semgrep / semgrep-rules

Semgrep rules registry
https://semgrep.dev/registry

False Positives in java.lang.correctness.eqeq.eqeq #1364

Closed Noah0120 closed 3 years ago

Noah0120 commented 3 years ago

Describe the bug

The rule java.lang.correctness.eqeq.eqeq produces false positives when one of the operands is null or another primitive value.

Firstly, in my opinion, the purpose of this rule may be to detect cases that always return true because they compare the same value.

However, this rule detects the comparison between a certain variable and a primitive value even if that variable may not be a primitive value. I think it would be better to fix this.

To Reproduce

In accumulo/core/src/main/java/org/apache/accumulo/core/clientImpl/lexicoder/ByteUtils.java

```java
int escapeCount = 0;
for (byte value : in) {
  if (value == 0x00 || value == 0x01) {
    escapeCount++;
  }
}

if (escapeCount == 0) // detected
  return in;
```

In camel/components/camel-web3j/src/main/java/org/apache/camel/component/web3j/Web3jHelper.java

```java
DefaultBlockParameter defaultBlockParameter = null;
if (block != null) {
  for (DefaultBlockParameterName defaultBlockParameterName : DefaultBlockParameterName.values()) {
    if (block.equalsIgnoreCase(defaultBlockParameterName.getValue())) {
      defaultBlockParameter = defaultBlockParameterName;
    }
  }

  if (defaultBlockParameter == null) { // detected
    defaultBlockParameter = DefaultBlockParameter.valueOf(new BigInteger(block));
  }
}
```

Expected behavior

Don't show any alarm when there is a possible assignment to the variable.

Priority

I think these are false positives; please check these cases. Thank you :)
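To make the reporter's description of the rule's intent concrete (flag a comparison only when both operands are the same expression, never a variable compared against a literal or null), here is an added, self-contained illustration that is not part of the issue and not Semgrep's own implementation. It is written in Python against Python's `ast` module rather than Java, and the sample source it scans is a constructed translation of the two reported shapes plus three genuine self-comparisons; the assumption is that the rule's purpose is exactly the `$X == $X` self-comparison pattern the reporter describes.

```python
import ast

# Constructed sample (not code from the issue): the two reported shapes,
# translated to Python, followed by three genuine self-comparisons.
SAMPLE = '''
escape_count = 0
for value in data:
    if value == 0x00 or value == 0x01:
        escape_count += 1
if escape_count == 0:          # variable vs literal: must NOT be reported
    result = data

param = None
if block is not None:
    if param == None:          # variable vs None: must NOT be reported
        param = parse(block)

if total == total:             # same name on both sides: always true, report
    pass
if obj.size() == obj.size():   # same call on both sides: report
    pass
if a[i] != a[i]:               # same expression with !=, always false: report
    pass
'''


def self_comparisons(source: str):
    """Return (line, operator, operand) for every == / != comparison whose two
    operands are structurally identical, i.e. the always-true / always-false
    pattern a self-comparison rule is meant to catch. A variable compared
    against a literal or None has different operand ASTs and is never reported.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        # Chained comparisons (a == b == c) become consecutive operand pairs.
        operands = [node.left, *node.comparators]
        for op, lhs, rhs in zip(node.ops, operands, operands[1:]):
            if not isinstance(op, (ast.Eq, ast.NotEq)):
                continue
            # ast.dump without positions gives a structural fingerprint, so
            # two syntactically identical expressions compare equal.
            if ast.dump(lhs) == ast.dump(rhs):
                symbol = "==" if isinstance(op, ast.Eq) else "!="
                hits.append((node.lineno, symbol, ast.unparse(lhs)))
    return hits


if __name__ == "__main__":
    for line, symbol, operand in self_comparisons(SAMPLE):
        print(f"line {line}: '{operand} {symbol} {operand}' is a self-comparison")
```

Running it reports only lines 14, 16 and 18 of the sample; `escape_count == 0` and `param == None` are left alone because their left and right subtrees differ, which is the behaviour the reporter expected from the Java rule. Note that structural equality is deliberately conservative: `obj.size() == obj.size()` is reported even though a side-effecting call could in principle return different values, which is a precision trade-off a real rule would document.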

ievans commented 3 years ago

Tagging @IagoAbal

IagoAbal commented 3 years ago

What version of Semgrep are you using @Noah0120 ? There was such a bug in an older version (returntocorp/semgrep#3155), but this now works as expected: https://semgrep.dev/s/owbx.

Noah0120 commented 3 years ago

Thanks for your quick response.

I used version 0.53.0 and it had been fixed already!

Thank you for checking this!

IagoAbal commented 3 years ago

Thank you for reporting the issue!