Bean Validation as per defined by JSR 380 can be triggered programmatically or also executed by the Bean Validation
providers. However something should tell the Bean Validation provider that a variable must be validated otherwise no validation will
happen. This can be achieved by annotating a variable with javax.validation.Valid and unfortunally it’s easy to forget to add this
annotation on complex Beans.
Not annotating a variable with @Valid means Bean Validation will not be triggered for this variable, but readers may
overlook this omission and assume the variable will be validated.
This rule will run by default on all Class'es and therefore can generate a lot of noise. This rule should be restricted to run only on
certain layers. For this reason, the "Restrict Scope of Coding Rules" feature should be used to check for missing @Valid annotations only
on some packages of the application.
Noncompliant code example
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
public class User {
@NotNull
private String name;
}
public class Group {
@NotNull
private List<User> users; // Noncompliant; User instances are not validated
}
public class MyService {
public void login(User user) { // Noncompliant; parameter "user" is not validated
}
}
Compliant solution
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
public class User {
@NotNull
private String name;
}
public class Group {
@Valid
@NotNull
private List<User> users; // Compliant; User instances are validated
@NotNull
// preferred style as of Bean Validation 2.0
private List<@Valid User> users2; // Compliant; User instances are validated
}
public class MyService {
public void login(@Valid User user) { // Compliant
}
}
