False positive in squid:S2441 (Non-serializable objects should not be stored in "HttpSessions")


mabb...@gmail.com

Jul 27, 2016, 10:41:38 AM
to SonarQube
Hello,

I think the Rule squid:S2441 should not raise an issue for the following example

import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class Main {

    public void test(HttpServletRequest request) {
        // test with Array
        HttpSession session = request.getSession();
        session.setAttribute("test with array", new String[] { "1", "2" }); // Make "String[]" serializable or don't store it in the session

        // test with List
        List<String> list = new ArrayList<>();
        session.setAttribute("test with list", list); // Make "List" serializable or don't store it in the session
    }

}

Both arrays and ArrayList are Serializable.

Is it possible to remove that false positive from that rule?

I am using SonarQube 5.6, Java 1.8.0_92 and javax.servlet-api-3.1.0.jar.

Regards,

Michael Gumowski

Aug 5, 2016, 1:08:35 PM
to mabb...@gmail.com, SonarQube
Hello,

Thanks for the feedback and the reproducer. Ticket created to handle the issue: https://jira.sonarsource.com/browse/SONARJAVA-1810

Regards,

Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/4a843bf2-202a-414e-9db6-0135ad5a166f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Michael Gumowski

Sep 20, 2016, 4:03:43 AM
to heta...@gmail.com, SonarQube, mabb...@gmail.com
Hello hetaohai,

S1948 is supposed to take collections into account already. Do you have any reproducer with suspicious results?
Please also check that you are using the latest version of the SonarJava analyzer (4.2).

Cheers,

On Tue, 20 Sep 2016 at 05:34 <heta...@gmail.com> wrote:
Hello Michael,

Does this issue include the fix for the similar case squid:S1948 (Fields in a "Serializable" class should either be transient or serializable)? I think they are the same case, treating a collection as not serializable.


On Saturday, 6 August 2016 at 1:08:35 UTC+8, Michael Gumowski wrote:

rake...@gmail.com

Feb 27, 2017, 5:35:57 PM
to SonarQube
The current solution does not seem to work when the session is manipulated within a function and the formal parameter uses an interface instead of the actual type, e.g. if the parameter is Map (not serializable) but the argument is of type TreeMap (serializable), the Sonar scan still results in the posted error.
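The static rule only sees the declared type, so an interface-typed parameter (Map holding a TreeMap, as in the post above) cannot be resolved at analysis time, and the original reproducer's String[] and ArrayList are Serializable by declaration but an ArrayList can still hold non-serializable elements. An added example, not from the thread or from SonarJava, of a runtime guard that checks the object actually stored in the session; it assumes a Servlet 3.1 container that registers the listener via @WebListener, and the class and method names are invented here:

```java
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

/** Runtime guard (hypothetical): inspects the stored object, not the declared type the static rule sees. */
@WebListener
public class SessionAttributeGuard implements HttpSessionAttributeListener {
    /** True if the value survives a full serialization pass, elements included. */
    static boolean isDeeplySerializable(Object value) {
        if (value == null) return true;                  // null attributes serialize fine
        if (!(value instanceof Serializable)) return false;
        OutputStream discard = new OutputStream() { @Override public void write(int b) { } };
        try (ObjectOutputStream out = new ObjectOutputStream(discard)) {
            out.writeObject(value);                      // NotSerializableException if an element is not
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    private static void check(String name, Object value) {
        if (!isDeeplySerializable(value)) {
            // Fail at setAttribute time instead of later, at session passivation or replication
            throw new IllegalArgumentException("Session attribute '" + name + "' holds non-serializable "
                + value.getClass().getName());
        }
    }

    @Override public void attributeAdded(HttpSessionBindingEvent e) { check(e.getName(), e.getValue()); }
    // On replace, getValue() is the old value; fetch the new one from the session
    @Override public void attributeReplaced(HttpSessionBindingEvent e) { check(e.getName(), e.getSession().getAttribute(e.getName())); }
    @Override public void attributeRemoved(HttpSessionBindingEvent e) { }

    public static void main(String[] args) {
        Map<String, String> asInterface = new TreeMap<>();   // declared Map, runtime TreeMap (Serializable)
        List<Object> mixed = new ArrayList<>();
        mixed.add(new Object());                             // ArrayList is Serializable, its element is not
        System.out.println("String[]: " + isDeeplySerializable(new String[] { "1", "2" }));
        System.out.println("ArrayList<String>: " + isDeeplySerializable(new ArrayList<String>()));
        System.out.println("Map/TreeMap: " + isDeeplySerializable(asInterface));
        System.out.println("ArrayList with Object element: " + isDeeplySerializable(mixed));
    }
}
```

The round-trip check costs a serialization per setAttribute, so it is suited to test and staging deployments rather than a hot production path.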

Tibor Blenessy

Mar 3, 2017, 8:15:23 AM
to rake...@gmail.com, SonarQube
Hello,

Please do not hijack old threads when asking for support; start a new thread instead. If possible, also provide self-contained minimal example code causing the issue and the version of the SonarJava analyzer you are using for your analysis.

Regards

--
Tibor BLENESSY | SonarSource
SonarJava Developer