RSPEC-5128

"Bean Validation" (JSR 380) should be properly configured

    Details

    • Type: Code Smell Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Add missing "@Valid" on XXX to validate it with "Bean Validation".
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources

      Description

      Bean Validation, as defined by JSR 380, can be triggered programmatically or executed automatically by a Bean Validation provider (for example when a container validates method parameters). In both cases something has to tell the provider that a value must be validated, otherwise no validation happens. For nested objects this is done by annotating the field, parameter or container element with javax.validation.Valid, and on complex beans this annotation is easy to forget.
      Not annotating a variable with @Valid means Bean Validation will not cascade into it: the constraints declared on the nested object's own fields are silently skipped. Readers may overlook this omission and assume the variable is validated.

      This rule runs by default on all classes and can therefore generate a lot of noise. It should be restricted to the layers of the application where validation is expected. For this reason, the "Restrict Scope of Coding Rules" feature should be used to check for missing @Valid annotations only on some packages of the application.

      Noncompliant Code Example

      import java.util.List;

      import javax.validation.Valid;
      import javax.validation.constraints.NotNull;
      
      public class User {
        @NotNull
        private String name;
      }
      
      public class Group {
        @NotNull
        private List<User> users; // Noncompliant; the list is checked for null, but the User instances it contains are not validated
      }
      
      public class MyService {
        public void login(User user) { // Noncompliant; parameter "user" is not validated, so a null "name" goes unnoticed
        }
      }
      

      Compliant Solution

      import java.util.List;

      import javax.validation.Valid;
      import javax.validation.constraints.NotNull;
      
      public class User {
        @NotNull
        private String name;
      }
      
      public class Group {
        @Valid
        @NotNull
        private List<User> users; // Compliant; validation cascades into each User instance
      
        @NotNull
        // preferred style as of Bean Validation 2.0: annotate the container element
        private List<@Valid User> users2; // Compliant; User instances are validated
      }
      
      public class MyService {
        public void login(@Valid User user) { // Compliant; method validation cascades into "user"
        }
      }
      
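      The following runnable program is an added example, not part of the rule page or of SonarSource's code. It shows the difference at runtime by validating the same invalid User (null name) through a group field without @Valid, through a container element annotated with @Valid, and through a method parameter annotated with @Valid, the way a container such as CDI or Spring would do it. It assumes a Bean Validation 2.0 provider (for example Hibernate Validator 6.x together with an EL implementation) is on the classpath; the class and method names are illustrative.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Valid;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import javax.validation.constraints.NotNull;
import javax.validation.executable.ExecutableValidator;

// Added example (not from the rule page). Assumes a JSR 380 provider such as
// Hibernate Validator 6.x is on the classpath; names below are illustrative.
public class ValidCascadeDemo {

    static class User {
        @NotNull
        String name;

        User(String name) {
            this.name = name;
        }
    }

    // No @Valid: only the list reference itself is checked against @NotNull.
    // The provider never descends into the User objects it contains.
    static class UnvalidatedGroup {
        @NotNull
        List<User> users;

        UnvalidatedGroup(List<User> users) {
            this.users = users;
        }
    }

    // @Valid on the container element: each User is validated in turn.
    static class ValidatedGroup {
        @NotNull
        List<@Valid User> users;

        ValidatedGroup(List<User> users) {
            this.users = users;
        }
    }

    static class MyService {
        // @Valid on the parameter makes method validation cascade into the User.
        public void login(@Valid User user) {
        }
    }

    static <T> void report(String label, Set<ConstraintViolation<T>> violations) {
        System.out.println(label + ": " + violations.size() + " violation(s)");
        for (ConstraintViolation<T> v : violations) {
            // The property path names the nested field that failed.
            System.out.println("  " + v.getPropertyPath() + " " + v.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        try (ValidatorFactory factory = Validation.buildDefaultValidatorFactory()) {
            Validator validator = factory.getValidator();

            // Constructed input: a User whose @NotNull field is null.
            List<User> users = Collections.singletonList(new User(null));

            report("Group without @Valid", validator.validate(new UnvalidatedGroup(users)));
            report("Group with List<@Valid User>", validator.validate(new ValidatedGroup(users)));

            // Method-level validation, as an interceptor in a container would run it.
            ExecutableValidator execValidator = validator.forExecutables();
            MyService service = new MyService();
            Method login = MyService.class.getMethod("login", User.class);
            report("login(@Valid User)",
                   execValidator.validateParameters(service, login, new Object[] { new User(null) }));
        }
    }
}
```

      Running it shows why the rule is rated Critical: the group without @Valid passes validation even though it holds an invalid User, while both annotated variants report the null name. The violating field is only ever seen when something tells the provider to cascade.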

      People

      • Reporter:
        Alexandre Gigleux