Issue #387 Add deprecated jsp rule key #391
Conversation
|
Hello @KengoTODA, Pull request #386 is also ready for review when someone has time |
|
@pethers could you please review this PR? |
|
Not sure why https://github.com/spotbugs/sonar-findbugs/runs/3948483294?check_suite_focus=true is failing but will review the code changes. |
|
Thanks @pethers @KengoTODA, is there a suggested workflow before merging PRs? Like getting two reviews, waiting a bit for potential comments, etc? I looked at some old outstanding PR and if I hypothetically wanted to merge them I do not seem to have the rigths: |
Between version 3.3 and 3.4 of the plugin rules XSS_JSP_PRINT and XSS_REQUEST_PARAMETER_TO_JSP_WRITER have been moved from the Java findsecbugs repository to the JSP findsecbugs-jsp repository.
When a rule key is modified the plugin should apparently declare it's "deprecated key(s)" to let SonarQube know, see: https://javadocs.sonarsource.org/7.1/apidocs/org/sonar/api/server/rule/RulesDefinition.Rule.html#deprecatedRuleKeys--
The database was left in an apparently inconsistent state for SQ installations where the plugin had been upgraded from <= 3.3 to >= 3.4
Then when the API used to load profiles was changed in #369 (to make the plugin compatible with SQ 9) the server crashed on startup with error:
BadRequestException: java rule findsecbugs:XSS_JSP_PRINT cannot be activated on jsp profile FindBugs Security JSPThis PR adds the "deprecated keys" (i.e. the old rules ID) for these two rules and prevent the plugin from trying to activate a removed rule into a profile.