Merge branch 'master' into issue-1950-truncate-reports

CHANGELOG.md

@@ -5,9 +5,25 @@ This is the changelog for SpotBugs. This follows [Keep a Changelog v1.0.0](http:
 Currently the versioning policy of this project follows [Semantic Versioning v2.0.0](http://semver.org/spec/v2.0.0.html).
 
 ## Unreleased - 2022-??-??
+### Changed
+- Updated documentation by adding parenthesis `()` to the negative odd check message ([#1995](https://github.com/spotbugs/spotbugs/issues/1995))
+
 ### Fixed
-- Bumped Saxon-HE from 10.6 to 11.2 ([#1955](https://github.com/spotbugs/spotbugs/pull/1955))
 - Fixed reports to truncate existing files before writing new content ([#1950](https://github.com/spotbugs/spotbugs/issues/1950))
+- Bumped Saxon-HE from 10.6 to 11.3 ([#1955](https://github.com/spotbugs/spotbugs/pull/1955), [#1999](https://github.com/spotbugs/spotbugs/pull/1999))
+- Fixed traversal of nested archives governed by `-nested:true` ([#1930](https://github.com/spotbugs/spotbugs/pull/1930))
+- Warnings of deprecated System::setSecurityManager calls on Java 17 ([#1983](https://github.com/spotbugs/spotbugs/pull/1983))
+- Fixed false positive SSD bug for locking on java.lang.Class objects ([#1978](https://github.com/spotbugs/spotbugs/issues/1978))
+- FindReturnRef throws an IllegalArgumentException unexpectedly ([#2019](https://github.com/spotbugs/spotbugs/issues/2019))
+- Bump ObjectWeb ASM from 9.2 to 9.3 supporting JDK 19 ([#2004](https://github.com/spotbugs/spotbugs/pull/2004))
+
+### Added
+* New detector `ThrowingExceptions` and introduced new bug types:
+  * `THROWS_METHOD_THROWS_RUNTIMEEXCEPTION` is reported in case of a method throwing RuntimeException, 
+  * `THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION` is reported when a method has Exception in its throws clause and 
+  * `THROWS_METHOD_THROWS_CLAUSE_THROWABLE` is reported when a method has Throwable in its throws clause (See [SEI CERT ERR07-J](https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable))
+* New rule `PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS` to warn for custom class loaders who do not call their superclasses' `getPermissions()` in their `getPermissions()` method. This rule based on the SEI CERT rule *SEC07-J Call the superclass's getPermissions() method when writing a custom class loader*. ([#SEC07-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader))
+* New rule `USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE` to detect cases where a non-final method of a non-final class is called from public methods of public classes and then the same method is called on the same object inside a doPrivileged block. Since the called method may have been overridden to behave differently on the first and second invocations this is a possible security check based on an unreliable source. This rule is based on *SEC02-J. Do not base security checks on untrusted sources*. ([#SEC02-J](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources))
 
 ## 4.6.0 - 2022-03-08
 ### Fixed

build.gradle

@@ -1,6 +1,6 @@
 plugins {
   id "org.sonarqube" version "3.3"
-  id "com.diffplug.spotless" version "6.3.0"
+  id "com.diffplug.spotless" version "6.4.2"
   id "org.gradle.crypto.checksum" version "1.4.0"
   id "com.github.spotbugs" version "5.0.6"
   id "io.github.gradle-nexus.publish-plugin" version "1.1.0"

buildSrc/build.gradle.kts

@@ -6,5 +6,5 @@ repositories {
     gradlePluginPortal()
 }
 dependencies {
-    implementation("com.diffplug.gradle:goomph:3.35.0")
+    implementation("com.diffplug.gradle:goomph:3.36.2")
 }

docs/filter.rst

@@ -31,7 +31,7 @@ Types of Match clauses
 This element specifies a particular bug ``pattern`` or ``patterns`` to match. The ``pattern`` attribute is a comma-separated list of bug pattern types.
 You can find the bug pattern types for particular warnings by looking at the output produced by the **-xml** output option (the type attribute of BugInstance elements), or from the :doc:`bugDescriptions`.
 
