SONARJAVA-6492: Implement S8912 - CredentialsProvider implementations should be annotated with @Unremovable#5707
SONARJAVA-6492: Implement S8912 - CredentialsProvider implementations should be annotated with @Unremovable#5707romainbrenguier wants to merge 8 commits into
Conversation
f1d1c88 to
5aefe2c
Compare
- Added diff_S8912.json and updated autoscan-diff-by-rules.json with the new rule S8912 (FN=8) and corrected FN counts for S1128 (30→31), S1168 (24→25), and S6813 (66→67) - Fixed Sonar_way_profile.json by sorting rule keys numerically (by integer value) instead of lexicographically, as required by MetadataTest.ensure_sane_Sonar_way_profile - Sorted ruleKeys in Sonar_way_profile.json by numeric value instead of lexicographic order to fix MetadataTest.ensure_sane_Sonar_way_profile
Code Review ✅ Approved 2 resolved / 2 findingsImplements rule S8912 to enforce the use of ✅ 2 resolved✅ Quality: S8912.html is raw AsciiDoc wrapped in a single
|
| Auto-apply | Compact |
|
|
Was this helpful? React with 👍 / 👎 | Gitar
| "jakarta.enterprise.context.ApplicationScoped", | ||
| "jakarta.enterprise.context.RequestScoped", | ||
| "jakarta.enterprise.context.SessionScoped", | ||
| "jakarta.enterprise.context.Dependent", | ||
| "jakarta.inject.Singleton" |
There was a problem hiding this comment.
Maybe we should also add the javax equivalent here?
There was a problem hiding this comment.
Since version 3.0, Quarkus is based on Jakarta EE 10 and I think it is mandatory to use the jakarta.* packages, so I don't know if it is necessary to add the javax variant
There was a problem hiding this comment.
You're correct that Quarkus 3.0+ is based on Jakarta EE 10 and requires jakarta.* packages. However, I included the javax variants following the pattern used in other rules in this codebase (e.g., JEEThreadCheck at java-checks/src/main/java/org/sonar/java/checks/JEEThreadCheck.java:48-52, which supports both javax and jakarta variants for EJB annotations).
The rationale is that SonarJava analyzes existing codebases, some of which may still be using Quarkus 2.x with javax packages. Supporting both variants ensures the rule works across different Quarkus versions, which is helpful for users in the process of migrating from Quarkus 2 to 3.
That said, if the team's policy is to only support current framework versions (Quarkus 3.x+), I can remove the javax variants. What's your preference?
There was a problem hiding this comment.
Good point. While Quarkus 3.0+ requires Jakarta EE 10, following the codebase convention seen in other rules (e.g., AtLeastOneConstructorCheck, ServletInstanceFieldCheck, Spring checks), I've added the javax equivalents to support potential legacy code or older Quarkus versions:
"javax.enterprise.context.ApplicationScoped",
"javax.enterprise.context.RequestScoped",
"javax.enterprise.context.SessionScoped",
"javax.enterprise.context.Dependent",
"javax.inject.Singleton"There was a problem hiding this comment.
Sorry about the verbose replies, that comes from the vibe-bot 😅
NoemieBenard
left a comment
There was a problem hiding this comment.
Just a few comments
| } | ||
|
|
||
| reportIssue( | ||
| classTree.simpleName(), |
There was a problem hiding this comment.
Not sure it matters here, but this can be null
| "quickfix": "unknown", | ||
| "code": { | ||
| "impacts": { | ||
| "SECURITY": "MEDIUM", |
There was a problem hiding this comment.
I thought we were not supposed to do security rules, did you ask code security about this rule? We could just keep the "reliability" impact, as it is probably the most important for this rule.
There was a problem hiding this comment.
It's clearly a rule more about reliability than security, I'll remove the "SECURITY" entry from the rspec.
There was a problem hiding this comment.
I did the update on the rspec side. It will be taken into account by the next "update metadata" run
| "ruleSpecification": "RSPEC-8912", | ||
| "sqKey": "S8912", | ||
| "scope": "All", | ||
| "quickfix": "unknown", |
There was a problem hiding this comment.
The rule is probably a good candidate for a quickfix, we can put it as "targeted" so that it will be easier to find it if we want to implement quickfixes later
| @@ -0,0 +1,16 @@ | |||
| package checks; | |||
|
|
|||
| import io.quarkus.arc.Unremovable; | |||
There was a problem hiding this comment.
This import is unused
| import io.quarkus.arc.Unremovable; |
…ava/org/sonar/java/checks/CredentialsProviderUnremovableCheck.java Comment: Maybe we should also add the javax equivalent here?
…/org/sonar/java/checks/CredentialsProviderUnremovableCheck.java Comment: Not sure it matters here, but this can be null
…n/resources/org/sonar/l10n/java/rules/java/S8912.json Comment: The rule is probably a good candidate for a quickfix, we can put it as "targeted" so that it will be easier to find it if we want to implement quickfixes later
…default/src/main/java/checks/CredentialsProviderUnremovableCheckSampleMinimal.java Comment: This import is unused ```suggestion ```
…in diff_S1128.json and autoscan-diff-by-rules.json to match actual autoscan results after adding the S8912 test source file
|




Summary
CredentialsProviderimplementations in Quarkus should be annotated with@Unremovablewhen they have a CDI scope annotation, to prevent them from being removed by Quarkus's bean pruning mechanism.io.quarkus.credentials.CredentialsProviderthat are missing the@io.quarkus.arc.Unremovableannotation.io.quarkus.arc.Unremovableandio.quarkus.credentials.CredentialsProvider(no external library dependency added to pom.xml), following the same pattern as S8911.Rspec PR: https://github.com/SonarSource/rspec/pull/7153
Test plan
@Unremovableon CDI-scopedCredentialsProviderimplementations@Unremovable, or without CDI scope) are not flaggedwithoutSemantic()test verifies no issues raised without semantic analysisJavaAgenticWayProfileTestpasses🤖 Generated with Claude Code