How to migrate FindBugs rule EI_EXPOSE_REP to Squid?


After updating SonarQube from version 4.3 to 5.6, I am trying to migrate all FindBugs rules to Squid rules, because the FindBugs rules are all marked as deprecated.

But I have a problem with FindBugs rule EI_EXPOSE_REP:

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

which I should migrate to Squid rule S2384:

Mutable objects are those whose state can be changed. For instance, an array is mutable, but a String is not. Mutable class members should never be returned to a caller or accepted and stored directly. Doing so leaves you vulnerable to unexpected changes in your class state.

Instead use an unmodifiable Collection (via Collections.unmodifiableCollection, Collections.unmodifiableList, ...) or make a copy of the mutable object, and store or return copy instead.

This rule checks that arrays, collections and Dates are not stored or returned directly.

following the SonarQube Java Plugin's coverage/deprecation table for FindBugs rules:

EI_EXPOSE_REP          -> S2384 Mutable members should not be stored or returned directly
EI_EXPOSE_REP2         -> S2384 Mutable members should not be stored or returned directly
EI_EXPOSE_STATIC_REP2  -> S2384 Mutable members should not be stored or returned directly

With the Squid rule I get a lot of issues for code using Collection types, like:

public class MyClass {

    private List<String> assetIds;

    // S2384 flags this: the field itself is returned, not a copy or an unmodifiable view
    public List<String> getAssetIds() {
        return assetIds;
    }

    // S2384 flags this too: the caller's list is stored directly
    public void setAssetIds(List<String> assetIds) {
        this.assetIds = assetIds;
    }
}

With the FindBugs rule EI_EXPOSE_REP I didn't get this issue. It only checks Date and arrays. Is this a bug in FindBugs?

Is there any way to get rid of all issues for type Collection without changing my legacy code, but still see the issues for Date and arrays?


There are 0 answers
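As an added illustration (written for this page; it is not part of the question above, and not code from SonarQube or FindBugs), the following Java class puts the pattern S2384 / EI_EXPOSE_REP flags next to the form the rule description asks for: an unmodifiable view or a copy on the way out, a defensive copy on the way in, for a List, a Date and an array. The class and field names are made up for the example; the main method shows what a caller holding the returned reference can do in each case.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

public class MutableMembersExample {

    // The pattern the rule flags: the getter hands out the field itself and the
    // setter stores the caller's object, so code outside the class can change
    // state the class believes it owns.
    static final class Exposed {
        private List<String> assetIds = new ArrayList<>();
        private Date created = new Date();
        private byte[] key = new byte[16];

        public List<String> getAssetIds() { return assetIds; }
        public void setAssetIds(List<String> assetIds) { this.assetIds = assetIds; }
        public Date getCreated() { return created; }
        public byte[] getKey() { return key; }
    }

    // The form the rule description asks for: copy on the way in, copy or wrap
    // unmodifiably on the way out. Date and arrays have no unmodifiable wrapper,
    // so they are always copied.
    static final class Defended {
        private List<String> assetIds = new ArrayList<>();
        private Date created = new Date();
        private byte[] key = new byte[16];

        public List<String> getAssetIds() {
            // Read-only view; any write through it throws UnsupportedOperationException.
            // Note it is a view, not a snapshot: later internal changes are visible to the holder.
            return Collections.unmodifiableList(assetIds);
        }
        public void setAssetIds(List<String> assetIds) {
            // Defensive copy: later changes to the caller's list are not seen here.
            this.assetIds = new ArrayList<>(assetIds);
        }
        public Date getCreated() {
            return new Date(created.getTime());
        }
        public byte[] getKey() {
            return key.clone();
        }
    }

    public static void main(String[] args) {
        List<String> ids = new ArrayList<>();
        ids.add("asset-1");

        Exposed e = new Exposed();
        e.setAssetIds(ids);
        ids.add("injected");            // the caller still holds the stored list
        e.getAssetIds().clear();        // and the getter lets anyone wipe it
        e.getKey()[0] = (byte) 0xFF;    // the array contents change in place
        e.getCreated().setTime(0L);     // so does the Date
        System.out.println("Exposed : " + e.getAssetIds()
                + ", key[0]=" + e.getKey()[0]
                + ", created=" + e.getCreated().getTime());

        List<String> ids2 = new ArrayList<>();
        ids2.add("asset-2");
        Defended d = new Defended();
        d.setAssetIds(ids2);
        ids2.add("injected-again");     // not reflected inside d
        d.getKey()[0] = (byte) 0xFF;    // only the clone changes
        d.getCreated().setTime(0L);     // only the copy changes
        try {
            d.getAssetIds().add("x");
        } catch (UnsupportedOperationException ex) {
            System.out.println("Defended: write through the getter rejected");
        }
        System.out.println("Defended: " + d.getAssetIds()
                + ", key[0]=" + d.getKey()[0]
                + ", created unchanged=" + (d.getCreated().getTime() != 0L));
    }
}
```

Two caveats a reviewer would want alongside the rule text: an unmodifiable wrapper protects the collection, not its elements, so a List of mutable objects still needs element copies if those objects matter; and the wrapper is a live view, so a caller that keeps it sees later internal changes, which is fine for a read-only accessor but not if the caller expects a snapshot (use a copy for that).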