Fix NPE when interface has spring mvc annotations #478
Conversation
This PR fixes find-sec-bugs#477. Spring Cloud OpenFeign clients use Spring MVC annotations, but these clients are not controllers. Signed-off-by: Kwangyong Kim <banana.yong@gmail.com>
Those OpenFeign interfaces could be used to implement a web controller at the same time.
If it can reduce an important quantity of noise, I am ok with it.
- SpringMvcEndpointDetector.java is not critical.
- However, SpringEntityLeakDetector is very important.**
** Even though the code flagged is contained in a client project, it would actually identify something wrong on the back-end.
Have you seen false positives with the second detector (SpringEntityLeakDetector)?
I have not yet. But you're right. Client and server can share the very same interface for consistency. What about SpringEntityLeakDetector checking only annotated classes? (It's not a perfect solution, because Spring supports meta-annotations, but I think it is a best effort.) Thank you!
@bananayong I would simply remove this exception from the detector SpringEntityLeakDetector. There is something fishy if the client is reusing database classes as DTOs.
You mean that annotated methods should be reported whether it is for a Feign client or not, right? Actually, my purpose was to resolve the NPE. If the NPE is resolved then I can exclude it. I will modify my PR.
- Remove Feign client related code.
- Use org.apache.bcel.generic.Type directly to prevent the NPE.
Signed-off-by: Kwangyong Kim <banana.yong@gmail.com>
@h3xstream Any plans on getting this merged and released? :)
I will integrate this change as I see it adds a test case for the empty method (from an interface). Note: I will push in a moment a PR that makes changes to this detector to support generics and includes some other refactoring to better support mass assignment detection.
The detector was refactored in #496.
This PR fixes #477.
Use the Type instance directly, to prevent the NPE.
classContext.getMethodGen(m)
can return null when an interface is scanned.
Spring Cloud OpenFeign clients use Spring MVC annotations, but these clients are not controllers.
These classes should be skipped for Spring detectors.
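The NPE described in this PR comes from the fact that SpotBugs' ClassContext.getMethodGen(Method) builds a MethodGen from the method's Code attribute, so it returns null for any method without bytecode: interface methods, abstract methods and natives. The following is an added illustration, not code from this PR or from the find-sec-bugs detectors; it contrasts the unsafe pattern (dereferencing getMethodGen) with the descriptor-based approach the PR adopts (org.apache.bcel.generic.Type). It assumes BCEL and SpotBugs on the classpath; the SampleClient interface is a constructed stand-in for an OpenFeign client and carries no Spring annotations, since only the absence of a method body matters here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.bcel.Repository;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.Type;

import edu.umd.cs.findbugs.ba.ClassContext;

/**
 * Added example: why scanning an interface with a Spring detector can NPE, and how
 * reading parameter types from the method descriptor avoids it.
 */
public class InterfaceMethodTypes {

    /** Constructed sample: methods with signatures but no Code attribute (an interface). */
    public interface SampleClient {
        Object find(String id, long version);
        void save(Object entity);
    }

    /**
     * The pre-fix pattern. ClassContext.getMethodGen(m) returns null when m has no
     * Code attribute (interface/abstract/native method), so this dereference throws
     * NullPointerException as soon as an interface such as a Feign client is scanned.
     */
    static Type[] argumentTypesUnsafe(ClassContext classContext, Method m) {
        return classContext.getMethodGen(m).getArgumentTypes(); // NPE for body-less methods
    }

    /**
     * The post-fix pattern. The descriptor (e.g. "(Ljava/lang/String;J)Ljava/lang/Object;")
     * is present for every method regardless of whether it has bytecode, so BCEL's
     * Type.getArgumentTypes needs no MethodGen and never hits the null case.
     */
    static Type[] argumentTypesSafe(Method m) {
        return Type.getArgumentTypes(m.getSignature());
    }

    /** Descriptor-derived view of every method in a class, flagging body-less ones. */
    static List<String> describe(JavaClass jc) {
        List<String> out = new ArrayList<>();
        for (Method m : jc.getMethods()) {
            Type[] args = argumentTypesSafe(m);
            Type ret = Type.getReturnType(m.getSignature());
            String note = m.isAbstract() ? " (no Code attribute; getMethodGen would be null)" : "";
            out.add(m.getName() + Arrays.toString(args) + " -> " + ret + note);
        }
        return out;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Load the constructed interface from the classpath the same way SpotBugs' BCEL layer would.
        JavaClass jc = Repository.lookupClass(SampleClient.class);
        for (String line : describe(jc)) {
            System.out.println(line);
        }
    }
}
```

Running main lists both interface methods with their parameter and return types taken purely from the descriptor, each marked as having no Code attribute; that is exactly the input on which argumentTypesUnsafe would throw. A detector that still needs a MethodGen (for instruction-level analysis) should null-check the result and skip the method, but for annotation and parameter-type checks the descriptor is sufficient and avoids the branch entirely.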