Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 49 rules found

spring

Impact

Clean code attribute

Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract
Code Smell
Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
Code Smell
@EventListener methods should have one parameter at most
Bug
"@Scheduled" annotation should only be applied to no-arg methods
Bug
@InitBinder methods should have void return type
Code Smell
"@Cache*" annotations should only be applied on concrete classes
Code Smell
@Cacheable and @CachePut should not be combined
Code Smell
Injecting data into static fields is not supported by Spring
Code Smell
Use appropriate @DirtiesContext modes
Code Smell
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Qualifier" should not be used on "@Bean" methods
Bug
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
"@Value" annotation should inject property or SpEL expression
Code Smell
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
A new session should be created during user authentication
Vulnerability
Allowing user enumeration is security-sensitive
Security Hotspot
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
Spring beans should be considered by "@ComponentScan"
Code Smell
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Composed "@RequestMapping" variants should be preferred
Code Smell
Spring components should use constructor injection
Code Smell
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
"@RequestMapping" methods should not be "private"
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Members of Spring components should be injected
Code Smell
Constructor injection should be used instead of field injection
Bug
Factory method injection should be used in "@Configuration" classes
Code Smell
Methods with Spring proxying annotations should be public
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot

"@RequestMapping" methods should not be "private"

intentionality - clear

maintainability

Code Smell

spring

Why is this an issue?

More Info

A method with a @RequestMapping annotation part of a class annotated with @Controller (directly or indirectly through a meta annotation - @RestController from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is private, because Spring invokes such methods via reflection, without checking visibility.

So marking a sensitive method private may seem like a good way to control how such code is called. Unfortunately, not all Spring frameworks ignore visibility in this way. For instance, if you’ve tried to control web access to your sensitive, private, @RequestMapping method by marking it @Secured … it will still be called, whether or not the user is authorized to access it. That’s because AOP proxies are not applied to private methods.

In addition to @RequestMapping, this rule also considers the annotations introduced in Spring Framework 4.3: @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PatchMapping.

Noncompliant code example

@RequestMapping("/greet", method = GET)
private String greet(String greetee) {  // Noncompliant

Compliant solution

@RequestMapping("/greet", method = GET)
public String greet(String greetee) {

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted