Upgrade SpotBugs to 4.8.4 (#1001)

* deps: Upgraded SpotBugs to 4.8.4, updated profiles and rules count

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
  uses: ./.github/actions/sonar-update-center
  with:
  prop-file: findbugs.properties
- description: Use SpotBugs 4.8.3, sb-contrib 7.6.4, and findsecbugs 1.13.0
+ description: Use SpotBugs 4.8.4, sb-contrib 7.6.4, and findsecbugs 1.13.0
  minimal-supported-sq-version: 9.9
  latest-supported-sq-version: LATEST
  changelog-url: https://github.com/spotbugs/sonar-findbugs/releases/tag/${{ github.event.release.tag_name }}

README.md

@@ -1,6 +1,6 @@
 # SonarQube Spotbugs Plugin
 [![.github/workflows/build.yml](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml/badge.svg)](https://github.com/spotbugs/sonar-findbugs/actions/workflows/build.yml)
-![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-933-brightgreen.svg?maxAge=2592000)
+![FindBugs Rules](https://img.shields.io/badge/SpotBugs_rules-940-brightgreen.svg?maxAge=2592000)
 [![Coverage Status](https://sonarcloud.io/api/project_badges/measure?project=com.github.spotbugs%3Asonar-findbugs-plugin&metric=coverage)](https://sonarcloud.io/component_measures?id=com.github.spotbugs:sonar-findbugs-plugin&metric=coverage)
 
 ## Description / Features
@@ -73,4 +73,4 @@ Findbugs Plugin version|Embedded SpotBugs/Findbugs version|Embedded Findsecbugs
 4.2.6 | 4.8.2 (SpotBugs) | 1.12.0 | 7.6.2 (sb-contrib) | 1.8|7.9~|5.10.1.16922
 4.2.7 | 4.8.3 (SpotBugs) | 1.12.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
 4.2.8 | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
-4.2.9-SNAPSHOT | 4.8.3 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922
+4.2.9-SNAPSHOT | 4.8.4 (SpotBugs) | 1.13.0 | 7.6.4 (sb-contrib) | 1.8|7.9~|5.10.1.16922

generate_profiles/BuildXmlFiles.groovy

@@ -8,13 +8,13 @@ import groovy.json.JsonSlurper;
 
 @Grapes([
 
- @Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.3'),
+ @Grab(group='com.github.spotbugs', module='spotbugs', version='4.8.4'),
  @Grab(group='com.mebigfatguy.sb-contrib', module='sb-contrib', version='7.6.4'),
  @Grab(group='com.h3xstream.findsecbugs' , module='findsecbugs-plugin', version='1.13.0')]
 )
 
 
-FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.3')
+FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.8.4')
 CONTRIB = new Plugin(groupId: 'com.mebigfatguy.sb-contrib', artifactId: 'sb-contrib', version: '7.6.4')
 FSB = new Plugin(groupId: 'com.h3xstream.findsecbugs', artifactId: 'findsecbugs-plugin', version: '1.13.0')
 

pom.xml

@@ -52,7 +52,7 @@
  Also need to update profiles, see ./generate_profiles/README.md for detail.
  Update the version table and the rules count badge in README.md
  -->
- <spotbugs.version>4.8.3</spotbugs.version>
+ <spotbugs.version>4.8.4</spotbugs.version>
  <sbcontrib.version>7.6.4</sbcontrib.version>
  <findsecbugs.version>1.13.0</findsecbugs.version>
 

src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java

@@ -28,7 +28,7 @@ public final class FindbugsRulesDefinition implements RulesDefinition {
 
  public static final String REPOSITORY_KEY = "findbugs";
  public static final String REPOSITORY_NAME = "FindBugs";
- public static final int RULE_COUNT = 476;
+ public static final int RULE_COUNT = 483;
  public static final int DEACTIVED_RULE_COUNT = 6;
 
  @Override

src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml

@@ -1370,6 +1370,27 @@
  <Match>
  <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
  </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONEABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' />
+ </Match>
  <Match>
  <Bug pattern='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' />
  </Match>

src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml

@@ -1370,6 +1370,27 @@
  <Match>
  <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
  </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONEABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' />
+ </Match>
+ <Match>
+ <Bug pattern='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' />
+ </Match>
  <Match>
  <Bug pattern='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' />
  </Match>

