bump up SpotBugs to 4.5.0

generate_profiles/BuildXmlFiles.groovy

@@ -5,13 +5,13 @@ import java.nio.charset.Charset;
 
 @Grapes([
 
- @Grab(group='com.github.spotbugs', module='spotbugs', version='4.4.0'),
+ @Grab(group='com.github.spotbugs', module='spotbugs', version='4.5.0'),
  @Grab(group='com.mebigfatguy.sb-contrib', module='sb-contrib', version='7.4.7'),
  @Grab(group='com.h3xstream.findsecbugs' , module='findsecbugs-plugin', version='1.11.0')]
 )
 
 
-FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.4.0')
+FB = new Plugin(groupId: 'com.github.spotbugs', artifactId: 'spotbugs', version: '4.5.0')
 CONTRIB = new Plugin(groupId: 'com.mebigfatguy.sb-contrib', artifactId: 'sb-contrib', version: '7.4.7')
 FSB = new Plugin(groupId: 'com.h3xstream.findsecbugs', artifactId: 'findsecbugs-plugin', version: '1.11.0')
 

pom.xml

@@ -51,7 +51,7 @@
  When update these versions, update description in .github/workflows/build.yml too.
  Also need to update profiles, see ./generate_profiles/README.md for detail.
  -->
- <spotbugs.version>4.4.0</spotbugs.version>
+ <spotbugs.version>4.5.0</spotbugs.version>
  <sbcontrib.version>7.4.7</sbcontrib.version>
  <findsecbugs.version>1.11.0</findsecbugs.version>
 

src/main/java/org/sonar/plugins/findbugs/rules/FindbugsRulesDefinition.java

@@ -29,7 +29,7 @@ public final class FindbugsRulesDefinition implements RulesDefinition {
 
  public static final String REPOSITORY_KEY = "findbugs";
  public static final String REPOSITORY_NAME = "FindBugs";
- public static final int RULE_COUNT = 449;
+ public static final int RULE_COUNT = 454;
  public static final int DEACTIVED_RULE_COUNT = 6;
 
  @Override

src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-and-fb-contrib.xml

@@ -1085,6 +1085,9 @@
  <Match>
  <Bug pattern='REC_CATCH_EXCEPTION' />
  </Match>
+ <Match>
+ <Bug pattern='DCN_NULLPOINTER_EXCEPTION' />
+ </Match>
  <Match>
  <Bug pattern='FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER' />
  </Match>
@@ -1346,6 +1349,18 @@
  <Match>
  <Bug pattern='EOS_BAD_END_OF_STREAM_CHECK' />
  </Match>
+ <Match>
+ <Bug pattern='REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS' />
+ </Match>
+ <Match>
+ <Bug pattern='REFLF_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_FIELD' />
+ </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR' />
+ </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
+ </Match>
  <Match>
  <Bug pattern='ISB_INEFFICIENT_STRING_BUFFERING' />
  </Match>

src/main/resources/org/sonar/plugins/findbugs/profile-findbugs-only.xml

@@ -1085,6 +1085,9 @@
  <Match>
  <Bug pattern='REC_CATCH_EXCEPTION' />
  </Match>
+ <Match>
+ <Bug pattern='DCN_NULLPOINTER_EXCEPTION' />
+ </Match>
  <Match>
  <Bug pattern='FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER' />
  </Match>
@@ -1346,4 +1349,16 @@
  <Match>
  <Bug pattern='EOS_BAD_END_OF_STREAM_CHECK' />
  </Match>
+ <Match>
+ <Bug pattern='REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS' />
+ </Match>
+ <Match>
+ <Bug pattern='REFLF_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_FIELD' />
+ </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR' />
+ </Match>
+ <Match>
+ <Bug pattern='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' />
+ </Match>
 </FindBugsFilter>

