SONARJAVA-4555 Update rules metadata (#4423)

Author: alban-auzeill

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2154.html

@@ -1,17 +1,49 @@
 <h2>Why is this an issue?</h2>
-<p>If wrapped primitive values (e.g. <code>Integers</code> and <code>Floats</code>) are used in a ternary operator (e.g. <code>a?b:c</code>), both
-values will be unboxed and coerced to a common type, potentially leading to unexpected results. To avoid this, add an explicit cast to a compatible
-type.</p>
-<h3>Noncompliant code example</h3>
-<pre>
+<p>Using boxed values in a ternary operator does not simply return one operand or the other based on the condition. Instead, the values are unboxed
+and coerced to a common type, which can result in a loss of precision when converting one operand from <code>int</code> to <code>float</code> or from
+<code>long</code> to <code>double</code>.</p>
+<p>While this behavior is expected for arithmetic operations, it may be unexpected for the ternary operator. To avoid confusion or unexpected
+behavior, cast to a compatible type explicitly.</p>
+<h2>How to fix it</h2>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<p>Cast one of both operands to a common supertype (e.g., <code>Number</code>) to prevent auto-unboxing and, thus, type coercion.</p>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 Integer i = 123456789;
 Float f = 1.0f;
-Number n = condition ? i : f;  // Noncompliant; i is coerced to float. n = 1.23456792E8
+Number n1 = condition ? i : f;  // Noncompliant, unexpected precision loss, n1 = 1.23456792E8
 </pre>
-<h3>Compliant solution</h3>
-<pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
 Integer i = 123456789;
 Float f = 1.0f;
-Number n = condition ? (Number) i : f;  // n = 123456789
+Number n1 = condition ? (Number) i : f; // Compliant, cast to Number prevents unboxing
+Number n2 = condition ? i : (Number) f; // Compliant, cast to Number prevents unboxing
 </pre>
+<h4>Noncompliant code example</h4>
+<p>If type coercion was your intention, clarify this by casting the operand that would be coerced to the corresponding type explicitly.</p>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+Integer i = 123456789;
+Float f = 1.0f;
+Number n1 = condition ? i : f;  // Noncompliant, unexpected precision loss, n1 = 1.23456792E8
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+Integer i = 123456789;
+Float f = 1.0f;
+Number n = condition ? (float) i : f; // Compliant, intentional type coercion with precision loss
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> <a href="https://docs.oracle.com/javase/tutorial/java/nutsandbolts/op2.html">The Java Tutorials: Equality, Relational, and Conditional
+  Operators</a> </li>
+  <li> <a href="https://docs.oracle.com/javase/tutorial/java/data/autoboxing.html">The Java Tutorials: Autoboxing and Unboxing</a> </li>
+  <li> <a href="https://docs.oracle.com/javase/specs/jls/se7/html/jls-5.html">The Java® Language Specification Java SE 7 Edition: Chapter 5.
+  Conversions and Promotions</a> </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> <a href="https://www.geeksforgeeks.org/coercion-in-java/">GeeksforGeeks: Coercion in Java</a> </li>
+</ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2167.html

@@ -1,20 +1,65 @@
 <h2>Why is this an issue?</h2>
-<p>It is the sign, rather than the magnitude of the value returned from <code>compareTo</code> that matters. Returning <code>Integer.MIN_VALUE</code>
-does <em>not</em> convey a higher degree of inequality, and doing so can cause errors because the return value of <code>compareTo</code> is sometimes
-inversed, with the expectation that negative values become positive. However, inversing <code>Integer.MIN_VALUE</code> yields
-<code>Integer.MIN_VALUE</code> rather than <code>Integer.MAX_VALUE</code>.</p>
-<h3>Noncompliant code example</h3>
-<pre>
-public int compareTo(MyClass) {
+<p>The <code>Comparable.compareTo</code> method returns a negative integer, zero, or a positive integer to indicate whether the object is less than,
+equal to, or greater than the parameter. The sign of the return value or whether it is zero is what matters, not its magnitude.</p>
+<p>Returning a positive or negative constant value other than the basic ones (-1, 0, or 1) provides no additional information to the caller. Moreover,
+it could potentially confuse code readers who are trying to understand its purpose.</p>
+<h2>How to fix it</h2>
+<p>Replace any positive constant return value with 1. Replace any negative constant return value with -1.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+public int compareTo(Name name) {
   if (condition) {
-    return Integer.MIN_VALUE;  // Noncompliant
+    return Integer.MIN_VALUE; // Noncompliant
   }
+}
 </pre>
-<h3>Compliant solution</h3>
-<pre>
-public int compareTo(MyClass) {
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+public int compareTo(Name name) {
   if (condition) {
-    return -1;
+    return -1; // Compliant
   }
+}
 </pre>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+public int compareTo(Name name) {
+  if (condition) {
+    return 42; // Noncompliant
+  }
+}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+public int compareTo(Name name) {
+  if (condition) {
+    return 1; // Compliant
+  }
+}
+</pre>
+<h4>Noncompliant code example</h4>
+<p>It is compliant to return other values than -1, 0 or 1 if they are not constants.</p>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+public int compareTo(Name name) {
+  if (condition) {
+    return 42; // Noncompliant
+  }
+}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+public int compareTo(Name name) {
+  if (condition) {
+    return hashCode() - name.hashCode(); // Compliant, not a constant
+  }
+}
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> <a href="https://docs.oracle.com/javase/8/docs/api/java/lang/Comparable.html#compareTo-T-">Java SE 8 API Specification:
+  Comparable.compareTo</a> </li>
+  <li> <a href="https://docs.oracle.com/javase/8/docs/api/java/lang/Integer.html#MIN_VALUE">Java SE 8 API Specification: Integer.MIN_VALUE</a> </li>
+</ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2229.html

