  1. SonarJava
  2. SONARJAVA-3800

S5128 does not take into account @Validated in method parameter

    Details

    • Type: False-Positive
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Rules
    • Labels: None

      Description

      The implementation of RSPEC-5128 raises a false positive (FP) on a method parameter in some usages of "@Validated".

      In Spring documentation https://www.baeldung.com/spring-boot-testing-configurationproperties and https://www.baeldung.com/configuration-properties-in-spring-boot it is stated: "@ConfigurationProperties provides validation of properties using the JSR-303 format." 

      The combination of "@Bean" on the method with "@Validated" and "@ConfigurationProperties" on the class of its method parameter makes "@Valid" not required on that parameter.

      If the class annotated "@Validated" has some user-defined fields, all of them must be annotated "@Valid". If they are not, raising an issue for the missing "@Valid" on the method parameter is correct.

      NB
      According to the Spring documentation, this is the recommended way to load properties, especially when we want to override values of external libraries.

      Compliant code

      Application code

      package com.mathiric.house.server.bis;
      
      import org.springframework.boot.context.properties.ConfigurationProperties;
      import org.springframework.validation.annotation.Validated;
      import javax.validation.constraints.NotBlank;
      
      @Validated
      @ConfigurationProperties(prefix = "address")
      public class AddressBis {
          @NotBlank
          private String ip;
      }
      

      Configuration

      package com.mathiric.house.server.bis;
      
      import org.springframework.boot.context.properties.EnableConfigurationProperties;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      
      @Configuration
      @EnableConfigurationProperties(AddressBis.class)
      public class MyServerService {
      
          @Bean
          public ServerConfigBis getConfig(AddressBis address) {  // Compliant: @Valid is not missing, @Bean on the method + AddressBis correctly annotated
              return new ServerConfigBis(address);
          }
      }  
      

      Bean object (only needed for the correct execution of Spring, does not change anything to the rule).

      package com.mathiric.house.server.bis;
      
      import org.springframework.context.annotation.Configuration;
      import javax.validation.Valid;
      
      @Configuration
      public class ServerConfigBis {
      
          @Valid
          private AddressBis address;
      
          public ServerConfigBis(AddressBis address) {
              this.address = address;
          }
      
          public AddressBis getAddress() { return address; }
      }
      

      Noncompliant code

      package com.mathiric.house.server.bis;
      
      import org.springframework.boot.context.properties.ConfigurationProperties;
      import org.springframework.validation.annotation.Validated;
      import javax.validation.constraints.NotBlank;
      
      @Validated
      @ConfigurationProperties(prefix = "address")
      public class AddressBis {
          @NotBlank
          private String ip;
      
          private MyPhysicalAddress address; // Noncompliant (issue will be reported in configuration) because the field is not annotated @Valid and not primitive
      }
      
      @Validated
      public class AnotherClass {
          @NotBlank
          private String ip;
      }
      

      Configuration

      package com.mathiric.house.server.bis;
      
      import org.springframework.boot.context.properties.EnableConfigurationProperties;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      
      @Configuration
      @EnableConfigurationProperties(AddressBis.class)
      public class MyServerService {
      
          @Bean
          public ServerConfigBis getConfig(AddressBis address) {  // Noncompliant: the class AddressBis has a user-defined field not annotated @Valid, and the parameter is not annotated @Valid.
              return new ServerConfigBis(address);
          }
      
          @Bean
          public ServerConfigBis getConfig(AnotherClass address) { // Noncompliant: @Valid is missing (AnotherClass is not correctly annotated).
              return new ServerConfigBis(address);
          }
      }  
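
The decision requested in the description, sketched as a reflection-based predicate. This is an added example, not SonarJava's implementation and not part of the original report. The annotations are local stand-ins for the Spring and javax.validation ones, the sample classes are constructed, "user-defined" is approximated as any non-primitive, non-array type outside `java.*`, and the parameter type is assumed to have already been found to carry constraints.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.Arrays;

public class S5128Sketch {
    // Local stand-ins for the real annotations (assumption: keeps the sketch dependency-free).
    @Retention(RetentionPolicy.RUNTIME) @interface Bean {}
    @Retention(RetentionPolicy.RUNTIME) @interface Valid {}
    @Retention(RetentionPolicy.RUNTIME) @interface Validated {}
    @Retention(RetentionPolicy.RUNTIME) @interface ConfigurationProperties { String prefix(); }

    // Constructed sample types mirroring the cases in the ticket.
    static class MyPhysicalAddress { String street; }
    @Validated @ConfigurationProperties(prefix = "address")
    static class AddressOk { String ip; @Valid MyPhysicalAddress address; }
    @Validated @ConfigurationProperties(prefix = "address")
    static class AddressBad { String ip; MyPhysicalAddress address; }
    @Validated static class AnotherClass { String ip; }

    static class Config {
        @Bean Object ok(AddressOk a) { return a; }          // exempt: no issue expected
        @Bean Object bad(AddressBad a) { return a; }        // nested field lacks @Valid
        @Bean Object other(AnotherClass a) { return a; }    // no @ConfigurationProperties
        Object notBean(AddressOk a) { return a; }           // method is not a @Bean
    }

    // Approximation of "user-defined field type": not primitive, not an array, not a JDK type.
    static boolean isUserDefined(Class<?> t) {
        return !t.isPrimitive() && !t.isArray() && !t.getName().startsWith("java.");
    }

    // True when a missing-@Valid issue should still be raised on parameter p of method m.
    static boolean shouldReport(Method m, Parameter p) {
        if (p.isAnnotationPresent(Valid.class)) return false;
        Class<?> type = p.getType();
        boolean exempt = m.isAnnotationPresent(Bean.class)
                && type.isAnnotationPresent(Validated.class)
                && type.isAnnotationPresent(ConfigurationProperties.class)
                && Arrays.stream(type.getDeclaredFields())
                        .filter(f -> isUserDefined(f.getType()))
                        .allMatch(f -> f.isAnnotationPresent(Valid.class));
        return !exempt;
    }

    public static void main(String[] args) {
        for (Method m : Config.class.getDeclaredMethods())
            System.out.println(m.getName() + " -> report=" + shouldReport(m, m.getParameters()[0]));
    }
}
```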
      

              People

              • Assignee:
                Unassigned
                Reporter:
                richard.mathis Richard Mathis