SONARSLANG-33

Kotlin: False negative related to strings


    Details

    • Type: False Negative
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.9
    • Component/s: Kotlin
    • Labels: None

      Description

      Context

      Strings in Kotlin can directly contain interpolated values:
      "My name is $name" => replaces $name with the value of name.toString()
      or even blocks of code:

      "The remainder is ${ i % x}"

      In the Kotlin AST, this is represented as a string template (KtStringTemplateExpression) with a list of entries that are either literal children (KtLiteralStringTemplateEntry, KtEscapeStringTemplateEntry) or expression children that will be interpolated (KtSimpleNameStringTemplateEntry, KtBlockStringTemplateEntry).

      Tradeoffs

      • Variables used in string interpolation should appear in the Slang AST; otherwise it might result in false positives for rules such as "unused variable"/"unused parameter".
      • Individual entries of a string template cannot appear as individual string literals in the AST; otherwise it might result in false positives for similar-string detection (e.g. "My name " and "My name $name" would both be considered to contain the "My name " string literal).

      Current implementation

      In order to avoid the false positives mentioned above, string templates that involve interpolation are currently mapped to a native element instead of a string literal, and the template's child entries that should be string literals are also mapped to native elements.
      This causes false negatives in the following cases:

      • The rule HardcodedCredentialsCheck (RSPEC-2068): strings of the form "password=XXXX&login=$loginValue" will not raise an issue, since the literal is considered a native element.
      • The rule StringLiteralDuplicatedCheck (RSPEC-1192): will not raise issues on duplicated strings that contain variable entries. Ex:
         a="$value"; a="$value"; a="$value"; a="$value"

      Additionally, these strings are not flagged as strings for syntax highlighting.

      Possible solution

      One possible solution would be to extend StringLiteralTree in the Kotlin part so that the literal value is the whole string (with the interpolated entries) and to allow the tree to have children as well.
      The problem with this is that it is not in the Slang grammar, so it cannot be tested in checks.
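      As an added example, not part of this issue and not SonarSlang or SonarSource code, the following Python script splits the body of a regular (non-raw) Kotlin string template into the four entry kinds named above and then runs two toy checks over constructed sample templates. It shows both sides of the tradeoff: counting literal entries individually makes "My name " and "My name $name" collide, while treating interpolated templates as opaque native elements (the current mapping) misses "password=XXXX&login=$loginValue" and the four repeated "$value" strings. The helper names (split_template, has_interpolation, count_whole_templates, count_literal_entries, hardcoded_credential) and the credential regex are assumptions made for this example; the regex is only a simplified stand-in for RSPEC-2068, not the rule's real pattern.

```python
"""Kotlin string-template entries and the two rule outcomes described in the issue.

Added example, not SonarSlang code. Entry kinds mirror the KtStringTemplateEntry
classes named in the issue; all function names and the credential regex are
hypothetical choices for this example. Input is the template body between the
double quotes of a regular (non-raw) Kotlin string.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str  # "literal", "escape", "simple_name" or "block"
    text: str  # source text of the entry


def split_template(body: str) -> list[Entry]:
    """Split a template body into entries: literal runs, \\-escapes, $name
    entries and ${...} block entries (nested braces allowed; a brace inside a
    string literal nested in the block is not handled)."""
    entries: list[Entry] = []
    literal: list[str] = []

    def flush() -> None:
        if literal:
            entries.append(Entry("literal", "".join(literal)))
            literal.clear()

    i, n = 0, len(body)
    while i < n:
        c = body[i]
        nxt = body[i + 1] if i + 1 < n else ""
        if c == "\\" and nxt:
            flush()
            entries.append(Entry("escape", body[i:i + 2]))
            i += 2
        elif c == "$" and nxt == "{":
            flush()
            depth, j = 1, i + 2
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(body[j], 0)
                j += 1
            entries.append(Entry("block", body[i:j]))
            i = j
        elif c == "$" and (nxt.isalpha() or nxt == "_"):
            flush()
            j = i + 1
            while j < n and (body[j].isalnum() or body[j] == "_"):
                j += 1
            entries.append(Entry("simple_name", body[i:j]))
            i = j
        else:
            literal.append(c)  # a lone "$" is an ordinary character
            i += 1
    flush()
    return entries


def has_interpolation(body: str) -> bool:
    return any(e.kind in ("simple_name", "block") for e in split_template(body))


def count_whole_templates(bodies: list[str]) -> Counter:
    """Duplicate detection keyed on the whole template text (what the proposed
    StringLiteralTree extension would expose): "$value" four times counts 4."""
    return Counter(bodies)


def count_literal_entries(bodies: list[str]) -> Counter:
    """Duplicate detection keyed on individual literal entries: the mapping the
    second tradeoff warns about, where "My name " and "My name $name" collide."""
    return Counter(
        e.text for b in bodies for e in split_template(b) if e.kind == "literal"
    )


# Simplified stand-in for RSPEC-2068, not the rule's real pattern (assumption).
CREDENTIAL_RE = re.compile(r"\b(password|passwd|pwd)=[^\s&]+", re.IGNORECASE)


def hardcoded_credential(body: str, templates_are_native: bool) -> bool:
    """With templates_are_native=True the current SonarSlang mapping is modelled:
    an interpolated template is a native element and is never inspected, so
    "password=XXXX&login=$loginValue" is missed (the false negative)."""
    if templates_are_native and has_interpolation(body):
        return False
    return CREDENTIAL_RE.search(body) is not None


if __name__ == "__main__":
    # Constructed sample templates, taken from the issue text plus an escape case.
    for body in ("My name is $name", "The remainder is ${ i % x}", "cost: \\$5"):
        print(body, "->", [(e.kind, e.text) for e in split_template(body)])
    print(hardcoded_credential("password=XXXX&login=$loginValue", templates_are_native=True))
    print(count_whole_templates(["$value"] * 4))
    print(count_literal_entries(["My name ", "My name $name"]))
```

      Running the script prints the entry lists, False for the credential check under the current mapping, a count of 4 for the repeated "$value" when whole templates are compared, and a count of 2 for "My name " when literal entries are compared individually, which is the false positive the tradeoff section warns about.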

      People

      Assignee: Unassigned
      Reporter: Christophe Zurn (christophe.zurn)