find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
https://find-sec-bugs.github.io/
GNU Lesser General Public License v3.0

SpringEntityLeakDetector crashes with Map #705

Open nchandrashekar79 opened 1 year ago

nchandrashekar79 commented 1 year ago

Environment

Component Version
Java 1.8
SpotBugs 4.5.3.0+
FindSecBugs 1.12

Problem

SpringEntityLeakDetector does not seem to support the case when an argument is a Map:
     java.lang.IllegalArgumentException: Invalid class name java/lang/String;Ljava/util/List<Lcom/test/entity/HelloBean
       at edu.umd.cs.findbugs.classfile.ClassDescriptor.<init>(ClassDescriptor.java:59)
       at edu.umd.cs.findbugs.classfile.DescriptorFactory.getClassDescriptor(DescriptorFactory.java:128)
       at edu.umd.cs.findbugs.AnalysisCacheToRepositoryAdapter.loadClass(AnalysisCacheToRepositoryAdapter.java:90)
       at org.apache.bcel.Repository.lookupClass(Repository.java:65)
       at com.h3xstream.findsecbugs.spring.SignatureParserWithGeneric.typeToJavaClass(SignatureParserWithGeneric.java:75)
       at com.h3xstream.findsecbugs.spring.SignatureParserWithGeneric.getReturnClasses(SignatureParserWithGeneric.java:60)
       at com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.analyzeMethod(SpringEntityLeakDetector.java:112)
       at com.h3xstream.findsecbugs.spring.SpringEntityLeakDetector.visitClassContext(SpringEntityLeakDetector.java:69)

Code

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SpringEntityLeakController {

    // Handler whose return type is a nested generic (Map<String, List<HelloBean>>);
    // analysing this method is what produces the stack trace above.
    @RequestMapping("/api1")
    public HashMap<String, List<HelloBean>> getHelloBeans() {
        HashMap<String, List<HelloBean>> map = new HashMap<>();
        List<HelloBean> list = new ArrayList<>();

        list.add(new HelloBean("1", "name1"));
        list.add(new HelloBean("2", "name2"));
        map.put("data", list);
        return map;
    }

}

// Plain entity class returned to the client through the map above.
class HelloBean {
    String id;
    String name;

    public HelloBean(String id, String name) {
        super();
        this.id = id;
        this.name = name;
    }

}
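The crash above comes from reading a class name out of a generic signature whose type arguments are themselves parameterized, so the name ends mid-way through the nested `List<...>`. As an added example (not find-sec-bugs code), the following nesting-aware parser extracts every class referenced by a method's return type, including `HelloBean` inside `List` inside `HashMap`; the signature string for `getHelloBeans()` used at the bottom is reconstructed from the controller code above and is an assumption.

```python
"""Nesting-aware parser for JVM generic type signatures (JVMS 4.7.9.1); added example, not find-sec-bugs code.
Collects every class referenced by a method's return type, including classes
nested inside type arguments, which is exactly the shape the reported crash mis-splits.
"""

def parse_type(sig: str, pos: int) -> tuple[list[str], int]:
    """Parse one type signature at sig[pos]; return (class names, end index)."""
    c = sig[pos]
    if c in "BCDFIJSZV":                       # primitive (or void)
        return [], pos + 1
    if c == "[":                               # array: component type follows
        return parse_type(sig, pos + 1)
    if c == "T":                               # type variable: TName;
        return [], sig.index(";", pos) + 1
    if c != "L":
        raise ValueError(f"unexpected {c!r} at offset {pos} in {sig!r}")
    names: list[str] = []
    outer = ""
    pos += 1
    while True:                                # class type, possibly with .Inner parts
        start = pos
        while sig[pos] not in "<;.":
            pos += 1
        outer = (outer + "$" if outer else "") + sig[start:pos].replace("/", ".")
        names.append(outer)
        if sig[pos] == "<":                    # type arguments: recurse so nested
            pos += 1                           # '<' / '>' pairs stay balanced
            while sig[pos] != ">":
                if sig[pos] == "*":            # unbounded wildcard
                    pos += 1
                    continue
                if sig[pos] in "+-":           # bounded wildcard marker
                    pos += 1
                inner, pos = parse_type(sig, pos)
                names.extend(inner)
            pos += 1                           # consume '>'
        if sig[pos] == ";":
            return names, pos + 1
        pos += 1                               # '.', continue with inner class name

def return_type_classes(method_sig: str) -> list[str]:
    """Classes referenced by the return type of a method's generic signature."""
    ret = method_sig[method_sig.rindex(")") + 1:]   # skip the parameter list
    names, _ = parse_type(ret, 0)                   # any 'throws' suffix is ignored
    return names

if __name__ == "__main__":
    # Generic signature of getHelloBeans() from the report, reconstructed by assumption.
    sig = "()Ljava/util/HashMap<Ljava/lang/String;Ljava/util/List<Lcom/test/entity/HelloBean;>;>;"
    print(return_type_classes(sig))
```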
Jaff commented 9 months ago

We have a similar problem; is there a work-around?

JuditKnoll commented 1 month ago

This is a duplicate of https://github.com/find-sec-bugs/find-sec-bugs/issues/679, which got fixed by https://github.com/find-sec-bugs/find-sec-bugs/pull/680.