False positive CT_CONSTRUCTOR_THROW for "Compliant Solution (Java SE 6, Public and Private Constructors)" #3417

@garydgregory

False positive CT_CONSTRUCTOR_THROW for "Compliant Solution (Java SE 6, Public and Private Constructors)"

To reproduce:

git clone https://github.com/apache/commons-imaging.git
cd commons-imaging

Apply:

diff --git a/src/conf/spotbugs-exclude-filter.xml b/src/conf/spotbugs-exclude-filter.xml
index c86373d..90ffdda 100644
--- a/src/conf/spotbugs-exclude-filter.xml
+++ b/src/conf/spotbugs-exclude-filter.xml
@@ -188,8 +188,8 @@
     <Bug pattern="SE_COMPARATOR_SHOULD_BE_SERIALIZABLE" />
   </Match>
   <!-- https://github.com/spotbugs/spotbugs/issues/2710 -->
-  <Match>
-    <Class name="~.*" />
-    <Bug pattern="CT_CONSTRUCTOR_THROW" />
-  </Match>
+<!--   <Match> -->
+<!--     <Class name="~.*" /> -->
+<!--     <Bug pattern="CT_CONSTRUCTOR_THROW" /> -->
+<!--   </Match> -->
 </FindBugsFilter>
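
Review bot: the Match block under the spotbugs/issues/2710 comment is commented out rather than deleted, which leaves four lines of dead XML in the filter and an issue-link comment that no longer describes an active rule. If the aim is to re-enable CT_CONSTRUCTOR_THROW, remove the block outright; if some suppression is still needed, replace `<Class name="~.*" />` with matches for the specific classes so the detector is not switched off project-wide. The added lines also start at column 0 instead of the two-space indentation used by the surrounding entries.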

Run:

mvn spotbugs:check -Dcommons.spotbugs.impl.version=4.9.3 -Dcommons.spotbugs.plugin.version=4.9.3.0

Which gives you:

[INFO] --- spotbugs:4.9.3.0:check (default-cli) @ commons-imaging ---
[INFO] BugInstance size is 3
[INFO] Error size is 0
[INFO] Total bugs: 3
[ERROR] Medium: Exception thrown in class org.apache.commons.imaging.formats.jpeg.segments.AbstractGenericSegment at new org.apache.commons.imaging.formats.jpeg.segments.AbstractGenericSegment(int, int, InputStream) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.commons.imaging.formats.jpeg.segments.AbstractGenericSegment, org.apache.commons.imaging.formats.jpeg.segments.AbstractGenericSegment] At AbstractGenericSegment.java:[line 38]At AbstractGenericSegment.java:[line 38] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.commons.imaging.formats.tiff.AbstractTiffRasterData at new org.apache.commons.imaging.formats.tiff.AbstractTiffRasterData(int, int, int) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.commons.imaging.formats.tiff.AbstractTiffRasterData, org.apache.commons.imaging.formats.tiff.AbstractTiffRasterData] At AbstractTiffRasterData.java:[line 52]At AbstractTiffRasterData.java:[line 52] CT_CONSTRUCTOR_THROW
[ERROR] Medium: Exception thrown in class org.apache.commons.imaging.formats.webp.chunks.AbstractWebPChunk at new org.apache.commons.imaging.formats.webp.chunks.AbstractWebPChunk(int, int, byte[]) will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks. [org.apache.commons.imaging.formats.webp.chunks.AbstractWebPChunk, org.apache.commons.imaging.formats.webp.chunks.AbstractWebPChunk] At AbstractWebPChunk.java:[line 68]At AbstractWebPChunk.java:[line 68] CT_CONSTRUCTOR_THROW
[INFO] 

This report is for AbstractWebPChunk which implements the "Compliant Solution (Java SE 6, Public and Private Constructors)" from https://wiki.sei.cmu.edu/confluence/display/java/OBJ11-J.+Be+wary+of+letting+constructors+throw+exceptions

While errors reported for AbstractGenericSegment and AbstractTiffRasterData might be valid despite these being abstract classes (are the errors valid?), it seems that the one for AbstractWebPChunk is a false positive.

Please advise...
TY!
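
The constructor shape the report refers to, as an added example that is not part of the original issue and is not code from commons-imaging or SpotBugs: validation runs while the argument of `this(...)` is evaluated, before `Object`'s constructor completes, and from Java SE 6 on such an object is not finalizable. The class names, `checkSize` and the size check are hypothetical.

```java
// Added illustration; UncheckedChunk, CheckedChunk and checkSize are hypothetical
// names, not code from commons-imaging or SpotBugs.
public class ChunkDemo {

    // Shape the detector targets: the check runs after Object() has completed,
    // so a subclass finalizer could still observe the partially built instance.
    static class UncheckedChunk {
        final byte[] data;

        UncheckedChunk(int size, byte[] data) {
            if (size != data.length) {
                throw new IllegalArgumentException("size mismatch");
            }
            this.data = data;
        }
    }

    // OBJ11-J "public and private constructors" shape: the public constructor
    // only delegates, and the exception is thrown before Object() is invoked.
    static class CheckedChunk {
        final byte[] data;

        public CheckedChunk(int size, byte[] data) {
            this(checkSize(size, data), data);
        }

        // The Void parameter exists only to receive the result of the check.
        private CheckedChunk(Void checked, byte[] data) {
            this.data = data;
        }

        private static Void checkSize(int size, byte[] data) {
            if (size != data.length) {
                throw new IllegalArgumentException("size mismatch");
            }
            return null;
        }
    }

    public static void main(String[] args) {
        byte[] payload = {1, 2, 3}; // constructed sample input
        System.out.println(new CheckedChunk(3, payload).data.length);
        try {
            new CheckedChunk(4, payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before Object(): " + e.getMessage());
        }
    }
}
```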