@@ -1,7 +1,11 @@
 <h2>Why is this an issue?</h2>
-<p>When using Spring proxies, calling a method in the same class (e.g. <code>this.aMethod()</code>) with an incompatible <code>@Transactional</code>
-requirement will result in runtime exceptions because Spring only "sees" the caller and makes no provisions for properly invoking the callee.</p>
-<p>Therefore, certain calls should never be made within the same class:</p>
+<p>Transactional methods have a propagation type parameter in the @Transaction annotation that specifies the requirements about the transactional
+context in which the method can be called and how it creates, appends, or suspends an ongoing transaction.</p>
+<p>When an instance that contains transactional methods is injected, Spring uses proxy objects to wrap these methods with the actual transaction
+code.</p>
+<p>However, if a transactional method is called from another method in the same class, the <code>this</code> argument is used as the receiver instance
+instead of the injected proxy object, which bypasses the wrapper code. This results in specific transitions from one transactional method to another,
+which are not allowed:</p>
 <table>
   <colgroup>
     <col style="width: 50%;">
@@ -48,18 +52,73 @@ <h2>Why is this an issue?</h2>
     </tr>
   </tbody>
 </table>
-<h3>Noncompliant code example</h3>
-<pre>
-@Override
+<h2>How to fix it</h2>
+<p>Change the corresponding functions into a compatible propagation type.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
 public void doTheThing() {
   // ...
-  actuallyDoTheThing();  // Noncompliant
+  actuallyDoTheThing(); // Noncompliant, call from non-transactional to transactional
 }
 
-@Override
 @Transactional
 public void actuallyDoTheThing() {
   // ...
 }
 </pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+@Transactional
+public void doTheThing() {
+  // ...
+  actuallyDoTheThing(); // Compliant
+}
+
+@Transactional
+public void actuallyDoTheThing() {
+  // ...
+}
+</pre>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+@Transactional
+public void doTheThing() {
+  // ...
+  actuallyDoTheThing(); // Noncompliant, call from REQUIRED to REQUIRES_NEW
+}
+
+@Transactional(propagation = Propagation.REQUIRES_NEW)
+public void actuallyDoTheThing() {
+  // ...
+}
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+@Transactional
+public void doTheThing() {
+  // ...
+  actuallyDoTheThing(); // Compliant, call from REQUIRED to MANDATORY
+}
+
+@Transactional(propagation = Propagation.MANDATORY)
+public void actuallyDoTheThing() {
+  // ...
+}
+</pre>
+<h2>Resources</h2>
+<ul>
+  <li> <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/transaction/annotation/Propagation.html">Spring
+  Framework 6 API: Enum Class propagation</a> </li>
+  <li> <a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/transaction/annotation/Transactional.html">Spring
+  Framework 6 API: Annotation Interface Transactional</a> </li>
+  <li> <a href="https://docs.spring.io/spring-framework/reference/data-access/transaction/declarative/tx-propagation.html">Spring 6 Documentation:
+  Transaction Propagation</a> </li>
+</ul>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li> <a href="https://www.baeldung.com/spring-transactional-propagation-isolation">Baeldung: Transaction Propagation and Isolation in Spring
+  @Transactional</a> </li>
+  <li> <a href="https://dzone.com/articles/spring-transaction-propagation">DZone: Spring Transaction Propagation in a Nutshell</a> </li>
+</ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2232.html