-For more coarse-grained matching, use ``code`` attribute. It takes a comma-separated list of bug abbreviations. For most-coarse grained matching use ``category`` attribute, that takes a comma separated list of bug category names: ``CORRECTNESS``, ``MT_CORRECTNESS``, ``BAD_PRACTICICE``, ``PERFORMANCE``, ``STYLE``.
+For more coarse-grained matching, use ``code`` attribute. It takes a comma-separated list of bug abbreviations. For most-coarse grained matching use ``category`` attribute, that takes a comma separated list of bug category names: ``CORRECTNESS``, ``MT_CORRECTNESS``, ``BAD_PRACTICE``, ``PERFORMANCE``, ``STYLE``.
 
 If more than one of the attributes mentioned above are specified on the same <Bug> element, all bug patterns that match either one of specified pattern names, or abbreviations, or categories will be matched.
 

eclipsePlugin-junit/build.gradle

@@ -12,7 +12,7 @@ tasks.named('compileJava', JavaCompile).configure {
 dependencies {
   implementation project(':eclipsePlugin')
   testImplementation 'junit:junit:4.13.2'
-  testImplementation 'org.mockito:mockito-core:4.4.0'
+  testImplementation 'org.mockito:mockito-core:4.5.1'
 }
 
 tasks.named('jacocoTestReport', JacocoReport).configure {

settings.gradle

@@ -1,5 +1,5 @@
 plugins {
-  id "com.gradle.enterprise" version "3.8.1"
+  id "com.gradle.enterprise" version "3.10"
 }
 
 include ':eclipsePlugin'

spotbugs-tests/build.gradle

@@ -19,7 +19,7 @@ dependencies {
   implementation 'org.hamcrest:hamcrest-all:1.3'
   implementation 'org.apache.ant:ant:1.10.12'
   implementation "org.apache.logging.log4j:log4j-slf4j18-impl:$log4jVersion"
-  implementation 'com.google.errorprone:error_prone_annotations:2.11.0'
+  implementation 'com.google.errorprone:error_prone_annotations:2.13.1'
   implementation files(project(":spotbugs").sourceSets.gui.output)
 }
 

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/classfile/impl/ClassPathBuilderTest.java

@@ -0,0 +1,36 @@
+package edu.umd.cs.findbugs.classfile.impl;
+
+import edu.umd.cs.findbugs.AppVersion;
+import edu.umd.cs.findbugs.BugCollection;
+import edu.umd.cs.findbugs.test.SpotBugsRule;
+import org.junit.Rule;
+import org.junit.Test;
+
+import java.nio.file.Paths;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+
+public class ClassPathBuilderTest {
+
+    @Rule
+    public SpotBugsRule analyzer = new SpotBugsRule();
+
+    @Test
+    public void nestedTraversalDisabled() {
+        BugCollection results = analyzer.performAnalysis((engine) -> {
+            engine.setScanNestedArchives(false);
+            engine.setNoClassOk(true);
+        }, Paths.get("../spotbugsTestCases/archives/nestedArchive.jar"));
+        AppVersion appInformation = results.getCurrentAppVersion();
+        assertThat(appInformation.getNumClasses(), equalTo(0));
+    }
+
+    @Test
+    public void nestedTraversalEnabled() {
+        BugCollection results = analyzer.performAnalysis((engine) -> engine.setScanNestedArchives(true),
+                Paths.get("../spotbugsTestCases/archives/nestedArchive.jar"));
+        AppVersion appInformation = results.getCurrentAppVersion();
+        assertThat(appInformation.getNumClasses(), equalTo(5));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/CheckThrowingExceptions.java