src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml

@@ -4560,6 +4560,13 @@ If the object is, indeed, non-serializable, an error will result.
  <description>&lt;p&gt;
 This format string includes a newline character (\n). In format strings, it is generally
  preferable to use %n, which will produce the platform-specific line separator.
+
+ When using text blocks introduced in Java 15, use the &lt;code&gt;\&lt;/code&gt; escape sequence:
+
+&lt;code&gt;String value = """
+ first line%n\
+ second line%n\
+ """;&lt;/code&gt;
 &lt;/p&gt;</description>
  <tag>bad-practice</tag>
  </rule>
@@ -5651,6 +5658,94 @@ object explicitly.&lt;/p&gt;</description>
  &lt;/p&gt;</description>
  <tag>malicious-code</tag>
  </rule>
+ <rule key='MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT' priority='INFO'>
+ <name>Malicious code - An overridable method is called from the readObject method.</name>
+ <configKey>MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT</configKey>
+ <description>&lt;p&gt;
+ The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject()
+ method can provide the overriding method with access to the object's state before it is fully initialized. This
+ premature access is possible because, in deserialization, readObject plays the role of object constructor and
+ therefore object initialization is not complete until readObject exits.&lt;/p&gt;
+ &lt;p&gt;
+ &lt;br/&gt;
+ See SEI CERT rule &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method"&gt;
+ SER09-J. Do not invoke overridable methods from the readObject() method&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>malicious-code</tag>
+ </rule>
+ <rule key='SING_SINGLETON_IMPLEMENTS_CLONEABLE' priority='MAJOR'>
+ <name>Correctness - Class using singleton design pattern directly implements Cloneable interface.</name>
+ <configKey>SING_SINGLETON_IMPLEMENTS_CLONEABLE</configKey>
+ <description>&lt;p&gt;
+ If a class using singleton design pattern directly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
+ Therefore, implementing the Cloneable interface should be avoided.&lt;br&gt;&lt;br&gt;
+
+ For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
+ <rule key='SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE' priority='MAJOR'>
+ <name>Correctness - Class using singleton design pattern indirectly implements Cloneable interface.</name>
+ <configKey>SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE</configKey>
+ <description>&lt;p&gt;
+ If a class using singleton design pattern indirectly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
+ Therefore, implementing the Cloneable interface should be avoided. If that's not possible because of an extended super-class, the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.&lt;br&gt;&lt;br&gt;
+
+ For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
+ <rule key='SING_SINGLETON_IMPLEMENTS_CLONE_METHOD' priority='MAJOR'>
+ <name>Correctness - Class using singleton design pattern implements clone() method without being an unconditional CloneNotSupportedException-thrower.</name>
+ <configKey>SING_SINGLETON_IMPLEMENTS_CLONE_METHOD</configKey>
+ <description>&lt;p&gt;
+ This class is using singleton design pattern and does not implement the Cloneable interface, but implements the clone() method without being an unconditional CloneNotSupportedException-thrower. 
+ With that, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
+ Therefore, implementing the clone method should be avoided, otherwise the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.&lt;br&gt;&lt;br&gt;
+
+ For more information, see: &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
+ <rule key='SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR' priority='MAJOR'>
+ <name>Correctness - Class using singleton design pattern has non-private constructor.</name>
+ <configKey>SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR</configKey>
+ <description>&lt;p&gt;
+ This class is using singleton design pattern and has non-private constructor (please note that a default constructor might exist which is not private). Given that, it is possible to create a copy of the object, thus violating the singleton pattern.&lt;br&gt;
+ The easier solution would be making the constructor private.&lt;br&gt;&lt;br&gt;
+
+ &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
+ <rule key='SING_SINGLETON_IMPLEMENTS_SERIALIZABLE' priority='MAJOR'>
+ <name>Correctness - Class using singleton design pattern directly or indirectly implements Serializable interface.</name>
+ <configKey>SING_SINGLETON_IMPLEMENTS_SERIALIZABLE</configKey>
+ <description>&lt;p&gt;
+ This class (using singleton design pattern) directly or indirectly implements the Serializable interface, which allows the class to be serialized.&lt;br&gt;
+ Deserialization makes multiple instantiation of a singleton class possible, and therefore should be avoided.&lt;br&gt;&lt;br&gt;
+
+ &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
+ <rule key='SING_SINGLETON_GETTER_NOT_SYNCHRONIZED' priority='MAJOR'>
+ <name>Correctness - Instance-getter method of class using singleton design pattern is not synchronized.</name>
+ <configKey>SING_SINGLETON_GETTER_NOT_SYNCHRONIZED</configKey>
+ <description>&lt;p&gt;
+ Instance-getter method of class using singleton design pattern is not synchronized. When this method is invoked by two or more threads simultaneously, 
+ multiple instantiation of a singleton class becomes possible.&lt;br&gt;&lt;br&gt;
+
+ &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects"&gt;SEI CERT MSC07-J&lt;/a&gt; rule
+ &lt;/p&gt;</description>
+ <tag>correctness</tag>
+ <tag>bug</tag>
+ </rule>
  <rule key='SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA' priority='MAJOR'>
  <name>Multi-threading - Instance level lock was used on a shared static data</name>
  <configKey>SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA</configKey>

src/test/java/org/sonar/plugins/findbugs/FindbugsProfileImporterTest.java

@@ -132,7 +132,7 @@ void shouldImportCategories() {
  BuiltInQualityProfile profile = context.profile(Java.KEY, TEST_PROFILE);
  Collection<BuiltInActiveRule> results = profile.rules();
 
- assertThat(results).hasSize(153);
+ assertThat(results).hasSize(159);
  assertThat(findActiveRule(profile, FindbugsRulesDefinition.REPOSITORY_KEY, "BC_IMPOSSIBLE_DOWNCAST")).isNotNull();
  }
 
@@ -182,7 +182,7 @@ void testImportingUncorrectXmlFile() {
  @ParameterizedTest
  @CsvSource({
  "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownRule.xml,1",
- "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,153",
+ "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCategory.xml,159",
  "/org/sonar/plugins/findbugs/findbugsXmlWithUnknownCode.xml,12"})
  void profileImport(String profilePath, int expectedSize) {
  NewBuiltInQualityProfile newProfile = context.createBuiltInQualityProfile(TEST_PROFILE, Java.KEY);