spotbugs / spotbugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
https://spotbugs.github.io/
GNU Lesser General Public License v2.1

Need to choose a cloning strategy #634

Open ThrawnCA opened 6 years ago

ThrawnCA commented 6 years ago

Currently, the project contains contradictory information about cloning.

Interfaces like StatelessDetector show a clear intent to support standard Java clone, but the SpotBugsBot logs a Blocker-level problem when clone is actually used.

Should we be converting all StatelessDetector implementations to use alternatives to clone? Or should we switch off that SonarQube rule and support clone fully?

ThrawnCA commented 6 years ago

I'm inclined to switch off the SonarQube rule, or at least greatly turn down the severity. The standard clone implementation has some gotchas, but that doesn't make it useless.

shevek commented 6 years ago

Kryo's clone is fast and reliable; you might prefer it over JDK clone.

ThrawnCA commented 6 years ago

I think we'd prefer not to add dependencies, since SpotBugs should be compatible with as many projects and systems as possible. Thanks for the suggestion, though.

KengoTODA commented 6 years ago

I don't like clone(), which is slow and outdated. I think a copy constructor is enough and intuitive. If we can add a dependency, Kryo or protocol buffers would be nice.