diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html
index 281a98b839f..25a93c7f4df 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.html
@@ -1,6 +1,3 @@
-
This rule is deprecated, and will eventually be removed.
-We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
A reference to null
should never be dereferenced/accessed. Doing so will cause a NullPointerException
to be thrown. At
best, such an exception will cause abrupt program termination. At worst, it could expose debugging information that would be useful to an attacker, or
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json
index 8af0ec16035..996c08831db 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2259.json
@@ -7,12 +7,16 @@
},
"attribute": "LOGICAL"
},
- "status": "deprecated",
+ "status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "10min"
},
- "tags": [],
+ "tags": [
+ "cwe",
+ "cert",
+ "symbolic-execution"
+ ],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-2259",
"sqKey": "S2259",
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html
index 64a067ce286..7ed81864ec5 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S2583.html
@@ -1,6 +1,3 @@
-
This rule is deprecated, and will eventually be removed.
-We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
Conditional expressions which are always true
or false
can lead to unreachable code.
This rule is deprecated, and will eventually be removed.
-We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
Gratuitous boolean expressions are conditions that do not change the evaluation of a program. This issue can indicate logical errors and affect the correctness of an application, as well as its maintainability.
The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE attacks if an attacker can control the XML file that is processed.
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant --
Protection from XXE can be done in several different ways. Choose one depending on how the affected parser object is used in your code.
-1. The first way is to completely disable DOCTYPE
declarations:
-// Applicable to: -// - DocumentBuilderFactory -// - SAXParserFactory -// - SchemaFactory -factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ++import javax.xml.XMLConstants; +import javax.xml.parsers.DocumentBuilderFactory; -// For XMLInputFactory: -factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); +public void decode() { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // Noncompliant +}-2. Disable external entity declarations completely:
--// Applicable to: -// - DocumentBuilderFactory -// - SAXParserFactory -factory.setFeature("http://xml.org/sax/features/external-general-entities", false); -factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); ++import javax.xml.stream.XMLInputFactory; -// For XMLInputFactory: -factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); +public void decode() { + XMLInputFactory factory = XMLInputFactory.newInstance(); // Noncompliant +}-3. Prohibit the use of all protocols by external entities:
--// `setAttribute` variant, applicable to: -// - DocumentBuilderFactory -// - TransformerFactory -factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); +Compliant solution
+For
+DocumentBuilderFactory
,SAXParserFactory
,TransformerFactory
, andSchemaFactory
set +XMLConstants.FEATURE_SECURE_PROCESSING
totrue
.+import javax.xml.XMLConstants; +import javax.xml.parsers.DocumentBuilderFactory; -// `setProperty` variant, applicable to: -// - XMLInputFactory -// - SchemaFactory -factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); +public void decode() { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); +} ++For
+XMLInputFactory
setSUPPORT_DTD
tofalse
.+import javax.xml.stream.XMLInputFactory; -// For SAXParserFactory, the prohibition is done on child objects: -SAXParser parser = factory.newSAXParser(); -parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); -parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); +public void decode() { + XMLInputFactory factory = XMLInputFactory.newInstance(); + factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); +}+Other combinations of settings are secure, but in general, it is recommendable to use the approaches shown here, as they are the most clear.
How does this work?
Disable external entities
The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for
@@ -88,7 +79,7 @@
Code examples
The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE attacks if an attacker can control the XML file that is processed.
Noncompliant code example
-+import org.dom4j.io.SAXReader; public void decode() {
@@ -96,7 +87,7 @@
Noncompliant code example
}Compliant solution
-+import org.dom4j.io.SAXReader; public void decode() {
@@ -131,7 +122,38 @@
+Compliant solution
public void decode() { SAXBuilder builder = new SAXBuilder(); builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); +} +How does this work?
+Disable external entities
+The most effective approach to prevent XXE vulnerabilities is to disable external entity processing entirely, unless it is explicitly required for +specific use cases. By default, XML parsers should be configured to reject the processing of external entities. This can be achieved by setting the +appropriate properties or options in your XML parser library or framework.
+If external entity processing is necessary for certain scenarios, adopt a whitelisting approach to restrict the entities that can be resolved +during XML parsing. Create a list of trusted external entities and disallow all others. This approach ensures that only known and safe entities are +processed.
