INRIA / spoon

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
http://spoon.gforge.inria.fr/

fix static analysis warnings by LGTM #4180

Closed monperrus closed 2 years ago

monperrus commented 2 years ago

FYI, activated static analysis by LGTM, out of curiosity

https://github.com/marketplace/lgtm

Will deactivate if annoying

monperrus commented 2 years ago

FYI, the current LGTM report: https://lgtm.com/projects/g/INRIA/spoon?mode=tree&id=java%2Fcontradictory-type-checks%2Cjava%2Fdereferenced-value-may-be-null%2Cjava%2Finconsistent-equals-and-hashcode%2Cjava%2Findex-out-of-bounds%2Cjava%2Foutput-resource-leak%2Cjava%2Funchecked-cast-in-equals%2Cjava%2Funknown-javadoc-parameter%2Cjava%2Funused-container%2Cjava%2Fuseless-type-test%2Cjava%2Fzipslip&tag=external%2Fcwe%2Fcwe-022%2Cexternal%2Fcwe%2Fcwe-193%2Cexternal%2Fcwe%2Fcwe-404%2Cexternal%2Fcwe%2Fcwe-476%2Cexternal%2Fcwe%2Fcwe-561%2Cexternal%2Fcwe%2Fcwe-581%2Cexternal%2Fcwe%2Fcwe-772

1 alert of Arbitrary file write during archive extraction ("Zip Slip")
1 alert of Array index out of bounds in SnippetCompilationHelper.java
2 alerts of Container contents are never accessed across 2 files
2 alerts of Inconsistent equals and hashCode across 2 files
17 alerts of Dereferenced variable may be null across 4 files
2 alerts of Potential output resource leak across 2 files
1 alert of Useless type test in ClassTypingContext.java

MartinWitt commented 2 years ago

I created PRs for the following problems:
1 alert of Arbitrary file write during archive extraction ("Zip Slip") #4199
1 alert of Useless type test in ClassTypingContext.java #4196
2 alerts of Potential output resource leak across 2 files #4197
2 alerts of Container contents are never accessed across 2 files #4198

PS: Could we either add hacktoberfest to the topics or create a label hacktoberfest-accepted? Either will let my PRs count for the project.

A repository/project is considered to be participating in Hacktoberfest if the 'hacktoberfest' topic is present and is accepting public contributions via pull requests. An individual pull request can also be opted-in directly by adding the 'hacktoberfest-accepted' label.

MartinWitt commented 2 years ago

I could fix the rest, but I would leave them as a free Hacktoberfest opportunity for some Java starters. If no one fixes them, I'll go back to them in November.

monperrus commented 2 years ago

Nice! Your work is much appreciated.

FYI, it is planned to add support for automatically repairing LGTM warnings in Sorald, see https://github.com/SpoonLabs/sorald/issues/607 (maybe a master's thesis topic?)

MackieRitz commented 2 years ago

Can I try this one?

MartinWitt commented 2 years ago

Sure, go ahead.

monperrus commented 2 years ago

Per https://github.com/INRIA/spoon/issues/4275#issuecomment-967286718 and https://github.com/INRIA/spoon/issues/4275#issuecomment-967437353 we are now deactivating LGTM.

slarse commented 2 years ago

So, feels like we should close this as we don't use LGTM anymore.