@@ -1,20 +1,41 @@
 <h2>Why is this an issue?</h2>
-<p>There are several reasons to avoid <code>ResultSet.isLast()</code>. First, support for this method is optional for <code>TYPE_FORWARD_ONLY</code>
-result sets. Second, it can be expensive (the driver may need to fetch the next row to answer the question). Finally, the specification is not clear
-on what should be returned when the <code>ResultSet</code> is empty, so some drivers may return the opposite of what is expected.</p>
-<h3>Noncompliant code example</h3>
-<pre>
-stmt.executeQuery("SELECT name, address FROM PERSON");
-ResultSet rs = stmt.getResultSet();
-while (! rs.isLast()) { // Noncompliant
-  // process row
+<p>There are several reasons to avoid using this method:</p>
+<ol>
+  <li> It is optionally available only for result sets of type <code>ResultSet.TYPE_FORWARD_ONLY</code>. Database drivers will throw an exception if
+  not supported. </li>
+  <li> The method can be expensive to execute as the database driver may need to fetch ahead one row to determine whether the current row is the last
+  in the result set. The documentation of the method explicitly mentions this fact. </li>
+  <li> What "the cursor is on the last row" means for an empty <code>ResultSet</code> is unclear. Database drivers may return <code>true</code> or
+  <code>false</code> in this case . </li>
+</ol>
+<p><code>ResultSet.next()</code> is a good alternative to <code>ResultSet.isLast()</code> as it does not have the mentioned issues. It is always
+supported and, as per specification, returns <code>false</code> for empty result sets.</p>
+<h2>How to fix it</h2>
+<p>Refactor your code to use <code>ResultSet.next()</code> instead of <code>ResultSet.isLast()</code>. Be cautious of its different semantics and side
+effects on cursor positioning in the result set. Verify that your program logic is still valid under these side effects and otherwise adjust it.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+ResultSet results = stmt.executeQuery("SELECT name, address FROM PERSON");
+StringBuilder sb = new StringBuilder();
+while (results.next() &amp;&amp; !results.isLast()) { // Noncompliant
+  sb.append(results.getString("name") + ", ");
 }
+sb.append(results.getString("name"));
+String formattedNames = sb.toString();
 </pre>
-<h3>Compliant solution</h3>
-<pre>
-ResultSet rs = stmt.executeQuery("SELECT name, address FROM PERSON");
-while (rs.next()) {
-  // process row
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+ResultSet results = stmt.executeQuery("SELECT name, address FROM PERSON");
+List&lt;String&gt; names = new ArrayList&lt;&gt;();
+while (results.next()) { // Compliant, and program logic refactored
+  names.add(results.getString("name"));
 }
+String formattedNames =  names.stream().collect(Collectors.joining(", "));
 </pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> <a href="https://docs.oracle.com/javase/8/docs/api/java/sql/ResultSet.html#isLast--">Java SE 8 API Specification: ResultSet.isLast()</a> </li>
+</ul>
 

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2254.html

@@ -6,20 +6,20 @@ <h2>Why is this an issue?</h2>
 </blockquote>
 <p>The session ID it returns is either transmitted in a cookie or a URL parameter so by definition, nothing prevents the end-user from manually
 updating the value of this session ID in the HTTP request.</p>
-<p>Here is an example of a updated HTTP header:</p>
+<p>Here is an example of an updated HTTP header:</p>
 <pre>
 GET /pageSomeWhere HTTP/1.1
 Host: webSite.com
 User-Agent: Mozilla/5.0
 Cookie: JSESSIONID=Hacked_Session_Value'''"&gt;
 </pre>
-<p>Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G.
-Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated.
-Moreover, this session ID should never be logged as is but using a one-way hash to prevent hijacking of active sessions.</p>
+<p>Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (e.g.
+Tomcat or Jetty) to see if the value matches the ID of an existing session. If it does not, the user should be considered unauthenticated. Moreover,
+this session ID should never be logged as is but logged using a one-way hash to prevent hijacking of active sessions.</p>
 <h3>Noncompliant code example</h3>
 <pre>
-if(isActiveSession(request.getRequestedSessionId()) ){
-  ...
+if (isActiveSession(request.getRequestedSessionId())) {
+  // ...
 }
 </pre>
 <h2>Resources</h2>

java-checks/src/main/resources/org/sonar/l10n/java/rules/java/S2272.html

@@ -4,26 +4,30 @@ <h2>Why is this an issue?</h2>
 <code>Iterator</code>.</p>
 <h3>Noncompliant code example</h3>
 <pre>
-public class MyIterator implements Iterator&lt;String&gt;{
+public class MyIterator implements Iterator&lt;String&gt; {
   ...
-  public String next(){
-    if(!hasNext()){
+  public String next() {
+    if (!hasNext()) {
       return null;
     }
-    ...
+    // ...
   }
 }
 </pre>
 <h3>Compliant solution</h3>
 <pre>
-public class MyIterator implements Iterator&lt;String&gt;{
+public class MyIterator implements Iterator&lt;String&gt; {
   ...
-  public String next(){
-    if(!hasNext()){
+  public String next() {
+    if (!hasNext()) {
       throw new NoSuchElementException();
     }
-    ...
+    // ...
   }
 }
 </pre>
+<h2>Resources</h2>
+<ul>
+  <li> <a href="https://docs.oracle.com/javase/8/docs/api/java/util/Iterator.html#next--">JavaDoc 8 - java.util.Iterator</a> </li>
+</ul>
 

sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "JAVA"
   ],
-  "latest-update": "2023-07-21T13:20:27.121561Z",
+  "latest-update": "2023-07-24T15:48:48.266201Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": false