SONARJAVA-5571 Change sonar-java-symbolic-execution-plugin to not embed the java-frontend dependency but use the provided one (#5164)

Author: alban-auzeill

java-symbolic-execution/java-symbolic-execution-plugin/pom.xml

@@ -49,8 +49,8 @@
             <configuration>
               <rules>
                 <requireFilesSize>
-                  <maxsize>15000000</maxsize>
-                  <minsize>10000000</minsize>
+                  <maxsize>1500000</maxsize>
+                  <minsize>900000</minsize>
                   <files>
                     <file>${project.build.directory}/${project.build.finalName}.jar</file>
                   </files>
@@ -86,12 +86,6 @@
                     <exclude>NOTICE*</exclude>
                   </excludes>
                 </filter>
-                <filter>
-                  <artifact>org.sonarsource.java:java-frontend</artifact>
-                  <includes>
-                    <include>**</include>
-                  </includes>
-                </filter>
               </filters>
             </configuration>
           </execution>
@@ -131,6 +125,7 @@
       <groupId>${project.groupId}</groupId>
       <artifactId>java-frontend</artifactId>
       <version>${project.version}</version>
+      <scope>provided</scope>
     </dependency>
     <dependency>
       <groupId>org.sonarsource.api.plugin</groupId>
@@ -160,6 +155,10 @@
       <groupId>org.sonarsource.analyzer-commons</groupId>
       <artifactId>sonar-analyzer-commons</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.sonarsource.java</groupId>
       <artifactId>test-classpath-reader</artifactId>

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/cfg/SELiveVariables.java

@@ -163,7 +163,7 @@ private static Set<Symbol> getUsedVariables(@Nullable Tree syntaxNode, Symbol.Me
     if (syntaxNode == null) {
       return Collections.emptySet();
     }
-    VariableReadExtractor extractorFromClass = new VariableReadExtractor(owner, false);
+    SEVariableReadExtractor extractorFromClass = new SEVariableReadExtractor(owner, false);
     syntaxNode.accept(extractorFromClass);
     return extractorFromClass.usedVariables();
   }

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/cfg/SEVariableReadExtractor.java

@@ -0,0 +1,87 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.cfg;
+
+import java.util.HashSet;
+import java.util.Set;
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.semantic.Symbol.MethodSymbol;
+import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
+import org.sonar.plugins.java.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.java.api.tree.ClassTree;
+import org.sonar.plugins.java.api.tree.IdentifierTree;
+import org.sonar.plugins.java.api.tree.LambdaExpressionTree;
+import org.sonar.plugins.java.api.tree.Tree.Kind;
+import org.sonar.plugins.java.api.tree.VariableTree;
+
+public class SEVariableReadExtractor extends BaseTreeVisitor {
+
+  private final MethodSymbol methodSymbol;
+  private final Set<Symbol> used;
+  private final boolean includeFields;
+
+  public SEVariableReadExtractor(MethodSymbol methodSymbol, boolean includeFields) {
+    this.methodSymbol = methodSymbol;
+    this.includeFields = includeFields;
+    used = new HashSet<>();
+  }
+
+  public Set<Symbol> usedVariables() {
+    return used;
+  }
+
+  @Override
+  public void visitAssignmentExpression(AssignmentExpressionTree tree) {
+    //skip writing to a variable or field.
+    if(!tree.variable().is(Kind.IDENTIFIER) && !tree.variable().is(Kind.MEMBER_SELECT)) {
+      scan(tree.variable());
+    }
+    scan(tree.expression());
+  }
+
+  @Override
+  public void visitVariable(VariableTree tree) {
+    // skip variable modifiers and simple name
+    scan(tree.initializer());
+  }
+
+  @Override
+  public void visitClass(ClassTree tree) {
+    // skip modifiers, parameters, simple name and superclass/interface
+    scan(tree.members());
+  }
+
+  @Override
+  public void visitLambdaExpression(LambdaExpressionTree lambdaExpressionTree) {
+    // skip variable declaration
+    scan(lambdaExpressionTree.body());
+  }
+
+  @Override
+  public void visitIdentifier(IdentifierTree tree) {
+    Symbol owner = tree.symbol().owner();
+    if(methodSymbol.equals(owner) || (includeFields && isField(tree.symbol(), methodSymbol.owner()))) {
+      used.add(tree.symbol());
+    }
+    super.visitIdentifier(tree);
+  }
+
+  private static boolean isField(Symbol identifierSymbol, Symbol methodOwnerSymbol) {
+    return methodOwnerSymbol.equals(identifierSymbol.owner()) && !"this".equals(identifierSymbol.name()) && !identifierSymbol.isMethodSymbol();
+  }
+
+}

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/matcher/SEMethodMatcherFactory.java

