From f037ec2e77d41cc4ab89389c9bb26e52f0588a5b Mon Sep 17 00:00:00 2001
From: denis-troller
Date: Sun, 9 Nov 2025 20:23:55 +0000
Subject: [PATCH 1/3] Create rule S8324
---
 rules/S8324/groovy/metadata.json | 25 ++++++++++++++++++
 rules/S8324/groovy/rule.adoc | 44 ++++++++++++++++++++++++++++++++
 rules/S8324/metadata.json | 2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 rules/S8324/groovy/metadata.json
 create mode 100644 rules/S8324/groovy/rule.adoc
 create mode 100644 rules/S8324/metadata.json
diff --git a/rules/S8324/groovy/metadata.json b/rules/S8324/groovy/metadata.json
new file mode 100644
index 00000000000..d8db493daa9
--- /dev/null
+++ b/rules/S8324/groovy/metadata.json
@@ -0,0 +1,25 @@
+{
+ "title": "FIXME",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-8324",
+ "sqKey": "S8324",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
+ "SECURITY": "LOW"
+ },
+ "attribute": "CONVENTIONAL"
+ }
+}
diff --git a/rules/S8324/groovy/rule.adoc b/rules/S8324/groovy/rule.adoc
new file mode 100644
index 00000000000..16a0f60963c
--- /dev/null
+++ b/rules/S8324/groovy/rule.adoc
@@ -0,0 +1,44 @@
+FIXME: add a description
+
+// If you want to factorize the description uncomment the following line and create the file.
+//include::../description.adoc[]
+
+== Why is this an issue?
+
+FIXME: remove the unused optional headers (that are commented out)
+
+//=== What is the potential impact?
+
+== How to fix it
+//== How to fix it in FRAMEWORK NAME
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,groovy,diff-id=1,diff-type=noncompliant]
+----
+FIXME
+----
+
+==== Compliant solution
+
+[source,groovy,diff-id=1,diff-type=compliant]
+----
+FIXME
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+
+//== Resources
+//=== Documentation
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
diff --git a/rules/S8324/metadata.json b/rules/S8324/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S8324/metadata.json
@@ -0,0 +1,2 @@
+{
+}
From bb07bbc5d6c2990b893a30b11e581cde361c57df Mon Sep 17 00:00:00 2001
From: denis-troller
Date: Sun, 9 Nov 2025 21:56:12 +0100
Subject: [PATCH 2/3] Update rules/S8324/groovy/rule.adoc in PR #5910
---
 rules/S8324/groovy/rule.adoc | 50 ++++++++++++++++++++++--------------
 1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/rules/S8324/groovy/rule.adoc b/rules/S8324/groovy/rule.adoc
index 16a0f60963c..5b4e88a7b04 100644
--- a/rules/S8324/groovy/rule.adoc
+++ b/rules/S8324/groovy/rule.adoc
@@ -1,16 +1,24 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+This rule raises an issue when file paths are hardcoded as string literals in the source code.
 == Why is this an issue?
-FIXME: remove the unused optional headers (that are commented out)
+Hardcoding file paths directly in source code creates several significant problems that affect code quality and application reliability.
+
+The most immediate issue is *portability*. Different operating systems use different path conventions - Windows uses backslashes (`\`) and drive letters (`C:`), while Unix-like systems (Linux, macOS) use forward slashes (`/`) and have no drive letters. A path like `"E:\\data\\file.csv"` will only work on Windows systems and will fail on Linux or macOS.
+
+Hardcoded paths also create *maintainability problems*. When file locations need to change - which happens frequently during deployment to different environments (development, testing, production) - developers must modify and recompile the source code. This violates the principle of separating configuration from code.
+
+From a *security perspective*, hardcoded paths can expose sensitive information about the system's directory structure. They may also make applications vulnerable to path traversal attacks if the paths are constructed unsafely.
+
+Finally, hardcoded paths make *testing difficult*. Unit tests cannot easily redirect file operations to temporary directories, making tests dependent on specific file system states.
+
+=== What is the potential impact?
-//=== What is the potential impact?
+Applications with hardcoded file paths will fail when deployed to different operating systems or environments. This leads to deployment failures, runtime exceptions, and increased maintenance overhead. The code becomes tightly coupled to specific system configurations, making it difficult to test and deploy reliably.
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
+
+Use system properties to make file paths configurable. This allows the path to be specified at runtime without changing the code.
 === Code examples
@@ -18,27 +26,31 @@ FIXME: remove the unused optional headers (that are commented out)
 [source,groovy,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+FileWriter fw = new FileWriter("E:\\RAF02Nov\\skp.csv") // Noncompliant
 ----
 ==== Compliant solution
 [source,groovy,diff-id=1,diff-type=compliant]
 ----
-FIXME
+String filePath = System.getProperty("output.file.path", "./output.csv")
+FileWriter fw = new FileWriter(filePath)
 ----
-//=== How does this work?
+== Resources
+
+=== Documentation
+
+ * Groovy File I/O Documentation - https://groovy-lang.org/working-with-io.html[Official Groovy documentation on file handling and I/O operations]
+
+ * Java System Properties - https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html[Oracle documentation on using system properties for configuration]
+
+ * Cross-platform Path Handling - https://docs.oracle.com/javase/8/docs/api/java/nio/file/Paths.html[Java NIO documentation for platform-independent path handling]
-//=== Pitfalls
+=== Standards
-//=== Going the extra mile
+ * CWE-426: Untrusted Search Path - https://cwe.mitre.org/data/definitions/426.html[Weakness related to using untrusted search paths that can be exploited]
+=== Related rules
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+ * RSPEC-1075 - https://rules.sonarsource.com/java/RSPEC-1075/[URIs should not be hardcoded - related rule for Java]
From 36f3c9ee0a3837ba75fe65f810c992c94f5cc938 Mon Sep 17 00:00:00 2001
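Review bot: The *security perspective* paragraph in the "Why is this an issue?" section mixes up two different situations: a path that is a string literal cannot be influenced by an attacker, so it does not by itself expose the application to path traversal; that risk appears when a path is assembled from externally controlled input, which is closer to what the proposed fix (reading the path from a system property) introduces than to what it removes. The information-disclosure point (the literal reveals the deployment's directory layout) is the only security claim the literal actually supports and is worth keeping. Suggest replacing the second sentence with something like `Moving the path into configuration does not remove the need to validate it: a path read from a property or environment variable should still be normalised and checked against the expected base directory before it is opened.` This hunk starts on the previous line of the patch and its wording applies there as well.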
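Review bot: The compliant solution still contains a hardcoded path literal, `"./output.csv"`, as the default argument of `System.getProperty`, so by the rule's own statement ("file paths are hardcoded as string literals") the fixed code would be reported too. Either the description should say which literals are in scope (for example absolute paths and drive-letter paths such as the `E:\\...` one in the noncompliant example) or the example should avoid a literal default, e.g. `String filePath = System.getProperty("output.file.path")` followed by an explicit failure when the property is unset. The relative default also makes the output location depend on the process working directory, which the portability section does not mention. Under "Standards", CWE-426 (Untrusted Search Path) describes untrusted lookup paths for executables and libraries, not hardcoded file paths, so it does not support this rule and would be better removed than left as its only standards reference.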
From: denis-troller
Date: Sun, 9 Nov 2025 21:56:16 +0100
Subject: [PATCH 3/3] Update rules/S8324/groovy/metadata.json in PR #5910
---
 rules/S8324/groovy/metadata.json | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/rules/S8324/groovy/metadata.json b/rules/S8324/groovy/metadata.json
index d8db493daa9..494f4e9adaf 100644
--- a/rules/S8324/groovy/metadata.json
+++ b/rules/S8324/groovy/metadata.json
@@ -1,25 +1,28 @@
 {
- "title": "FIXME",
+ "title": "File paths should not be hardcoded",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
- "func": "Constant\/Issue",
- "constantCost": "5min"
+ "func": "Constant/Issue",
+ "constantCost": "10 min"
 },
 "tags": [
+ "configuration",
+ "portability"
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-8324",
 "sqKey": "S8324",
- "scope": "All",
- "defaultQualityProfiles": ["Sonar way"],
+ "scope": "Main",
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH",
- "RELIABILITY": "MEDIUM",
- "SECURITY": "LOW"
+ "RELIABILITY": "BLOCKER",
+ "MAINTAINABILITY": "BLOCKER"
 },
 "attribute": "CONVENTIONAL"
 }
-}
+}
\ No newline at end of file
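Review bot: `"defaultSeverity": "Blocker"` together with `BLOCKER` on both the RELIABILITY and MAINTAINABILITY impacts is hard to reconcile with a CODE_SMELL whose description argues portability and configuration hygiene; the replaced Major/HIGH/MEDIUM values read as more proportionate, and a Blocker default will make the rule very noisy in the "Sonar way" profile it is enabled in. The SECURITY impact was dropped from `impacts` even though the rule description updated in the same PR keeps a dedicated security paragraph, so either `"SECURITY": "LOW"` should stay or that paragraph should go, so that metadata and text agree. `"constantCost": "10 min"` also changes the template's `5min` format; if the other rule specifications use the no-space form, this should match. Finally, the file now ends without a trailing newline.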