+
You should rely on features provided by your XML parser to restrict the external entities.How to fix it in SAX
+Code examples
+The following code contains examples of XML parsers that have external entity processing enabled. As a result, the parsers are vulnerable to XXE +attacks if an attacker can control the XML file that is processed.
+Noncompliant code example
++import org.xml.sax.XMLReader; +import org.xml.sax.helpers.XMLReaderFactory; + +public void decode() { + XMLReader reader = XMLReaderFactory.createXMLReader(); // Noncompliant +} ++Compliant solution
+Set
+disallow-doctype-decl
totrue
.+import org.xml.sax.XMLReader; +import org.xml.sax.helpers.XMLReaderFactory; + +public void decode() { + XMLReader reader = XMLReaderFactory.createXMLReader(); + reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); }How does this work?
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html
index 70c5efefa77..4606b5c6e94 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.html
@@ -1,6 +1,3 @@
-This rule is deprecated, and will eventually be removed.
-We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
If the denominator to an integer division or remainder operation is zero, a
ArithmeticException
is thrown.This error will crash your program in most cases. To fix it, you need to ensure that the denominator value in all division operations is always non-zero, or check the value against zero before performing the division.
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json
index 3a87d8bf167..705cd54208a 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3518.json
@@ -7,12 +7,17 @@
},
"attribute": "LOGICAL"
},
- "status": "deprecated",
+ "status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5 min"
},
- "tags": [],
+ "tags": [
+ "cwe",
+ "denial-of-service",
+ "cert",
+ "symbolic-execution"
+ ],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-3518",
"sqKey": "S3518",
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html
index 1fe428a716e..65425e88561 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.html
@@ -1,6 +1,3 @@
-This rule is deprecated, and will eventually be removed.
-We are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
Why is this an issue?
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json
index 18f019bcdfb..3df00f4ec4d 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3655.json
@@ -7,12 +7,15 @@
},
"attribute": "COMPLETE"
},
- "status": "deprecated",
+ "status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "10min"
},
- "tags": [],
+ "tags": [
+ "cwe",
+ "symbolic-execution"
+ ],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-3655",
"sqKey": "S3655",
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html
index 560fec93157..ca7ea71c547 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.html
@@ -1,5 +1,3 @@
-
Optional
value can hold either a value or not. The value held in theOptional
can be accessed using theget()
method, but it will throw aWe are deprecating our legacy symbolic execution engine in favor of our more advanced commercial engine. The legacy engine will remain Open -Source for the community as a separate plugin and will receive no further updates by SonarSource.
Why is this an issue?
Stream operations are divided into intermediate and terminal operations, and are combined to form stream pipelines. After the terminal operation is performed, the stream pipeline is considered consumed, and cannot be used again. Such a reuse will yield unexpected results.
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json
index f4cd2d0cf42..9f52687f34e 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/S3959.json
@@ -7,12 +7,15 @@
},
"attribute": "LOGICAL"
},
- "status": "deprecated",
+ "status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "10min"
},
- "tags": [],
+ "tags": [
+ "java8",
+ "symbolic-execution"
+ ],
"defaultSeverity": "Major",
"ruleSpecification": "RSPEC-3959",
"sqKey": "S3959",
diff --git a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json
index aa8d52dff25..bf73889643a 100644
--- a/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json
+++ b/java-symbolic-execution/java-symbolic-execution-plugin/src/main/resources/org/sonar/l10n/java/rules/javase/Sonar_way_profile.json
@@ -4,13 +4,19 @@
"S2095",
"S2189",
"S2222",
+ "S2259",
+ "S2583",
+ "S2589",
"S2637",
"S2689",
"S2755",
"S3065",
"S3516",
+ "S3518",
+ "S3655",
"S3824",
"S3958",
+ "S3959",
"S4165",
"S4449",
"S6373",
diff --git a/java-symbolic-execution/sonarpedia.json b/java-symbolic-execution/sonarpedia.json
index 946a3fec84a..77e5b4f41f7 100644
--- a/java-symbolic-execution/sonarpedia.json
+++ b/java-symbolic-execution/sonarpedia.json
@@ -3,7 +3,7 @@
"languages": [
"JAVA"
],
- "latest-update": "2024-08-30T06:58:12.220861855Z",
+ "latest-update": "2024-09-09T13:33:21.851483206Z",
"options": {
"no-language-in-filenames": true,
"preserve-filenames": false