73
 ],
@@ -84,7 +88,8 @@
 196
 ],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java": [
-354
+354,
+441
 ],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java": [
 343,
diff --git a/its/ruling/src/test/resources/eclipse-jetty/java-S2384.json b/its/ruling/src/test/resources/eclipse-jetty/java-S2384.json
@@ -27,8 +27,12 @@
 45
 ],
 "org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/WriteFlusher.java": [
+217,
 223
 ],
+"org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java": [
+148
+],
 "org.eclipse.jetty:jetty-project:jetty-jmx/src/main/java/org/eclipse/jetty/jmx/MetaData.java": [
 73
 ],
@@ -84,7 +88,8 @@
 196
 ],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java": [
-354
+354,
+441
 ],
 "org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java": [
 343,
diff --git a/its/ruling/src/test/resources/guava/java-S2384.json b/its/ruling/src/test/resources/guava/java-S2384.json
@@ -7,6 +7,7 @@
 4498
 ],
 "com.google.guava:guava:src/com/google/common/collect/AbstractBiMap.java": [
+63,
 69,
 96
 ],
@@ -31,6 +32,12 @@
 "com.google.guava:guava:src/com/google/common/collect/HashBiMap.java": [
 684
 ],
+"com.google.guava:guava:src/com/google/common/collect/ImmutableEnumMap.java": [
+52
+],
+"com.google.guava:guava:src/com/google/common/collect/ImmutableEnumSet.java": [
+57
+],
 "com.google.guava:guava:src/com/google/common/collect/ImmutableMapEntrySet.java": [
 42
 ],
@@ -78,9 +85,11 @@
 1146
 ],
 "com.google.guava:guava:src/com/google/common/collect/TreeRangeSet.java": [
-268
+268,
+433
 ],
 "com.google.guava:guava:src/com/google/common/collect/WellBehavedMap.java": [
+43,
 57
 ],
 "com.google.guava:guava:src/com/google/common/escape/ArrayBasedEscaperMap.java": [
diff --git a/its/ruling/src/test/resources/sonar-server/java-S2384.json b/its/ruling/src/test/resources/sonar-server/java-S2384.json
@@ -162,6 +162,7 @@
 126
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/exceptions/BadRequestException.java": [
+38,
 52
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/favorite/ws/FavoritesWs.java": [
@@ -212,6 +213,7 @@
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/issue/Result.java": [
 70,
+95,
 119
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java": [
@@ -276,6 +278,9 @@
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/metric/ws/MetricsWs.java": [
 31
 ],
+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/metric/ws/SearchAction.java": [
+98
+],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/notification/DefaultNotificationManager.java": [
 59
 ],
@@ -293,6 +298,7 @@
 28
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/permission/ApplyPermissionTemplateQuery.java": [
+34,
 47
 ],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/permission/index/PermissionIndexer.java": [
@@ -347,9 +353,15 @@
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/Visibility.java": [
 68
 ],
+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/GhostsAction.java": [
+149
+],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/ProjectsWs.java": [
 32
 ],
+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/ProvisionedAction.java": [
+150
+],
 "org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/SearchMyProjectsData.java": [
 106,
 111,
diff --git a/java-checks-test-sources/default/src/main/java/checks/MutableMembersUsageCheckSample.java b/java-checks-test-sources/default/src/main/java/checks/MutableMembersUsageCheckSample.java
@@ -564,16 +564,58 @@ public List<String> modifiable() {
 
 class SetThroughPrivateMethods {
   private byte[] buf;
-  private SetThroughPrivateMethods(final byte[] buf) {
-    this.buf = buf;  // Compliant: the constructor is private
+  private Map<String, String> map;
+  private List<Integer> list;
+
+  private SetThroughPrivateMethods(final byte[] buf, final Map<String, String> map) {
+    this.map = map; // Noncompliant
+    this.buf = buf; // Compliant: callers have to go through `of` which makes a clone of the parameter
+    this.list = new ArrayList<>(); // Compliant: not set from a parameter of this method
   }
 
   public static SetThroughPrivateMethods of(final byte[] buf) {
-    return new SetThroughPrivateMethods(buf.clone());
+    return new SetThroughPrivateMethods(buf.clone(), Collections.emptyMap());
+  }
+
+  public static SetThroughPrivateMethods of(final byte[] buf, final int off, final int len) {
+    return of(buf);
   }
 
-  public void set(final byte[] buf) {
+  private void set(final byte[] buf) {
+    // It is possible to call `set` from outside the class using `setBuf`
     this.buf = buf;  // Noncompliant
   }
 
+  private void setBuffer(final byte[] buf) {
+    set(buf);
+  }
+
+  public void setBuf(byte[] buf) {
+    setBuffer(buf);
+  }
+
+  private void internalSet(byte[] buf) {
+    this.buf = buf; // Compliant: this is only callable by private methods
+  }
+
+  private void internalSetBuffer(byte[] buf) {
+    internalSet(buf);
+  }
+
+  static SetThroughPrivateMethods ofMap(final Map<String, String> map) {
+    return new SetThroughPrivateMethods(null, map);
+  }
+
+  public void cycle(List<Integer> l){
+    cycleA(l, 5);
+  }
+  private void cycleA(List<Integer> l, int i){
+    cycleB(l, i);
+  }
+  private void cycleB(List<Integer> l, int i){
+    if (i > 0) {
+      cycleA(l, i - 1);
+    }
+    list = l; // Noncompliant
+  }
 }
diff --git a/java-checks/src/main/java/org/sonar/java/checks/MutableMembersUsageCheck.java b/java-checks/src/main/java/org/sonar/java/checks/MutableMembersUsageCheck.java
diff --git a/java-checks/src/test/java/org/sonar/java/checks/MutableMembersUsageCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/MutableMembersUsageCheckTest.java

