SONARJAVA-6523 Don't raise S2092 on Cookie subtype self-instantiation#5781
Merged
nils-werner-sonarsource merged 1 commit intoJul 13, 2026
Merged
Conversation
Bridge/wrapper Cookie subclasses that instantiate themselves (typically in clone()) to delegate secure-flag handling to an inner cookie were flagged as if constructing a plain insecure cookie. Skip reporting when the instantiated type exactly matches the enclosing class, since the type comparison already fails safe on unresolved types.
Contributor
Code Review ✅ ApprovedPrevents false-positive S2092 reports on Cookie subtype self-instantiation by tracking lexically enclosing types. This update preserves existing reporting behavior for unresolved types to ensure safe execution. OptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change the behavior for this request:
Was this helpful? React with 👍 / 👎 | Gitar |
|
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.




Problem
S2092(SecureCookieCheck) flags cookie construction that lacks an explicitsecureflag. It has a high false-positive rate on bridge/wrapper classes: aCookiesubtype that instantiates itself inside one of its own methods (typicallyclone()) purely to delegate cookie behavior — includingsetSecure— to an inner wrapped cookie. The rule fires on that self-instantiation as if it were a "naked"new Cookie(...), even though the secure flag is actually managed by the delegate cookie, not by this constructor call.SONARJAVA-6523
Approach
Guiding principle: favor fewer false positives — the new suppression must fail safe, i.e. if either the instantiated type or the enclosing class's type can't be resolved, don't suppress (preserve prior reporting behavior).
Deque<Symbol.TypeSymbol>, pushed/popped onTree.Kind.CLASS(mirrors the existing pattern inDebugFeatureEnabledCheckin the same package). IncheckConstructor, skip adding tocookieConstructorswhen theNewClassTree's resolved type equals the enclosing class's type.Type.equals(Type)?Type.equals(Type)— matches the existing idiom used elsewhere in this codebase (e.g.SingletonUsageCheck) for comparing two resolved types, and avoids unnecessary string materialization.isSelfInstantiationalso need to check that the enclosing class is itself a tracked Cookie subtype?checkConstructoralready gates onisCookieClass(tree.symbolType()); if the instantiated type equals the enclosing class's type, the enclosing class is necessarily that same cookie subtype too.Type.UNKNOWNis a shared singleton with default (reference)equals(), so two unrelated unresolved types would compare as "equal"!tree.symbolType().isUnknown()guard so unresolved types never trigger suppression. This directly encodes the fail-safe requirement rather than relying on the upstreamisCookieClassgate as an implicit (and less obvious) invariant.Type.equals()(exact type identity), notisSubtypeOf(), so a different Cookie subtype instantiated inside another Cookie subtype still raises.Implementation
SecureCookieCheck.java: addedTree.Kind.CLASStonodesToVisit(), aDeque<Symbol.TypeSymbol> enclosingClassfield maintained viavisitNode/leaveNode, and a newisSelfInstantiationguard incheckConstructor. No new abstractions or dependencies beyond what's needed.Tests
Extended the existing
SecureCookieCheckSampleBclass (alreadyextends Cookiewith a matching constructor) inSecureCookieCheckSample.java:clone()-style method returningnew SecureCookieCheckSampleB(...)— self-instantiation, compliant (no issue).new Cookie(...)from within the same class — different type than the enclosing class, still// Noncompliant(pins the out-of-scope carve-out).Test plan
mvn -pl java-checks test -Dtest="SecureCookieCheckTest#test,SecureCookieCheckTest#test_jakarta,SecureCookieCheckTest#test_non_compiling"— all passSecureCookieCheckTest#test_with_spring_3_2fails identically on unmodifiedmaster(pre-existing, unrelated to this change)org.sonar.java.checks.security.*Testsuite on bothmasterand this branch — identical set of 14 pre-existing unrelated failures (Android/WebView checks) on both; no new regressions introduced