Triage some SpotBugs violations #6049
Conversation
| @@ -327,7 +328,7 @@ public T getDynamic(String className) { | |||
| * Chooses the object that locks the loading of the extension instances. | |||
| */ | |||
| protected Object getLoadLock() { | |||
| return jenkins.lookup.setIfNull(Lock.class,new Lock()); | |||
| return Objects.requireNonNull(jenkins).lookup.setIfNull(Lock.class,new Lock()); | |||
There was a problem hiding this comment.
Chases away NP_NULL_ON_SOME_PATH.
| @@ -379,7 +380,7 @@ private void fireOnChangeListeners() { | |||
| LOGGER.log(Level.FINER, String.format("Loading ExtensionList '%s' from", extensionType.getName()), new Throwable("Only present for stacktrace information")); | |||
| } | |||
|
|
|||
| return jenkins.getPluginManager().getPluginStrategy().findComponents(extensionType, hudson); | |||
| return Objects.requireNonNull(jenkins).getPluginManager().getPluginStrategy().findComponents(extensionType, hudson); | |||
There was a problem hiding this comment.
Chases away NP_NULL_ON_SOME_PATH.
| // Tomcat breaks XSLT with JDK 5.0 and onward. Check if that's the case, and if so, | ||
| // try to correct it | ||
| try { | ||
| TransformerFactory.newInstance(); | ||
| // if this works we are all happy | ||
| } catch (TransformerFactoryConfigurationError x) { | ||
| // no it didn't. | ||
| LOGGER.log(WARNING, "XSLT not configured correctly. Hudson will try to fix this. See https://bz.apache.org/bugzilla/show_bug.cgi?id=40895 for more details",x); | ||
| System.setProperty(TransformerFactory.class.getName(),"com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"); | ||
| try { | ||
| TransformerFactory.newInstance(); | ||
| LOGGER.info("XSLT is set to the JAXP RI in JRE"); | ||
| } catch(TransformerFactoryConfigurationError y) { | ||
| LOGGER.log(SEVERE, "Failed to correct the problem."); | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Was triggering XXE_DTD_TRANSFORM_FACTORY and XXE_XSLT_TRANSFORM_FACTORY, but the TransformerFactory is immediately thrown away rather than used for anything, so this is not actually a problem. Furthermore, this entire block of code is a workaround for a bug that was fixed in Tomcat 5.5, which was EOLed in 2012, so it's safe to say we don't need it anymore.
| @@ -353,6 +353,7 @@ protected void checkRename(@NonNull String newName) throws Failure { | |||
| * Not all the Items need to support this operation, but if you decide to do so, | |||
| * you can use this method. | |||
| */ | |||
| @SuppressFBWarnings(value = "SWL_SLEEP_WITH_LOCK_HELD", justification = "no big deal") | |||
There was a problem hiding this comment.
The sleep is only done in an edge case (retrying when a file rename operation fails on Windows), so I think this is fine overall.
| @@ -108,6 +109,7 @@ public void generateResponse(StaplerRequest req, StaplerResponse rsp, Object o) | |||
| * The nearby contextual {@link ItemGroup} to resolve relative job names from. | |||
| * @since 1.553 | |||
| */ | |||
| @SuppressFBWarnings(value = "SBSC_USE_STRINGBUFFER_CONCATENATION", justification = "no big deal") | |||
There was a problem hiding this comment.
Premature optimization if I ever saw it.
| @@ -145,7 +145,7 @@ public String getHelpFile() { | |||
| @Override | |||
| public ParameterValue createValue(StaplerRequest req, JSONObject jo) { | |||
| StringParameterValue value = req.bindJSON(StringParameterValue.class, jo); | |||
| if (isTrim() && value!=null) { | |||
| if (isTrim()) { | |||
There was a problem hiding this comment.
As of #5275
means that this can no longer be null.
| @@ -355,7 +355,7 @@ public String toString() { | |||
| */ | |||
| public static final Sid ANONYMOUS = new PrincipalSid(ANONYMOUS_USERNAME); | |||
|
|
|||
| protected static final Sid[] AUTOMATIC_SIDS = new Sid[]{EVERYONE,ANONYMOUS}; | |||
| static final Sid[] AUTOMATIC_SIDS = new Sid[]{EVERYONE,ANONYMOUS}; | |||
There was a problem hiding this comment.
