Possible false positive - Bad practice - Store of non serializable object into HttpSession


Possible false positive - Bad practice - Store of non serializable object into HttpSession

mattadamson

Team

We had an interesting occurrence of this violation:

Bad practice - Store of non serializable object into HttpSession

This code seems to be storing a non-serializable object into an HttpSession. If this session is passivated or migrated, an error will result.

findbugs:J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION Reliability > Architecture

From this code:

    IEnterpriseSession enterpriseSession = null;
    // logon() returns the Crystal session object; its declared type here is the interface
    enterpriseSession = sm.logon(userid, password, host,
            BusinessObjectsEnterpriseConstants.BO_ENTERPRISE_AUTHENTICATION_METHOD);
    // the value stored in the HttpSession is typed as IEnterpriseSession
    session.setAttribute(enterpriseSessionKind, enterpriseSession);

However this is using a third party library from Crystal for reporting. Here the JavaDoc on IEnterpriseSession indicates it is serializable, so I'm unclear why the violation is flagged.

Do you know how FindBugs determines this? Could it be a false positive? Are there any plans to develop this rule in the SQUID engine?

Thanks

Matt



Re: Possible false positive - Bad practice - Store of non serializable object into HttpSession

Nicolas Peru
Hi,

First, let's answer your last question: yes, and in fact it has already been developed: http://jira.codehaus.org/browse/SONARJAVA-899 (version 3.0 is about to be released with this rule).

For your other questions: I guess that FindBugs is not able to figure out that the interface used here is serializable (because the implementation is, and not the interface) and thus raises an issue. We would be very interested in any feedback you can give us about our implementation of this rule in version 3.0 of the Sonar Java Plugin.

Cheers,

Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


2015-03-02 22:45 GMT+01:00 Adamson, Matthew <[hidden email]>:
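The situation Nicolas describes, as an added example that is not code from the thread, from Crystal or from SonarSource: a checker that reasons about the declared type sees only the interface, which does not extend Serializable, even though the concrete class does. IEnterpriseSession and EnterpriseSessionImpl are hypothetical stand-ins for the Crystal types, and the Servlet API is assumed to be on the classpath. The runtime serialization check is the defender's complement to the static rule: it catches an implementation whose fields are not actually serializable before the session is passivated.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import javax.servlet.http.HttpSession;

public class SessionAttributeCheck {

    // Hypothetical stand-in for the Crystal interface: it does NOT extend Serializable.
    interface IEnterpriseSession {
        String userName();
    }

    // Hypothetical stand-in for the vendor implementation: this one IS Serializable.
    static final class EnterpriseSessionImpl implements IEnterpriseSession, Serializable {
        private static final long serialVersionUID = 1L;
        private final String userName;
        EnterpriseSessionImpl(String userName) { this.userName = userName; }
        public String userName() { return userName; }
    }

    // Runtime check: actually serialize the object before it goes into the session,
    // so a non-serializable field (e.g. an open connection) fails here, not during
    // passivation or migration of the session.
    static void assertSerializable(Object value) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value); // throws NotSerializableException on failure
        }
    }

    // The pattern from the post: the declared type is the interface, so a checker
    // that looks only at that type cannot see that the value is serializable.
    static void storeViaInterface(HttpSession session, IEnterpriseSession es) {
        session.setAttribute("enterpriseSession", es);
    }

    // Alternative: the declared type is itself Serializable (intersection bound), and
    // the runtime check guards against an implementation that only claims to be.
    static <T extends IEnterpriseSession & Serializable> void storeChecked(HttpSession session, T es)
            throws IOException {
        assertSerializable(es);
        session.setAttribute("enterpriseSession", es);
    }
}
```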