Bump sonar-analyzer-commons for security reason related to woodstox-c…

…ore (#4206) * Bump sonar-analyzer-commons 2.1.0 for security reasons related to woodstox-core * S5994: Turn FN to TP
SonarSource · Nov 1, 2022 · b505d3f · b505d3f
1 parent 35bf2ff
commit b505d3f
Show file tree

Hide file tree

Showing 33 changed files with 47 additions and 35 deletions.
diff --git a/its/plugin/tests/pom.xml b/its/plugin/tests/pom.xml
@@ -80,6 +80,11 @@
       <artifactId>jsr305</artifactId>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

diff --git a/its/plugin/tests/src/test/java/com/sonar/it/java/suite/JavaClasspathTest.java b/its/plugin/tests/src/test/java/com/sonar/it/java/suite/JavaClasspathTest.java
@@ -28,7 +28,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.List;
-import org.apache.commons.lang.SystemUtils;
+import org.apache.commons.lang3.SystemUtils;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;

diff --git a/its/ruling/pom.xml b/its/ruling/pom.xml
@@ -78,6 +78,11 @@
       <artifactId>jsr305</artifactId>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <profiles>

diff --git a/its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java b/its/ruling/src/test/java/org/sonar/java/it/AutoScanTest.java
@@ -187,7 +187,7 @@ public void javaCheckTestSources() throws Exception {
      * No differences would mean that we find the same issues with and without the bytecode and libraries
      */
     String differences = Files.readString(pathFor(TARGET_ACTUAL + PROJECT_KEY + "-no-binaries_differences"));
-    assertThat(differences).isEqualTo("Issues differences: 3190");
+    assertThat(differences).isEqualTo("Issues differences: 3200");
   }
 
   private static Path pathFor(String path) {

diff --git a/its/ruling/src/test/java/org/sonar/java/it/JavaRulingTest.java b/its/ruling/src/test/java/org/sonar/java/it/JavaRulingTest.java
@@ -45,7 +45,7 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.assertj.core.api.Fail;
 import org.junit.AfterClass;

diff --git a/its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json b/its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json
@@ -1191,7 +1191,7 @@
     "ruleKey": "S2259",
     "hasTruePositives": true,
     "falseNegatives": 0,
-    "falsePositives": 134
+    "falsePositives": 140
   },
   {
     "ruleKey": "S2272",
@@ -1316,7 +1316,7 @@
   {
     "ruleKey": "S2583",
     "hasTruePositives": true,
-    "falseNegatives": 14,
+    "falseNegatives": 18,
     "falsePositives": 1
   },
   {
@@ -2867,4 +2867,4 @@
     "falseNegatives": 32,
     "falsePositives": 0
   }
-]
+]
diff --git a/...checks-test-sources/src/main/java/checks/regex/PossessiveQuantifierContinuationCheck.java b/...checks-test-sources/src/main/java/checks/regex/PossessiveQuantifierContinuationCheck.java
@@ -18,7 +18,7 @@ public void f(Pattern pattern) {
     f(compile("aa++bc"));
     f(compile("\\d*+(?<=[02468])"));
     f(compile("(xx++)+x")); // Noncompliant [[sc=23;ec=24]]
-    f(compile("(bx++)+x")); // false-negative, limitation of the algorithm when there's infinite loop
+    f(compile("(bx++)+x")); // Noncompliant [[sc=23;ec=24]]
     f(compile("(?:xx++)+x")); // Noncompliant [[sc=25;ec=26]]
     f(compile("(xx++)x")); // Noncompliant [[sc=22;ec=23]]
     f(compile(".*+\\w")); // Noncompliant [[sc=19;ec=22]]

diff --git a/java-checks/pom.xml b/java-checks/pom.xml
@@ -48,6 +48,10 @@
       <groupId>org.sonarsource.analyzer-commons</groupId>
       <artifactId>sonar-analyzer-recognizers</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
 
