[Java][Squid] StringBuffer is ignored when not specifically extracted as variable (S1149)


oliver...@mindsatwork.com.br

Oct 9, 2015, 5:22:06 PM
to SonarQube
Rule: Synchronized classes Vector, Hashtable, Stack and StringBuffer should not be used (squid:S1149)

Version: Sonar 5.1.2, Java 3.4 plugin (Yes, I know there is already the 3.6 update but I didn't find anything about this rule in the release notes)

Steps to reproduce:
Analyze the following code with the rule enabled:
final StringBuffer requestURLBuffer = request.getRequestURL();

Which complains: "Replace the synchronized class "StringBuffer" by an unsynchronized one such as "StringBuilder"."

The following does not generate a warning:
final String requestUrl = request.getRequestURL().toString();
Perhaps StringBuffer should generate a warning when instantiated?

Michal Kordas

Oct 9, 2015, 5:37:36 PM
to oliver...@mindsatwork.com.br, SonarQube

Hi,

Sorry, but it is not clear to me why you expect a warning in the second case. Can you elaborate?

Thanks,
Michal

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/95a6d78f-6e9c-46e4-8349-f286a40aae64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

oliver...@mindsatwork.com.br

Oct 9, 2015, 6:10:33 PM
to SonarQube, oliver...@mindsatwork.com.br
Hi Michal,

javax.servlet.http.HttpServletRequest request.getRequestURL() returns a StringBuffer.

First of all, I have no real control over the HttpServletRequest generating a StringBuffer, so I don't really think it should generate a warning in this case. It would only be the case if I willingly instantiated the offending class in my own code.

Either way, there is no difference between calling:
StringBuffer requestURL = request.getRequestURL(); // <-- this line has the warning
String requestUrlString = requestURL.toString();


and 
String requestUrlString = request.getRequestURL().toString();


but one generates the warning while the other doesn't.

Similarly, I expect the following also not to generate a warning, when it's also the same thing (though I haven't tested it).
final CharSequence requestURL = request.getRequestURL(); // <-- this is actually a StringBuffer instance
final String requestUrl = requestURL.toString();

oliver...@mindsatwork.com.br

Oct 13, 2015, 2:39:02 PM
to SonarQube, oliver...@mindsatwork.com.br
I tested the code, and as expected, the following also does not generate a warning.
final CharSequence requestURL = request.getRequestURL(); // <-- this is actually a StringBuffer instance
final String requestUrl = requestURL.toString();

Is this expected? Why?

Nicolas Peru

Jan 8, 2016, 11:22:32 AM
to oliver...@mindsatwork.com.br, SonarQube
Hi, 

Sorry for the late reply. You are right, this is indeed an FP and relates to this: https://jira.sonarsource.com/browse/SONARJAVA-1464

I added your example to the ticket.

Cheers, 

Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


inax.mins...@gmail.com

May 4, 2017, 9:32:51 AM
to SonarQube, oliver...@mindsatwork.com.br
Hello, I forced the same error (request.getRequestURL()) using HttpServletRequest

Replace the synchronized class "StringBuffer" by an unsynchronized one such as "StringBuilder" 

https://jira.sonarsource.com/browse/SONARJAVA-1464 is not solved

Please, what workaround can be used to pass this check?

Nicolas Peru

May 10, 2017, 9:32:59 AM
to inax.mins...@gmail.com, SonarQube, oliver...@mindsatwork.com.br
Hi, 

There is no real workaround: mark the issue as a false positive for this case. We need to solve SONARJAVA-1464 to solve that. I rescheduled it so it can happen in the near future.

Cheers, 

--
Nicolas Peru | SonarSource