The latest articles on DEV Community by Sudaraka Jayathilaka (@sudaraka94). https://dev.to/sudaraka94 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1459611%2F3b5d6c73-fffc-49a5-bb6f-7619bd42a975.jpeg https://dev.to/sudaraka94 en Sudaraka Jayathilaka Tue, 30 Apr 2024 17:15:24 +0000 https://dev.to/sudaraka94/handling-eiexposerep-eiexposerep2-1bg9 https://dev.to/sudaraka94/handling-eiexposerep-eiexposerep2-1bg9 <p><a href="https://spotbugs.github.io/">SpotBugs</a> is a great tool for static code analysis. Recently I got two similar warnings in one of the codebases I work on <br> and I had to fix it.</p> <h2> EI_EXPOSE_REP &amp; EI_EXPOSE_REP2 Warning definitions </h2> <p>You can find the official documentation for these two warnings in the SpotBugs documentation.</p> <ul> <li>Warning <a href="https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei-expose-rep">EI_EXPOSE_REP</a> </li> <li>Warning <a href="https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei-expose-rep2">EI_EXPOSE_REP2</a> </li> </ul> <h2> EI_EXPOSE_REP </h2> <p>This warning is mainly about exposing a mutable object from a class. Let's take a class which has a <br> mutable object such as a <code>List</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyClass</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">MyClass</span><span class="o">()</span> <span class="o">{</span> <span class="n">myList</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">getMyList</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">myList</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now you can see that we are exposing the <code>myList</code> object via the <code>getMyList()</code> method. This means that anyone who has access to the<br> <code>MyClass</code> object can modify the <code>myList</code> object. This is a clear violation of the encapsulation principle in OOP. This is where the<br> <code>EI_EXPOSE_REP</code> warning comes in.</p> <h3> The Fix </h3> <p>We can mainly fix this using two approaches. </p> <ol> <li> <p>Return an unmodifiable list from the <code>getMyList()</code> method. You can change the getMyList() method as follows.<br> </p> <pre class="highlight java"><code><span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">getMyList</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">unmodifiableList</span><span class="o">(</span><span class="n">myList</span><span class="o">);</span> <span class="o">}</span> </code></pre> </li> <li> <p>Return a copy of the list from the <code>getMyList()</code> method. You can change the getMyList() method as follows.<br> </p> <pre class="highlight java"><code><span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">getMyList</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">List</span><span class="o">.</span><span class="na">copyOf</span><span class="o">(</span><span class="n">myList</span><span class="o">);</span> <span class="o">}</span> </code></pre> </li> </ol> <h2> EI_EXPOSE_REP2 </h2> <p>This warning is pretty much related to the previous warning. The only difference is that this warning is about keeping<br> a reference to a mutable object within the class. Let's take the same example we used in the previous warning.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyClass</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">MyClass</span><span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">myList</span> <span class="o">=</span> <span class="n">myList</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the above example you can see how the constructor gets a reference to a mutable List from outside the class and assigns it to the<br> <code>myList</code> field. This means that the caller can modify the <code>myList</code> object from outside of the class. This is again a clear violation of the<br> encapsulation principle and a security risk.</p> <h3> The Fix </h3> <p>The fix for this warning is slightly different from the previous warning. You can fix this by,</p> <ol> <li> <p>Creating a copy of the list when assigning it to the <code>myList</code> variable.<br> </p> <pre class="highlight java"><code><span class="kd">public</span> <span class="nf">MyClass</span><span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">myList</span> <span class="o">=</span> <span class="nc">List</span><span class="o">.</span><span class="na">copyOf</span><span class="o">(</span><span class="n">myList</span><span class="o">);</span> <span class="o">}</span> </code></pre> </li> <li> <p>Creating an unmodifiable list when assigning it to the <code>myList</code> variable.<br> </p> <pre class="highlight java"><code><span class="kd">public</span> <span class="nf">MyClass</span><span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">myList</span> <span class="o">=</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">unmodifiableList</span><span class="o">(</span><span class="n">myList</span><span class="o">);</span> <span class="o">}</span> </code></pre> </li> </ol> <h2> Conclusion </h2> <p>These warnings can be really helpful given the right context. But in some cases, it might be an overkill to fix these warnings. So<br> it's always better to analyze the context and decide whether to fix these warnings or not. In case you want to ignore these warnings<br> you can use the <code>@SuppressFBWarnings</code> annotation provided by SpotBugs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@SuppressFBWarnings</span><span class="o">(</span><span class="s">"EI_EXPOSE_REP"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MyClass</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">myList</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">MyClass</span><span class="o">()</span> <span class="o">{</span> <span class="n">myList</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">getMyList</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">myList</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> java spotbug