@@ -0,0 +1,78 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.matcher;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.sonar.plugins.java.api.semantic.MethodMatchers;
+
+public class SEMethodMatcherFactory {
+
+  private static final Pattern CLASS_PATTERN = Pattern.compile("^(\\w+[\\.\\w+]*(?:\\[\\])?)(\\()?");
+  private static final Pattern METHOD_PATTERN = Pattern.compile("^([a-zA-Z_0-9$]+(?:\\.[a-zA-Z_0-9$]+)*+(?:\\[])?)#(\\w+)(\\()?");
+  private static final Pattern ARGUMENT_PATTERN = Pattern.compile("\\G(\\w+(?:\\.\\w+)*+(?:\\[])?)([,)])");
+
+  private SEMethodMatcherFactory() {
+    // no instances, only static, factory methods
+  }
+
+  public static MethodMatchers constructorMatcher(String descriptor) {
+    Matcher matcher = CLASS_PATTERN.matcher(descriptor);
+    if (!matcher.find()) {
+      throw new IllegalArgumentException("Illegal constructor specification: " + descriptor);
+    }
+    MethodMatchers.ParametersBuilder constructorMatcher = MethodMatchers.create().ofTypes(matcher.group(1)).constructor();
+    return collectArguments(descriptor, matcher, 2, constructorMatcher);
+  }
+
+  public static MethodMatchers methodMatchers(String descriptor) {
+    Matcher matcher = METHOD_PATTERN.matcher(descriptor);
+    if (!matcher.find()) {
+      throw new IllegalArgumentException("Illegal method specification: " + descriptor);
+    }
+    MethodMatchers.ParametersBuilder methodMatcher = MethodMatchers.create().ofTypes(matcher.group(1)).names(matcher.group(2));
+    return collectArguments(descriptor, matcher, 3, methodMatcher);
+  }
+
+  public static MethodMatchers collectArguments(String descriptor, Matcher initialMatcher, int groupOffset, MethodMatchers.ParametersBuilder methodMatcher) {
+    if ("(".equals(initialMatcher.group(groupOffset))) {
+      String remainder = descriptor.substring(initialMatcher.group().length());
+      if (!")".equals(remainder)) {
+        Matcher matcher = ARGUMENT_PATTERN.matcher(remainder);
+        int matchedLength = 0;
+        List<String> argumentTypes = new ArrayList<>();
+        while (matcher.find()) {
+          argumentTypes.add(matcher.group(1));
+          matchedLength = matcher.end();
+        }
+        if (matchedLength < remainder.length()) {
+          throw new IllegalArgumentException("Illegal method or constructor arguments specification: " + descriptor);
+        }
+        return methodMatcher.addParametersMatcher(argumentTypes.toArray(new String[0])).build();
+      } else {
+        return methodMatcher.addWithoutParametersMatcher().build();
+      }
+    } else {
+      if (initialMatcher.end() < descriptor.length()) {
+        throw new IllegalArgumentException("Illegal method or constructor arguments specification: " + descriptor);
+      }
+      return methodMatcher.withAnyParameters().build();
+    }
+  }
+}

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/matcher/package-info.java

@@ -0,0 +1,22 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+@ParametersAreNonnullByDefault
+@MethodsAreNonnullByDefault
+package org.sonar.java.matcher;
+
+import javax.annotation.ParametersAreNonnullByDefault;
+import org.sonar.plugins.java.api.tree.MethodsAreNonnullByDefault;

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/se/ExplodedGraphWalker.java

@@ -33,7 +33,6 @@
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
 import org.sonar.java.Preconditions;
-import org.sonar.java.annotations.VisibleForTesting;
 import org.sonar.java.cfg.SELiveVariables;
 import org.sonar.java.model.CFGUtils;
 import org.sonar.java.model.SEExpressionUtils;
@@ -108,7 +107,7 @@ public class ExplodedGraphWalker {
   private static final int MAX_STARTING_STATES = 1_024;
   private static final Set<String> THIS_SUPER = SetUtils.immutableSetOf("this", "super");
 
-  @VisibleForTesting
+  // VisibleForTesting
   static final int MAX_EXEC_PROGRAM_POINT = 2;
 
   private static final MethodMatchers SYSTEM_EXIT_MATCHER = MethodMatchers.create().ofTypes("java.lang.System").names("exit").addParametersMatcher("int").build();
@@ -133,19 +132,19 @@ public class ExplodedGraphWalker {
 
   private ExplodedGraph explodedGraph;
 
-  @VisibleForTesting
+  // VisibleForTesting
   Deque<ExplodedGraph.Node> workList;
   ExplodedGraph.Node node;
   ProgramPoint programPosition;
   ProgramState programState;
   private SELiveVariables liveVariables;
-  @VisibleForTesting
+  // VisibleForTesting
   CheckerDispatcher checkerDispatcher;
   private Block exitBlock;
 
   private final Sema semanticModel;
   private final BehaviorCache behaviorCache;
-  @VisibleForTesting
+  // VisibleForTesting
   int steps;
 
   ConstraintManager constraintManager;
@@ -181,7 +180,7 @@ public MaximumStartingStatesException(String s) {
     }
   }
 
-  @VisibleForTesting
+  // VisibleForTesting
   public ExplodedGraphWalker(BehaviorCache behaviorCache, JavaFileScannerContext context) {
     List<SECheck> checks = Arrays.asList(new NullDereferenceCheck(), new DivisionByZeroCheck(),
       new UnclosedResourcesCheck(), new LocksNotUnlockedCheck(), new NonNullSetToNullCheck(), new NoWayOutLoopCheck());
@@ -191,13 +190,13 @@ public ExplodedGraphWalker(BehaviorCache behaviorCache, JavaFileScannerContext c
     this.semanticModel = (Sema) context.getSemanticModel();
   }
 
-  @VisibleForTesting
+  // VisibleForTesting
   ExplodedGraphWalker(BehaviorCache behaviorCache, JavaFileScannerContext context, boolean cleanup) {
     this(behaviorCache, context);
     this.cleanup = cleanup;
   }
 
-  @VisibleForTesting
+  // VisibleForTesting
   protected ExplodedGraphWalker(List<SECheck> seChecks, BehaviorCache behaviorCache, JavaFileScannerContext context) {
     this.alwaysTrueOrFalseExpressionCollector = new AlwaysTrueOrFalseExpressionCollector();
     this.checkerDispatcher = new CheckerDispatcher(this, seChecks, context);
@@ -1293,7 +1292,7 @@ private void checkExplodedGraphTooBig(ProgramState programState) {
     }
   }
 
-  @VisibleForTesting
+  // VisibleForTesting
   protected int maxSteps() {
     return MAX_STEPS;
   }
@@ -1309,7 +1308,7 @@ AlwaysTrueOrFalseExpressionCollector alwaysTrueOrFalseExpressionCollector() {
    */
   public static class ExplodedGraphWalkerFactory {
 
-    @VisibleForTesting
+    // VisibleForTesting
     final List<SECheck> seChecks = new ArrayList<>();
 
     public ExplodedGraphWalkerFactory(List<SECheck> activeSEChecks) {

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/se/ProgramState.java

@@ -28,7 +28,6 @@
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
 import org.sonar.java.Preconditions;
-import org.sonar.java.annotations.VisibleForTesting;
 import org.sonar.java.se.checks.CustomUnclosedResourcesCheck;
 import org.sonar.java.se.checks.LocksNotUnlockedCheck;
 import org.sonar.java.se.checks.StreamConsumedCheck;
@@ -347,7 +346,7 @@ public ProgramState removeConstraintsOnDomain(SymbolicValue sv, Class<? extends
    * To be used only by the ExplodedGraphWalker only, when manipulating program states.
    * Only made 'public' because of some method yield tests.
    */
-  @VisibleForTesting
+  // VisibleForTesting
   public ProgramState put(Symbol symbol, SymbolicValue value) {
     if (symbol.isUnknown() || isVolatileField(symbol)) {
       return this;

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/se/SymbolicExecutionVisitor.java

@@ -21,7 +21,6 @@
 import java.util.List;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.sonar.java.annotations.VisibleForTesting;
 import org.sonar.java.se.checks.SECheck;
 import org.sonar.java.se.xproc.BehaviorCache;
 import org.sonar.java.se.xproc.MethodBehavior;
@@ -36,7 +35,7 @@ public class SymbolicExecutionVisitor extends BaseTreeVisitor implements JavaFil
   private static final Logger LOG = LoggerFactory.getLogger(SymbolicExecutionVisitor.class);
   protected JavaFileScannerContext context;
 
-  @VisibleForTesting
+  // VisibleForTesting
   public final BehaviorCache behaviorCache;
   private final ExplodedGraphWalker.ExplodedGraphWalkerFactory egwFactory;
 
@@ -86,7 +85,7 @@ public void execute(MethodTree methodTree) {
     }
   }
 
-  @VisibleForTesting
+  // VisibleForTesting
   protected ExplodedGraphWalker getWalker() {
     return egwFactory.createWalker(behaviorCache, context);
   }

java-symbolic-execution/java-symbolic-execution-plugin/src/main/java/org/sonar/java/se/checks/CustomUnclosedResourcesCheck.java

@@ -21,7 +21,7 @@
 import javax.annotation.Nullable;
 import org.sonar.check.Rule;
 import org.sonar.check.RuleProperty;
-import org.sonar.java.matcher.MethodMatcherFactory;
+import org.sonar.java.matcher.SEMethodMatcherFactory;
 import org.sonar.java.se.CheckerContext;
 import org.sonar.java.se.ExplodedGraph;
 import org.sonar.java.se.Flow;
@@ -139,7 +139,7 @@ private static String name(Tree tree) {
 
   private static MethodMatchers createMethodMatchers(String rule) {
     if (rule.length() > 0) {
-      return MethodMatcherFactory.methodMatchers(rule);
+      return SEMethodMatcherFactory.methodMatchers(rule);
     } else {
       return MethodMatchers.none();
     }
@@ -248,7 +248,7 @@ private MethodMatchers constructorClasses() {
       if (classConstructor == null) {
         classConstructor = MethodMatchers.none();
         if (constructor.length() > 0) {
-          classConstructor = MethodMatcherFactory.constructorMatcher(constructor);
+          classConstructor = SEMethodMatcherFactory.constructorMatcher(constructor);
         }
       }
       return classConstructor;