Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object
Date
is mutable
Using that setter, someone can modify the date instance from outside unintentionally
Consider this
class MyClass {
private Date billDate;
public void setBillDate(Date billDate) {
this.billDate = billDate;
}
}
now some one can set it
MyClass m = new MyClass();
Date dateToBeSet = new Date();
m.setBillDate(dateToBeSet); //The actual dateToBeSet is set to m
dateToBeSet.setYear(...);
//^^^^^^^^ Un-intentional modification to dateToBeSet, will also modify the m's billDate
To avoid this, you may want to Deep-copy before setting
public void setBillDate(Date billDate) {
this.billDate = new Date(billDate.getTime());
}
Malicious code vulnerability - May expose internal representation by returning reference to mutable object
As the error message states, you're returning internal state (chkBox is - most likely - part of the internal state of an object even though you're not showing its definition)
This can cause problems if you - for example - do
String[] box = obj.chkBox();
box[0] = null;
Since an array object, as all Java objects, is passed by reference, this will change the original array stored inside your object as well.
What you most likely want to do to fix this is a simple
return (String[])chkBox.clone();
which returns a copy of the array instead of the actual array.
Spotbugs + Java: may expose internal representation by storing an externally mutable object into QuestionPojo.map
may expose internal representation by storing an externally mutable object into QuestionPojo.map
What this is telling you is that the internal state of an instance of this class can be changed outside the class.
For example:
Map<String, String> map = new HashMap<>();
map.put("hello", "world");
QuestionPojo qp = new QuestionPojo(map);
// Both of these lines change the map stored inside qp.
map.clear();
qp.getMap().put("silly", "silly");
As to whether this external change of state is important depends on the semantics of your class - in general it is undesirable, however, because it makes it hard to reason about its behavior, because the map can be changed from afar (i.e. anywhere that has a reference to the QuestionPojo, or the map).
The solution to this is defensive copying: take a copy of the map in the constructor:
public QuestionPojo(Map<String, String> map) {
this.map = new HashMap<>(map);
}
and return a copy of the map in the getter:
public Map<String, String> getMap() {
return new HashMap<>(map);
}
This means that nothing outside the class has access to the map stored inside the class.
How to Fix FindBug error 'May expose internal representation by incorporating reference to mutable object' while setting Array of Objects?
You should change your member to private :
private final Hello objs[];
While declaring the member as final prevents it from being assigned after first being initialized, it doesn't prevent its individual entries from being assigned by simply writing :
Hello[] harr = {new Hello(), new Hello()};
HelloWorld hw = new HelloWorld(harr);
hw.objs[1] = new Hello(); // this would mutate the contents of your array member
Malicious code vulnerability - May expose internal representation by returning reference to mutable object - With what objects?
Sonar is not smart enough to know if an object is mutable or not. Especially if you're returning a List
, it can't tell if what you're actually returning is an ArrayList
, an ImmutableList
or an unmodifiable list. So it doesn't emit any warning to avoid flooding you with false positives.
Arrays and Date, on the other hand, are well-known standard classes that are mutable, and for which it can safely emist this warning.
Related Topics
How to Save User Settings in Java Application
Are Thread.Sleep(0) and Thread.Yield() Statements Equivalent
Case Insensitive JSON to Pojo Mapping Without Changing the Pojo
Maximum Size of a Method in Java
How to Take Screenshots Fast in Java
Printf %F with Only 2 Numbers After the Decimal Point
Efficient Way to Divide a List into Lists of N Size
In Java How to Re-Open System.In After Closing It
How to Exit a While Loop in Java
How to Pass a Value from One Jsp to Another Jsp Page
Java: Local Variable Mi Defined in an Enclosing Scope Must Be Final or Effectively Final
When Using Mokito, Differencebetween the Actual Object and the Mocked Object