Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 40 rules found

spring

Impact

Clean code attribute

"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
A new session should be created during user authentication
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Disabling CSRF protections is security-sensitive
Security Hotspot
Factory method injection should be used in "@Configuration" classes
Code Smell
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
"@Qualifier" should not be used on "@Bean" methods
Bug
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
Methods with Spring proxying annotations should be public
Bug
Allowing user enumeration is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Value" annotation should inject property or SpEL expression
Code Smell
"@RequestMapping" methods should not be "private"
Code Smell
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
Composed "@RequestMapping" variants should be preferred
Code Smell
Spring beans should be considered by "@ComponentScan"
Code Smell
Members of Spring components should be injected
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Constructor injection should be used instead of field injection
Bug
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
Spring components should use constructor injection
Code Smell

Spring beans should be considered by "@ComponentScan"

intentionality - logical

maintainability

Code Smell

CriticalSonarSource default severity
click to learn more

spring
pitfall

Why is this an issue?

Spring beans belonging to packages that are not included in a @ComponentScan configuration will not be accessible in the Spring Application Context. Therefore, it’s likely to be a configuration mistake that will be detected by this rule.

Note: the @ComponentScan is implicit in the @SpringBootApplication annotation, case in which Spring Boot will auto scan for components in the package containing the Spring Boot main class and its sub-packages.

Noncompliant code example

package com.mycompany.app;

@Configuration
@ComponentScan("com.mycompany.app.beans")
public class Application {
...
}

package com.mycompany.app.web;

@Controller
public class MyController { // Noncompliant; MyController belong to "com.mycompany.app.web" while the ComponentScan is looking for beans in "com.mycompany.app.beans" package
...
}

Compliant solution

package com.mycompany.app;

@Configuration
@ComponentScan({"com.mycompany.app.beans","com.mycompany.app.web"})
or
@ComponentScan("com.mycompany.app")
or
@ComponentScan
public class Application {
...
}

package com.mycompany.app.web;

@Controller
public class MyController { // "com.mycompany.app.web" is referenced by a @ComponentScan annotated class
...
}

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted