phase a/fixups spotbugs#43
Merged
Merged
Conversation
aksOps
commented
Apr 17, 2026
aksOps
commented
Contributor
- chore(baseline): scaffold baseline dirs and gitignore
- chore(baseline): add seed-repo fetch script with pinned commits
- chore(baseline): add Maven verify + JaCoCo capture script
- chore(baseline): add flaky-test scan (N repeated runs)
- chore(baseline): add SpotBugs baseline capture
- chore(baseline): add dependency-tree + license snapshot capture
- chore(baseline): add frontend audit (npm audit + Vite + Playwright)
- chore(baseline): add index/enrich/serve-smoke pipeline capture
- chore(baseline): run pipeline on realworld-express
- chore(baseline): add OWASP dependency-check baseline capture (NVD sync needs retry)
- chore(baseline): add consolidator and publish first BASELINE.md
- build(spotbugs): add exclude filter for generated parsers and known noise rules
- fix(spotbugs): address 4 priority-1 findings in core code
- fix(spotbugs): concurrency and correctness priority-2 findings
- build(spotbugs): narrow-suppress 2 parser-base RCN + 1 BX finding, record triage result
- fix(cache): extend nested-try-finally lock release to remaining AnalysisCache methods
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 32 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (13)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…oise rules Reduces SpotBugs findings 1,492 -> 51 (96.6%) by excluding: - ANTLR-generated parser/lexer/listener/visitor classes (regenerated from .g4) - NM_METHOD_NAMING_CONVENTION (noise from generated code and ANTLR hooks) - SF_SWITCH_NO_DEFAULT (stylistic; SF_SWITCH_FALLTHROUGH still enforced) - EI_EXPOSE_REP / EI_EXPOSE_REP2 (internal DTOs, no trust boundary crossed) - MS_PKGPROTECT / MS_FINAL_PKGPROTECT (no same-package attacker model) Each exclusion carries a rationale comment in spotbugs-exclude.xml.
- Analyzer.getGitHead: decode `git rev-parse HEAD` bytes as UTF-8 instead of platform default (DM_DEFAULT_ENCODING). - IndexCommand.call: narrow the cache-delete catch from blanket `Exception ignored` to `IOException` with a debug log line so silent data-loss is traceable (DE_MIGHT_IGNORE). - PluginsCommand.categoryDescription: remove dead `Set<String> frameworks` local that was assigned and never read (DLS_DEAD_LOCAL_STORE). - AntlrParserFactory.parse: replace identity-compare (`==`) of cache key with `.equals()`; cache behavior is unchanged because the parse tree is a deterministic function of content, so equal content yields an equivalent tree (ES_COMPARING_PARAMETER_STRING_WITH_EQ). Verified `mvn compile` clean on phase-a/fixups-spotbugs.
- AnalysisCache.removeFile: guarantee rwLock.writeLock().unlock() on all exception paths by wrapping the finally's conn.setAutoCommit(true) in its own try-finally. Previously, a non-SQLException thrown by setAutoCommit (RuntimeException/Error) would escape the finally block before unlock ran, leaking the write lock. (UL_UNRELEASED_LOCK_EXCEPTION_PATH) Note: the same setAutoCommit-in-finally-then-unlock pattern appears in two other methods in this class; SpotBugs only flagged removeFile, but they likely share the same risk. Out of scope for this PR; file a follow-up. - CodeIqApplication.main: collapse three identical else-if branches (isIndex / isEnrich / default) into one else with a combined rationale comment. (DB_DUPLICATE_BRANCHES) - BundleCommand: remove unused private 4-arg writeEntry(zos, name, content, lineEnding) that delegated to the 3-arg overload and silently discarded lineEnding. (UPM_UNCALLED_PRIVATE_METHOD) - PluginsCommand.SuggestSubcommand: iterate languageCounts.entrySet() instead of keySet() + get(). (WMI_WRONG_MAP_ITERATOR) - GitLabCiDetector.detect: iterate data.entrySet() instead of keySet() + get(). (WMI_WRONG_MAP_ITERATOR) - CSharpPreprocessorParserBase: replace reference-compare (== / !=) on expression values with Objects.equals(). The compared values are String literals 'true'/'false' produced by sibling methods, so logical equality is the intended semantic; using == only worked coincidentally via string interning. (ES_COMPARING_STRINGS_WITH_EQ x2) - VersionCommand.resolveVersion: narrow the outer catch from Exception to IOException since that is the only checked exception props.load can throw. Updated comment to document that the branch is an intentional fallthrough to the manifest-based lookup. (REC_CATCH_EXCEPTION) Verified mvn compile clean.
…cord triage result Added narrow exclude rules (class + pattern pair, not global) for: - RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in CSharpParserBase and GoParserBase — hand-written ANTLR parser support classes carried over from antlr/grammars-v4. Defensive null checks are harmless; touching them risks divergence if we re-sync upstream. - BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase — same origin, micro-perf, not correctness. Updated BASELINE.md to mark the SpotBugs gap as RESOLVED with final counts (1,492 -> 38; priority-1: 8 -> 0) and a pointer to the post-triage summary JSON.
…sisCache methods Follow-up to 798bccf. That commit fixed UL_UNRELEASED_LOCK_EXCEPTION_PATH in AnalysisCache.removeFile and flagged the same lock-leak pattern in two other methods that SpotBugs did not surface (likely because they differ subtly in what's inside the outer try body). Both methods — storeResults (the INSERT nodes/edges path) and the replace-with-enriched-data path — had: } finally { try { conn.setAutoCommit(true); } catch (SQLException ignored) {} rwLock.writeLock().unlock(); } If conn.setAutoCommit(true) throws anything other than SQLException (RuntimeException or Error), execution exits the finally before rwLock.writeLock().unlock() runs, leaving the write lock held and freezing all subsequent cache writers. Wrap setAutoCommit in a nested try-finally so unlock is always reached: } finally { try { try { conn.setAutoCommit(true); } catch (SQLException ignored) {} } finally { rwLock.writeLock().unlock(); } } All three lock-holding paths (removeFile, storeResults, replace-with- enriched) now share the same exception-safe pattern. mvn test -Dtest= AnalysisCacheTest passes.
aksOps
force-pushed
the
phase-a/fixups-spotbugs
branch
from
5f2fb6e to
942ca98
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.