src/main/resources/org/sonar/plugins/findbugs/rules-findbugs.xml

@@ -191,7 +191,7 @@ consider using a commercial static analysis or pen-testing tool.
  <tag>security</tag>
  </rule>
  <rule key='SW_SWING_METHODS_INVOKED_IN_SWING_THREAD' priority='MAJOR'>
- <name>Bad practice - Certain swing methods needs to be invoked in Swing thread</name>
+ <name>Bad practice - Certain swing methods need to be invoked in Swing thread</name>
  <configKey>SW_SWING_METHODS_INVOKED_IN_SWING_THREAD</configKey>
  <description>&lt;p&gt;(&lt;a href="http://web.archive.org/web/20090526170426/http://java.sun.com/developer/JDCTechTips/2003/tt1208.html"&gt;From JDC Tech Tip&lt;/a&gt;): The Swing methods
 show(), setVisible(), and pack() will create the associated peer for the frame.
@@ -2151,7 +2151,7 @@ mechanism, it must be declared to have a return type of Object.
  <configKey>SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS</configKey>
  <description>&lt;p&gt; The field is marked as transient, but the class isn't Serializable, so marking it as transient
 has absolutely no effect.
-This may be leftover marking from a previous version of the code in which the class was transient, or
+This may be leftover marking from a previous version of the code in which the class was Serializable, or
 it may indicate a misunderstanding of how serialization works.
 &lt;/p&gt;
 &lt;p&gt;&lt;em&gt;This bug is reported only if special option &lt;tt&gt;reportTransientFieldOfNonSerializableClass&lt;/tt&gt; is set.&lt;/em&gt;&lt;/p&gt;</description>
@@ -4175,6 +4175,36 @@ does not need to be created, just access the static methods directly using the c
 } catch (Exception e) {
  ... deal with all non-runtime exceptions ...
 }
+&lt;/code&gt;&lt;/pre&gt;</description>
+ <tag>style</tag>
+ </rule>
+ <rule key='DCN_NULLPOINTER_EXCEPTION' priority='INFO'>
+ <name>Style - NullPointerException caught</name>
+ <configKey>DCN_NULLPOINTER_EXCEPTION</configKey>
+ <description>&lt;p&gt;
+According to SEI Cert rule &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors"&gt;ERR08-J&lt;/a&gt; NullPointerException should not be caught. Handling NullPointerException is considered an inferior alternative to null-checking.
+&lt;p&gt;
+This non-compliant code catches a NullPointerException to see if an incoming parameter is null:
+&lt;/p&gt;
+&lt;pre&gt;&lt;code&gt;
+boolean hasSpace(String m) {
+ try {
+ String ms[] = m.split(" ");
+ return names.length != 1;
+ } catch (NullPointerException e) {
+ return false;
+ }
+}
+&lt;/code&gt;&lt;/pre&gt;
+&lt;p&gt;
+A compliant solution would use a null-check as in the following example:
+&lt;/p&gt;
+&lt;pre&gt;&lt;code&gt;
+boolean hasSpace(String m) {
+ if (m == null) return false;
+ String ms[] = m.split(" ");
+ return names.length != 1;
+}
 &lt;/code&gt;&lt;/pre&gt;</description>
  <tag>style</tag>
  </rule>
@@ -5506,4 +5536,55 @@ after the call to initLogging, the logger configuration is lost
  <tag>correctness</tag>
  <tag>bug</tag>
  </rule>
+ <rule key='REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS' priority='INFO'>
+ <name>Malicious code - Public method uses reflection to create a class it gets in its parameter which could increase the accessibility of any class</name>
+ <configKey>REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS</configKey>
+ <description>&lt;p&gt;
+ &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields"&gt;SEI CERT SEC05-J&lt;/a&gt; rule forbids the use of reflection to increase accessibility of classes, methods or fields. If
+ a class in a package provides a public method which takes an instance of java.lang.Class as its parameter and
+ calls its newInstance() method then it increases accessibility of classes in the same package without public
+ constructors. An attacker code may call this method and pass such class to create an instance of it. This should
+ be avoided by either making the method non-public or by checking for package access permission on the package.
+ A third possibility is to use the java.beans.Beans.instantiate() method instead of java.lang.Class.newInstance()
+ which checks whether the Class object being received has any public constructors.
+ &lt;/p&gt;</description>
+ <tag>malicious-code</tag>
+ </rule>
+ <rule key='REFLF_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_FIELD' priority='INFO'>
+ <name>Malicious code - Public method uses reflection to modify a field it gets in its parameter which could increase the accessibility of any class</name>
+ <configKey>REFLF_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_FIELD</configKey>
+ <description>&lt;p&gt;
+ &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields"&gt;SEI CERT SEC05-J&lt;/a&gt; rule forbids the use of reflection to increase accessibility of classes, methods or fields. If
+ a class in a package provides a public method which takes an instance of java.lang.reflect.Field as its
+ parameter and calls a setter (or setAccessible()) method then it increases accessibility of fields in the same
+ package which are private, protected or package private. An attacker code may call this method and pass such
+ field to change it. This should be avoided by either making the method non-public or by checking for package
+ access permission on the package.
+ &lt;/p&gt;</description>
+ <tag>malicious-code</tag>
+ </rule>
+ <rule key='MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR' priority='INFO'>
+ <name>Malicious code - An overridable method is called from a constructor</name>
+ <configKey>MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR</configKey>
+ <description>&lt;p&gt;
+ Calling an overridable method during in a constructor may result in the use of uninitialized data. It may also
+ leak the this reference of the partially constructed object. Only static, final or private methods should be
+ invoked from a constructor.&lt;/p&gt;
+ &lt;p&gt;
+ See SEI CERT rule &lt;a href="https://wiki.sei.cmu.edu/confluence/display/java/MET05-J.+Ensure+that+constructors+do+not+call+overridable+methods"&gt;MET05-J. Ensure that constructors do not call overridable methods&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>malicious-code</tag>
+ </rule>
+ <rule key='MC_OVERRIDABLE_METHOD_CALL_IN_CLONE' priority='INFO'>
+ <name>Malicious code - An overridable method is called from the clone() method.</name>
+ <configKey>MC_OVERRIDABLE_METHOD_CALL_IN_CLONE</configKey>
+ <description>&lt;p&gt;
+ Calling overridable methods from the clone() method is insecure because a subclass could override the method,
+ affecting the behavior of clone(). It can also observe or modify the clone object in a partially initialized
+ state. Only static, final or private methods should be invoked from the clone() method.&lt;/p&gt;
+ &lt;p&gt;
+ See SEI CERT rule &lt;a href="https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487921"&gt;MET06-J. Do not invoke overridable methods in clone()&lt;/a&gt;.
+ &lt;/p&gt;</description>
+ <tag>malicious-code</tag>
+ </rule>
 </rules>