@@ -0,0 +1,49 @@
+package edu.umd.cs.findbugs.detect;
+
+import static edu.umd.cs.findbugs.test.CountMatcher.containsExactly;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+public class CheckThrowingExceptions extends AbstractIntegrationTest {
+    @Test
+    public void throwingExceptionsTests() {
+        performAnalysis("MethodsThrowingExceptions.class");
+
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_RUNTIMEEXCEPTION", 1);
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION", 1);
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_CLAUSE_THROWABLE", 1);
+
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_RUNTIMEEXCEPTION", 1, "MethodsThrowingExceptions", "isCapitalizedThrowingRuntimeException");
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_RUNTIMEEXCEPTION", 0, "MethodsThrowingExceptions", "isCapitalizedThrowingSpecializedException");
+
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION", 1, "MethodsThrowingExceptions", "methodThrowingBasicException");
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION", 0, "MethodsThrowingExceptions", "methodThrowingIOException");
+
+        assertNumOfTHROWSBugs("THROWS_METHOD_THROWS_CLAUSE_THROWABLE", 1, "MethodsThrowingExceptions", "methodThrowingThrowable");
+    }
+
+    private void assertNumOfTHROWSBugs(String bugType, int num) {
+        final BugInstanceMatcher bugTypeMatcher = new BugInstanceMatcherBuilder()
+                .bugType(bugType)
+                .build();
+        assertThat(getBugCollection(), containsExactly(num, bugTypeMatcher));
+    }
+
+    private void assertNumOfTHROWSBugs(String bugType, int num, String className, String method) {
+        final BugInstanceMatcher bugTypeMatcher = new BugInstanceMatcherBuilder()
+                .bugType(bugType)
+                .inClass(className)
+                .inMethod(method)
+                .build();
+        if (num > 0) {
+            assertThat(getBugCollection(), hasItem(bugTypeMatcher));
+        }
+        assertThat(getBugCollection(), containsExactly(num, bugTypeMatcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/FindInstanceLockOnSharedStaticDataCheckTest.java

@@ -29,6 +29,13 @@ public void findSSDBugInClass_InstanceLevelSynchronizedMethod() {
         assertSSDBug("InstanceLevelSynchronizedMethod", "methodWithBug", 10);
     }
 
+    @Test
+    public void findNoSSDBugInClass_LockingOnJavaLangClassObject() {
+        performAnalysis("instanceLockOnSharedStaticData/LockingOnJavaLangClassObject.class");
+
+        assertNumOfSSDBugs(0);
+    }
+
     @Test
     public void findNoSSDBugInClass_StaticLockObjectOnStaticSharedData() {
         performAnalysis("instanceLockOnSharedStaticData/StaticLockObjectOnStaticSharedData.class");

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/FindPotentialSecurityCheckBasedOnUntrustedSourceTest.java

@@ -0,0 +1,42 @@
+package edu.umd.cs.findbugs.detect;
+
+import static edu.umd.cs.findbugs.test.CountMatcher.containsExactly;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+public class FindPotentialSecurityCheckBasedOnUntrustedSourceTest extends AbstractIntegrationTest {
+
+    @Test
+    public void test() throws Exception {
+        performAnalysis("PotentialSecurityCheckBasedOnUntrustedSource.class",
+                "PotentialSecurityCheckBasedOnUntrustedSource$1.class",
+                "PotentialSecurityCheckBasedOnUntrustedSource$2.class");
+
+        assertNumOfUSCBugs(2);
+        assertUSCBug("badOpenFile", 11);
+        assertUSCBug("badOpenFileLambda", 40);
+    }
+
+    private void assertNumOfUSCBugs(int num) throws Exception {
+        final BugInstanceMatcher bugTypeMatcher = new BugInstanceMatcherBuilder()
+                .bugType("USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE").build();
+        assertThat(getBugCollection(), containsExactly(num, bugTypeMatcher));
+    }
+
+    private void assertUSCBug(String methodName, int line) throws Exception {
+        final BugInstanceMatcher bugInstanceMatcher = new BugInstanceMatcherBuilder()
+                .bugType("USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE")
+                .inClass("PotentialSecurityCheckBasedOnUntrustedSource")
+                .inMethod(methodName)
+                .atLine(line)
+                .build();
+
+        assertThat(getBugCollection(), hasItem(bugInstanceMatcher));
+    }
+}