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,12 @@`
`27`	`27`	`45`
`28`	`28`	`],`
`29`	`29`	`"org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/WriteFlusher.java": [`
	`30`	`+217,`
`30`	`31`	`223`
`31`	`32`	`],`
	`33`	`+"org.eclipse.jetty:jetty-project:jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslClientConnectionFactory.java": [`
	`34`	`+148`
	`35`	`+],`
`32`	`36`	`"org.eclipse.jetty:jetty-project:jetty-jmx/src/main/java/org/eclipse/jetty/jmx/MetaData.java": [`
`33`	`37`	`73`
`34`	`38`	`],`
`@@ -84,7 +88,8 @@`
`84`	`88`	`196`
`85`	`89`	`],`
`86`	`90`	`"org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java": [`
`87`		`-354`
	`91`	`+354,`
	`92`	`+441`
`88`	`93`	`],`
`89`	`94`	`"org.eclipse.jetty:jetty-project:jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java": [`
`90`	`95`	`343,`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`4498`
`8`	`8`	`],`
`9`	`9`	`"com.google.guava:guava:src/com/google/common/collect/AbstractBiMap.java": [`
	`10`	`+63,`
`10`	`11`	`69,`
`11`	`12`	`96`
`12`	`13`	`],`
`@@ -31,6 +32,12 @@`
`31`	`32`	`"com.google.guava:guava:src/com/google/common/collect/HashBiMap.java": [`
`32`	`33`	`684`
`33`	`34`	`],`
	`35`	`+"com.google.guava:guava:src/com/google/common/collect/ImmutableEnumMap.java": [`
	`36`	`+52`
	`37`	`+],`
	`38`	`+"com.google.guava:guava:src/com/google/common/collect/ImmutableEnumSet.java": [`
	`39`	`+57`
	`40`	`+],`
`34`	`41`	`"com.google.guava:guava:src/com/google/common/collect/ImmutableMapEntrySet.java": [`
`35`	`42`	`42`
`36`	`43`	`],`
`@@ -78,9 +85,11 @@`
`78`	`85`	`1146`
`79`	`86`	`],`
`80`	`87`	`"com.google.guava:guava:src/com/google/common/collect/TreeRangeSet.java": [`
`81`		`-268`
	`88`	`+268,`
	`89`	`+433`
`82`	`90`	`],`
`83`	`91`	`"com.google.guava:guava:src/com/google/common/collect/WellBehavedMap.java": [`
	`92`	`+43,`
`84`	`93`	`57`
`85`	`94`	`],`
`86`	`95`	`"com.google.guava:guava:src/com/google/common/escape/ArrayBasedEscaperMap.java": [`
Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,7 @@`
`162`	`162`	`126`
`163`	`163`	`],`
`164`	`164`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/exceptions/BadRequestException.java": [`
	`165`	`+38,`
`165`	`166`	`52`
`166`	`167`	`],`
`167`	`168`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/favorite/ws/FavoritesWs.java": [`
`@@ -212,6 +213,7 @@`
`212`	`213`	`],`
`213`	`214`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/issue/Result.java": [`
`214`	`215`	`70,`
	`216`	`+95,`
`215`	`217`	`119`
`216`	`218`	`],`
`217`	`219`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/issue/index/IssueIteratorForSingleChunk.java": [`
`@@ -276,6 +278,9 @@`
`276`	`278`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/metric/ws/MetricsWs.java": [`
`277`	`279`	`31`
`278`	`280`	`],`
	`281`	`+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/metric/ws/SearchAction.java": [`
	`282`	`+98`
	`283`	`+],`
`279`	`284`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/notification/DefaultNotificationManager.java": [`
`280`	`285`	`59`
`281`	`286`	`],`
`@@ -293,6 +298,7 @@`
`293`	`298`	`28`
`294`	`299`	`],`
`295`	`300`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/permission/ApplyPermissionTemplateQuery.java": [`
	`301`	`+34,`
`296`	`302`	`47`
`297`	`303`	`],`
`298`	`304`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/permission/index/PermissionIndexer.java": [`
`@@ -347,9 +353,15 @@`
`347`	`353`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/Visibility.java": [`
`348`	`354`	`68`
`349`	`355`	`],`
	`356`	`+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/GhostsAction.java": [`
	`357`	`+149`
	`358`	`+],`
`350`	`359`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/ProjectsWs.java": [`
`351`	`360`	`32`
`352`	`361`	`],`
	`362`	`+"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/ProvisionedAction.java": [`
	`363`	`+150`
	`364`	`+],`
`353`	`365`	`"org.sonarsource.sonarqube:sonar-server:src/main/java/org/sonar/server/project/ws/SearchMyProjectsData.java": [`
`354`	`366`	`106,`
`355`	`367`	`111,`