Add spotbugs and findsecbugs #185
Conversation
jelly/src/main/java/org/kohsuke/stapler/jelly/ResourceBundle.java
Outdated
Show resolved
Hide resolved
groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovierJellyScript.java
Outdated
Show resolved
Hide resolved
| @@ -163,7 +163,7 @@ public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOExceptio | |||
| return; | |||
| } | |||
| // remember URLs that we can serve. but don't remember error ones, as it might be unbounded | |||
| allowedResources.put(path,path); | |||
| allowedResources.putIfAbsent(path,path); | |||
There was a problem hiding this comment.
Why? We already checked !allowedResources.containsKey(path).
Cleaner would be to use ConcurrentSkipListSet and
if (allowedResources.add(path)) {
// body…
}There was a problem hiding this comment.
AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION : "This code contains a sequence of calls to a concurrent abstraction (such as a concurrent hash map). These calls will not be executed atomically."
The operations of !allowedResources.containsKey(path) and allowedResources.put(path,path) are not atomic when combined together so there is a potential multithreading issue in the middle of the sequence. The putIfAbsent is designed for that purpose.
But, a set is the correct semantic and we can change to ConcurrentSkipListSet.
jelly/src/main/java/org/kohsuke/stapler/jelly/CopyStreamTag.java
Outdated
Show resolved
Hide resolved
jelly/src/main/java/org/kohsuke/stapler/jelly/JellyClassLoaderTearOff.java
Outdated
Show resolved
Hide resolved
core/src/main/java/org/kohsuke/stapler/config/ConfigurationLoader.java
Outdated
Show resolved
Hide resolved
| @@ -163,7 +163,7 @@ public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOExceptio | |||
| return; | |||
| } | |||
| // remember URLs that we can serve. but don't remember error ones, as it might be unbounded | |||
| allowedResources.put(path,path); | |||
| allowedResources.putIfAbsent(path,path); | |||
There was a problem hiding this comment.
AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION : "This code contains a sequence of calls to a concurrent abstraction (such as a concurrent hash map). These calls will not be executed atomically."
The operations of !allowedResources.containsKey(path) and allowedResources.put(path,path) are not atomic when combined together so there is a potential multithreading issue in the middle of the sequence. The putIfAbsent is designed for that purpose.
But, a set is the correct semantic and we can change to ConcurrentSkipListSet.
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
This reverts commit f243a367065e21772c2b9eb2fe02ac0c256cb1fa.
|
Not really sure what to do about these two new findings that were introduced in the recently merged PR introducing a new cache. @jglick any ideas? |
jelly/src/main/java/org/kohsuke/stapler/framework/adjunct/AdjunctManager.java
Show resolved
Hide resolved
| if(destFile.exists() && !destFile.delete()) | ||
| throw new IOException("Unable to delete "+destFile); |
There was a problem hiding this comment.
Could also use NIO here for better error reporting.
jelly/src/main/java/org/kohsuke/stapler/framework/adjunct/AdjunctManager.java
Outdated
Show resolved
Hide resolved
Oh I see, new |
|
|
||
| import java.io.File; | ||
| import java.net.URI; | ||
| import java.net.URISyntaxException; | ||
|
|
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
|
Builds fully again with another new suppression. |
|
It seems the PR is already reviewed by two persons, so I do not plan to add another review. |
|
Hmm ... it's passing locally. Let's see what a rebuild does. |
|
Build is passing now. |
Add spotbugs and findsecbugs to Stapler as part of the long, ongoing effort to improve static code analysis. Stapler didn't even have standard spotbugs configured so this PR contains findings relating to general items and to security.
I took it to the Medium level (threshold), which seems to be about right for Stapler. This corrects or points out areas that might be of concern but isn't getting too esoteric.
I suppose there could be an argument that it isn't worthwhile to make these improvements in Stapler, because it isn't in active development. But, we sure seem to make a lot of changes to Stapler. I find that having spotbugs helps us to avoid introducing yet more issues, such as further instances of the public, non-final flag. And it brings better awareness to areas that could be an issue or where we need to tread carefully. Therefore, I believe it is better to introduce this analysis to help better support future work.