     <dependency>
       <groupId>org.junit.jupiter</groupId>

diff --git a/java-checks/src/main/java/org/sonar/java/checks/AbstractHardCodedCredentialChecker.java b/java-checks/src/main/java/org/sonar/java/checks/AbstractHardCodedCredentialChecker.java
@@ -27,7 +27,7 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.java.checks.helpers.ExpressionsHelper;
 import org.sonar.java.model.LiteralUtils;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/AbstractPrintfChecker.java b/java-checks/src/main/java/org/sonar/java/checks/AbstractPrintfChecker.java
@@ -31,7 +31,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.java.checks.methods.AbstractMethodDetection;
 import org.sonar.java.model.LiteralUtils;
 import org.sonar.plugins.java.api.semantic.MethodMatchers;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/CommentContainsPatternChecker.java b/java-checks/src/main/java/org/sonar/java/checks/CommentContainsPatternChecker.java
@@ -19,7 +19,7 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.SyntaxTrivia;
 

diff --git a/java-checks/src/main/java/org/sonar/java/checks/CommentedOutCodeLineCheck.java b/java-checks/src/main/java/org/sonar/java/checks/CommentedOutCodeLineCheck.java
@@ -23,7 +23,7 @@
 import java.util.Collections;
 import java.util.List;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.model.DefaultJavaFileScannerContext;
 import org.sonar.java.reporting.AnalyzerMessage;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/DateFormatWeekYearCheck.java b/java-checks/src/main/java/org/sonar/java/checks/DateFormatWeekYearCheck.java
@@ -21,7 +21,7 @@
 
 import java.util.Locale;
 import java.util.Optional;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.checks.helpers.QuickFixHelper;
 import org.sonar.java.checks.methods.AbstractMethodDetection;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/DiamondOperatorCheck.java b/java-checks/src/main/java/org/sonar/java/checks/DiamondOperatorCheck.java
@@ -23,7 +23,7 @@
 import java.util.List;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ArrayUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.JavaVersionAwareVisitor;
 import org.sonar.java.ast.visitors.SubscriptionVisitor;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/DisallowedConstructorCheck.java b/java-checks/src/main/java/org/sonar/java/checks/DisallowedConstructorCheck.java
@@ -19,7 +19,7 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.java.checks.methods.AbstractMethodDetection;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/DisallowedMethodCheck.java b/java-checks/src/main/java/org/sonar/java/checks/DisallowedMethodCheck.java
@@ -19,7 +19,7 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.java.checks.methods.AbstractMethodDetection;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/ForLoopFalseConditionCheck.java b/java-checks/src/main/java/org/sonar/java/checks/ForLoopFalseConditionCheck.java
@@ -19,19 +19,17 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.BooleanUtils;
+import javax.annotation.CheckForNull;
+import org.apache.commons.lang3.BooleanUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.model.ExpressionUtils;
-import org.sonar.java.model.LiteralUtils;
 import org.sonar.plugins.java.api.tree.BinaryExpressionTree;
 import org.sonar.plugins.java.api.tree.ExpressionTree;
 import org.sonar.plugins.java.api.tree.ForStatementTree;
 import org.sonar.plugins.java.api.tree.LiteralTree;
 import org.sonar.plugins.java.api.tree.Tree;
 import org.sonar.plugins.java.api.tree.UnaryExpressionTree;
 
-import javax.annotation.CheckForNull;
-
 @Rule(key = "S2252")
 public class ForLoopFalseConditionCheck extends AbstractForLoopRule {
 

diff --git a/java-checks/src/main/java/org/sonar/java/checks/HardcodedIpCheck.java b/java-checks/src/main/java/org/sonar/java/checks/HardcodedIpCheck.java
@@ -24,7 +24,7 @@
 import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.model.LiteralUtils;
 import org.sonar.plugins.java.api.JavaFileScanner;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/ImmediatelyReturnedVariableCheck.java b/java-checks/src/main/java/org/sonar/java/checks/ImmediatelyReturnedVariableCheck.java
@@ -22,7 +22,7 @@
 import java.util.List;
 import java.util.Map;
 import javax.annotation.CheckForNull;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.checks.helpers.QuickFixHelper;
 import org.sonarsource.analyzer.commons.collections.MapBuilder;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/OperatorPrecedenceCheck.java b/java-checks/src/main/java/org/sonar/java/checks/OperatorPrecedenceCheck.java
@@ -27,7 +27,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import org.apache.commons.lang.BooleanUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.sonar.check.Rule;
 import org.sonarsource.analyzer.commons.collections.SetUtils;
 import org.sonar.plugins.java.api.JavaFileScanner;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/PatternUtils.java b/java-checks/src/main/java/org/sonar/java/checks/PatternUtils.java
@@ -19,7 +19,7 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.api.utils.WildcardPattern;
 
