
I would like some help understanding why I am getting both a UR-anomaly and a DR-anomaly from pmd:DataflowAnomalyAnalysis when I run SonarQube on code that constructs a Netty SslContext.

The code works perfectly fine, but I am getting both the UR and the DR on the keystorePath and truststorePath variables.

Some pointers please? Thank you

    @Value("${server.ssl.key-store}") private String keyStorePath;
    @Value("${server.ssl.key-store-password}") private String keyStorePassPhrase;
    @Value("${server.ssl.key-password}") private String keyPassPhrase;
    @Value("${server.ssl.key-store-type}") private String keyStoreType;
    @Value("${server.ssl.trust-store}") private String trustStorePath;
    @Value("${server.ssl.trust-store-password}") private String trustStorePassPhrase;
    @Value("${server.ssl.trust-store-type}") private String trustStoreType;

    public SslContext getSslContext() {
        try {
            final Path     keystorePath = Paths.get(keyStorePath);
            final KeyStore keyStore     = KeyStore.getInstance(keyStoreType);
            try (InputStream keyStoreFile = Files.newInputStream(keystorePath)) {
                keyStore.load(keyStoreFile, keyStorePassPhrase.toCharArray());
            }
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, keyPassPhrase.toCharArray());

            final Path     truststorePath = Paths.get(trustStorePath);
            final KeyStore trustStore     = KeyStore.getInstance(trustStoreType);
            try (InputStream trustStoreFile = Files.newInputStream(truststorePath)) {
                trustStore.load(trustStoreFile, trustStorePassPhrase.toCharArray());
            }
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            return SslContextBuilder.forClient().keyManager(keyManagerFactory).trustManager(trustManagerFactory).build();
        } catch (KeyStoreException | IOException | UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException e) {
            e.printStackTrace();
            return null;
        }
    }
PatPatPat
  • This rule has been deprecated by PMD. – fernal73 Sep 01 '20 at 03:21
  • Thank you for your comment @fernal73. Still, is it possible to help solve this? And would it be possible to know why SonarQube is still using this rule? – PatPatPat Sep 01 '20 at 04:25
  • No idea about SonarQube. I have never been exposed to it. As for answering your question, there have been similar queries on StackOverflow wrt the same. Maybe you'll find your answer there. – fernal73 Sep 01 '20 at 08:44
  • https://stackoverflow.com/questions/16718514/dataflow-anomaly-analysis-warnings-from-pmd?r=SearchResults – fernal73 Sep 01 '20 at 08:52
  • https://stackoverflow.com/a/40104867/3924108 – fernal73 Sep 01 '20 at 08:53
  • https://pmd.github.io/latest/pmd_rules_java_errorprone.html#dataflowanomalyanalysis – fernal73 Sep 01 '20 at 09:37

1 Answer


Based on the comments, this rule is indeed deprecated with the latest PMD 7+ version.

PatPatPat