Incorrect pattern matching - When return object is a class with an import - Results are not correct #3748
Labels: bug (Something isn't working), lang:java, priority:medium, user:external (requested by someone outside of r2c)
Describe the bug
Tested one of the R2C rules (unrestricted-request-mapping) and found this issue:
When the return class of a method in pattern matching is not void or a Java primitive, but a class with an import, then the check is not working properly and a false positive is reported. Look at the 3rd reported line in the example below.
I suppose in this case the return class is not correctly checked/matched in the $RETURNTYPE section of the rule.
Looks like it is reproduced only in the latest v0.62.0.
To Reproduce
https://semgrep.dev/s/nkx1
Expected behavior
Rule working correctly: imported classes in the return statement are matched in the right way.
Rules with the same $RETURNTYPE should not be in the results; no FP should be reported.
Possible future improvement - use classes with imports/real class names in semgrep.dev (https://semgrep.dev/r?q=unrestricted-request-mapping) and possibly in your tests in the code.
Environment
Latest v0.62.0
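As an added reproduction sketch (not from the issue or the semgrep-rules project), a Java file with the three return-type cases the report describes; the rule shape in the header comment and the expected ok/ruleid outcomes are assumptions, written so that a regression in $RETURNTYPE matching shows up as a mismatch under `semgrep --test`:

```java
// Added reproduction sketch; not taken from the issue or the semgrep-rules project.
// Assumed rule shape: flag @RequestMapping handlers that do not pin an HTTP method,
//   pattern:     @RequestMapping(...) $RETURNTYPE $METHOD(...) {...}
//   pattern-not: @RequestMapping(method = ..., ...) $RETURNTYPE $METHOD(...) {...}
// The "// ok:" / "// ruleid:" lines use semgrep's test-annotation convention and
// state the expected result for the line that follows them.
package example;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ReproController {

    // Genuine finding: no HTTP method pinned, so every verb reaches the handler.
    // ruleid: unrestricted-request-mapping
    @RequestMapping("/any")
    public String anyMethod() {
        return "any";
    }

    // void return type: method is restricted, must not be reported.
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/ping", method = RequestMethod.GET)
    public void ping() {
    }

    // Primitive return type: method is restricted, must not be reported.
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/count", method = RequestMethod.GET)
    public int count() {
        return 1;
    }

    // Imported class as return type: the case the issue describes.
    // Same restriction as above, so it must not be reported either;
    // a finding on this handler is the false positive.
    // ok: unrestricted-request-mapping
    @RequestMapping(value = "/hello", method = RequestMethod.GET)
    public ResponseEntity<String> hello() {
        return ResponseEntity.ok("hello");
    }
}
```

Run with `semgrep --test` against a rule file of the assumed shape placed next to this source; a reported line on the `hello()` handler reproduces the false positive from the report.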