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2019Test.java

@@ -0,0 +1,17 @@
+package edu.umd.cs.findbugs.detect;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import org.junit.Test;
+
+
+public class Issue2019Test extends AbstractIntegrationTest {
+    @Test
+    public void test() {
+        performAnalysis("ghIssues/Issue2019$ATNSimulator.class",
+                "ghIssues/Issue2019$BaseParser.class",
+                "ghIssues/Issue2019$Parser.class",
+                "ghIssues/Issue2019$ParserATNSimulator.class",
+                "ghIssues/Issue2019$Recognizer.class",
+                "ghIssues/Issue2019.class");
+    }
+}

spotbugs/build.gradle

@@ -23,7 +23,7 @@ configurations {
 }
 
 ext {
-  asmVersion = '9.2'
+  asmVersion = '9.3'
   log4jVersion = '2.17.2'
 }
 
@@ -87,7 +87,7 @@ dependencies {
   api 'org.apache.commons:commons-lang3:3.12.0'
   api 'org.apache.commons:commons-text:1.9'
   api 'org.slf4j:slf4j-api:1.8.0-beta4'
-  implementation 'net.sf.saxon:Saxon-HE:11.2'
+  implementation 'net.sf.saxon:Saxon-HE:11.3'
   logBinding ("org.apache.logging.log4j:log4j-slf4j18-impl:$log4jVersion") {
     exclude group: 'org.slf4j'
   }

spotbugs/etc/findbugs.xml

@@ -659,6 +659,12 @@
                     reports="MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR,MC_OVERRIDABLE_METHOD_CALL_IN_CLONE"/>
           <Detector class="edu.umd.cs.findbugs.detect.FindInstanceLockOnSharedStaticData" speed="fast"
                     reports="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA"/>
+          <Detector class="edu.umd.cs.findbugs.detect.ThrowingExceptions" speed="fast"
+                    reports="THROWS_METHOD_THROWS_RUNTIMEEXCEPTION,THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION,THROWS_METHOD_THROWS_CLAUSE_THROWABLE" />
+          <Detector class="edu.umd.cs.findbugs.detect.PermissionsSuper"
+                    reports="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS"/>
+          <Detector class="edu.umd.cs.findbugs.detect.FindPotentialSecurityCheckBasedOnUntrustedSource" speed="fast"
+                    reports="USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE"/>
             <!-- Bug Categories -->
            <BugCategory category="NOISE" hidden="true"/>
 
@@ -1269,4 +1275,10 @@
           <BugPattern abbrev="MC" type="MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR" category="MALICIOUS_CODE" />
           <BugPattern abbrev="MC" type="MC_OVERRIDABLE_METHOD_CALL_IN_CLONE" category="MALICIOUS_CODE" />
           <BugPattern abbrev="SSD" type="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA" category="CORRECTNESS" />
+          <BugPattern abbrev="THROWS" type="THROWS_METHOD_THROWS_RUNTIMEEXCEPTION" category="BAD_PRACTICE" />
+          <BugPattern abbrev="THROWS" type="THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION" category="BAD_PRACTICE" />
+          <BugPattern abbrev="THROWS" type="THROWS_METHOD_THROWS_CLAUSE_THROWABLE" category="BAD_PRACTICE" />
+          <BugPattern abbrev="PERM" type="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS" category="MALICIOUS_CODE" />
+          <BugPattern abbrev="USC" type="USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE"
+                    category="MALICIOUS_CODE"/>
 </FindbugsPlugin>