 public final class PatternUtils {

diff --git a/java-checks/src/main/java/org/sonar/java/checks/PreparedStatementAndResultSetCheck.java b/java-checks/src/main/java/org/sonar/java/checks/PreparedStatementAndResultSetCheck.java
@@ -22,7 +22,7 @@
 import java.util.Optional;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.checks.helpers.ReassignmentFinder;
 import org.sonar.java.checks.methods.AbstractMethodDetection;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/RegexPatternsNeedlesslyCheck.java b/java-checks/src/main/java/org/sonar/java/checks/RegexPatternsNeedlesslyCheck.java
@@ -20,7 +20,7 @@
 package org.sonar.java.checks;
 
 import java.util.Optional;
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.checks.methods.AbstractMethodDetection;
 import org.sonar.java.model.ExpressionUtils;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/StringToPrimitiveConversionCheck.java b/java-checks/src/main/java/org/sonar/java/checks/StringToPrimitiveConversionCheck.java
@@ -19,7 +19,7 @@
  */
 package org.sonar.java.checks;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.semantic.MethodMatchers;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/SuppressWarningsCheck.java b/java-checks/src/main/java/org/sonar/java/checks/SuppressWarningsCheck.java
@@ -26,7 +26,7 @@
 import java.util.Set;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.java.model.LiteralUtils;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/ThreadStartedInConstructorCheck.java b/java-checks/src/main/java/org/sonar/java/checks/ThreadStartedInConstructorCheck.java
@@ -23,7 +23,7 @@
 import java.util.Deque;
 import java.util.LinkedList;
 import java.util.List;
-import org.apache.commons.lang.BooleanUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.sonar.check.Rule;
 import org.sonar.java.model.ExpressionUtils;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/TrailingCommentCheck.java b/java-checks/src/main/java/org/sonar/java/checks/TrailingCommentCheck.java
@@ -24,7 +24,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/UndocumentedApiCheck.java b/java-checks/src/main/java/org/sonar/java/checks/UndocumentedApiCheck.java
@@ -24,7 +24,7 @@
 import java.util.Set;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.api.utils.WildcardPattern;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/regex/RegexComplexityCheck.java b/java-checks/src/main/java/org/sonar/java/checks/regex/RegexComplexityCheck.java
@@ -23,7 +23,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.java.model.ExpressionUtils;

diff --git a/java-checks/src/main/java/org/sonar/java/checks/tests/AssertionsInTestsCheck.java b/java-checks/src/main/java/org/sonar/java/checks/tests/AssertionsInTestsCheck.java
@@ -40,7 +40,7 @@
 import org.sonar.plugins.java.api.tree.Modifier;
 import org.sonar.plugins.java.api.tree.Tree;
 
-import static org.apache.commons.lang.StringUtils.isEmpty;
+import static org.apache.commons.lang3.StringUtils.isEmpty;
 import static org.sonar.java.checks.helpers.UnitTestUtils.isUnitTest;
 
 @Rule(key = "S2699")

diff --git a/java-checks/src/main/java/org/sonar/java/checks/tests/NoTestInTestClassCheck.java b/java-checks/src/main/java/org/sonar/java/checks/tests/NoTestInTestClassCheck.java
@@ -27,7 +27,7 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
 import org.sonar.java.model.JUtils;

diff --git a/java-checks/src/test/java/org/sonar/java/checks/SanityTest.java b/java-checks/src/test/java/org/sonar/java/checks/SanityTest.java
@@ -31,7 +31,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import javax.annotation.Nullable;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.EnabledIfSystemProperty;
 import org.junit.jupiter.api.extension.RegisterExtension;

diff --git a/pom.xml b/pom.xml
@@ -84,7 +84,7 @@
     <sonar.version>9.5.0.56709</sonar.version>
     <sonar.plugin.api.version>9.8.0.203</sonar.plugin.api.version>
     <sonarlint.plugin.api.version>6.3.0.36253</sonarlint.plugin.api.version>
-    <analyzer.commons.version>1.27.0.1040</analyzer.commons.version>
+    <analyzer.commons.version>2.1.0.1111</analyzer.commons.version>
     <orchestrator.version>3.35.1.2719</orchestrator.version>
     <sslr.version>1.24.0.633</sslr.version>
     <argLine>-Xmx512m</argLine>