Triggers MS_PKGPROTECT because this is protected (as opposed to package-private) and mutable. SpotBugs has a point. Nothing else in the ecosystem is using it, so might as well restrict this for better hygiene and to keep SpotBugs happy.
| @@ -209,7 +210,7 @@ public DescriptorImpl getDescriptor() { | |||
| * Returns the file that records the last/current polling activity. | |||
| */ | |||
| public File getLogFile() { | |||
| return new File(job.getRootDir(),"scm-polling.log"); | |||
| return new File(Objects.requireNonNull(job).getRootDir(),"scm-polling.log"); | |||
There was a problem hiding this comment.
Chases away NP_NULL_ON_SOME_PATH.
| @@ -691,7 +692,7 @@ public boolean equals(Object that) { | |||
|
|
|||
| @Override | |||
| public int hashCode() { | |||
| return job.hashCode(); | |||
| return Objects.requireNonNull(job).hashCode(); | |||
There was a problem hiding this comment.
Chases away NP_NULL_ON_SOME_PATH.
| @@ -76,6 +77,7 @@ public int size() { | |||
| */ | |||
| int lowlink; | |||
|
|
|||
| @SuppressFBWarnings(value = "URF_UNREAD_FIELD", justification = "no big deal") | |||
There was a problem hiding this comment.
Technically unused, but useful when reading the code and following along in Tarjan's algorithm.
basil
added
the
squash-merge-me
| @@ -1240,6 +1240,7 @@ public void postValidate(DownloadJob job, File src) throws IOException { | |||
| * @throws IOException if there were problems downloading the resource. | |||
| * @see DownloadJob | |||
| */ | |||
| @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_SHA1", justification = "SHA-1 is only used as a fallback if SHA-256/SHA-512 are not available") | |||
There was a problem hiding this comment.
I think we might better drop SHA-1 totally.
There was a problem hiding this comment.
Possibly, though I have no idea what constraints there are regarding compatibility and testing. Better left for a future PR I think.
| @@ -52,6 +53,7 @@ public JSONSignatureValidator(String name) { | |||
| /** | |||
| * Verifies the signature in the update center data file. | |||
| */ | |||
| @SuppressFBWarnings(value = "WEAK_MESSAGE_DIGEST_SHA1", justification = "SHA-1 is only used as a fallback if SHA-512 is not available") | |||
There was a problem hiding this comment.
I think we might better drop SHA-1 totally.
| <Bug pattern="NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"/> | ||
| <Class name="jenkins.util.SystemProperties"/> |
There was a problem hiding this comment.
BTW I do not follow why entries like this were ever added to begin with. Simpler to just add @SuppressFBWarnings to the class in question with a justification?
There was a problem hiding this comment.
Try removing these entries and adding @SuppressFBWarnings annotations for untriaged violations and see how long it takes you.
There was a problem hiding this comment.
Well, I meant for the entries that have just one or two <Class>es.
There was a problem hiding this comment.
I don't suppose it matters much either way, but I find it easier to triage stuff if the list of stuff to triage is in one place. I did add ~25 @SuppressFBWarnings(value = "[…]", justification = "TODO needs triage") annotations to various files where I couldn't easily suppress the warnings from spotbugs-excludes.xml (for example, because it was for an anonymous inner class that I couldn't easily refer to), but for the most part I added untriaged stuff to spotbugs-excludes.xml to keep the list in one place. I find it convenient to have it organized by violation type and class name in one file. Makes it easy to pick off a section and tackle it one area at a time.
|
This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process. Thanks! |
basil
added
the
ready-for-merge
This PR triages the following SpotBugs violations …
DM_NUMBER_CTORDP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGEDMS_MUTABLE_COLLECTION_PKGPROTECTMS_OOI_PKGPROTECTMS_PKGPROTECTNP_NULL_ON_SOME_PATHRCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPESBSC_USE_STRINGBUFFER_CONCATENATIONSWL_SLEEP_WITH_LOCK_HELDURF_UNREAD_FIELDWA_AWAIT_NOT_IN_LOOPWA_NOT_IN_LOOP… and the following FindSecBugs violations …
GROOVY_SHELLWEAK_MESSAGE_DIGEST_SHA1XXE_DOCUMENTXXE_DTD_TRANSFORM_FACTORYXXE_XSLT_TRANSFORM_FACTORYProposed changelog entries
N/A
Proposed upgrade guidelines
N/A
Submitter checklist
Proposed changelog entriessection only if there are breaking changes or other changes which may require extra steps from users during the upgradeDesired reviewers
@mention
Maintainer checklist
Before the changes are marked as
ready-for-merge:Proposed changelog entriesare correctupgrade-guide-neededlabel is set and there is aProposed upgrade guidelinessection in the PR title. (example)lts-candidateto be considered (see query).