Record of fixes for SonarLint scan findings

Disable XML external entity (XXE) processing

Offending code

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

Fix

Add the following code (any one of the options is enough to satisfy the rule; disallowing DOCTYPE is the most restrictive):

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// sonar compliant ---- start
// to be compliant, completely disable DOCTYPE declaration:
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// or completely disable external entities declarations:
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// or prohibit the use of all protocols by external entities:
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
// or disable entity expansion but keep in mind that this doesn't prevent fetching external entities
// and this solution is not correct for OpenJDK < 13 due to a bug: https://bugs.openjdk.java.net/browse/JDK-8206132
dbf.setExpandEntityReferences(false);
// sonar compliant ---- end

This accessibility update should be removed.

Offending code

field.setAccessible(true);

Fix

Replace it with the reflection utility method ReflectionUtils.makeAccessible:

ReflectionUtils.makeAccessible(field);

This accessibility bypass should be removed.

Offending code

field.set(obj, value);

Fix

Replace it with ReflectionUtils.setField:

ReflectionUtils.setField(field, obj, value);

Use a primitive boolean expression here.

Offending code

// getFlag() may return null, in which case unboxing it in the if throws a NullPointerException
if (test.getFlag()) {
xxxx
}

Fix

if (Boolean.TRUE.equals(test.getFlag())) {
xxxx
}

Merge the previous cases into this one using comma-separated label.

Offending code

case a:
case b:
yyyyyyy
break;

Fix

case a, b:
yyyyyyy
break;

Author

Etsu

Published

2023-03-06

Updated

2023-03-06
