SONARJAVA-5101 Fix FP on S5860 when Regex are used in lambdas (#5119)

There is an existing mechanism to track regex that escape analysis when they are passed in a constructor to another class or returned. We use the same mechanism to exclude regex used in lambdas and method references.

Author: tomasz-tylenda-sonarsource

java-checks-test-sources/default/src/main/java/checks/regex/UnusedGroupNamesCheck.java

@@ -1,7 +1,11 @@
 package checks.regex;
 
+import java.util.List;
+import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 abstract class UnusedGroupNamesCheck {
 
@@ -296,4 +300,78 @@ void useMatcher() {
   @org.hibernate.validator.constraints.URL(regexp = "(?<group>[a-z])") // Noncompliant
   String url;
 
+  static class GroupUsedViaMethodReference {
+    private static final Pattern NAME_WITH_QUOTED_VALUE =
+      Pattern.compile("^(?<name>[a-zA-Z_:][a-zA-Z0-9_:]*)=\"(?<value>.*)\"$"); // Compliant
+
+    public static Map<String, String> hiddenUsage(List<String> strings) {
+      return strings.stream()
+        .map(NAME_WITH_QUOTED_VALUE::matcher)
+        .filter(Matcher::matches)
+        .collect(Collectors.toMap(
+          nv -> nv.group("name"),
+          nv -> nv.group("value"))
+        );
+    }
+  }
+
+  // Do not consider RE escaping if the method reference is not "leaking" it
+  // (matcher replaced with flags).
+  static class GroupNotUsedViaMethodReference {
+    private static final Pattern NAME_WITH_QUOTED_VALUE =
+      Pattern.compile("^(?<name>[a-zA-Z_:][a-zA-Z0-9_:]*)=\"(?<value>.*)\"$"); // Noncompliant
+
+    public static int noUsage(List<String> strings) {
+      return Stream.generate(NAME_WITH_QUOTED_VALUE::flags)
+        .limit(1)
+        .findFirst()
+        .get();
+    }
+  }
+
+  static class GroupUsedViaLambda {
+    private static final Pattern NAME_WITH_QUOTED_VALUE =
+      Pattern.compile("^(?<name>[a-zA-Z_:][a-zA-Z0-9_:]*)=\"(?<value>.*)\"$"); // Compliant
+
+    public static Map<String, String> hiddenUsage(List<String> strings) {
+      return strings.stream()
+        .map(s -> NAME_WITH_QUOTED_VALUE.matcher(s))
+        .filter(Matcher::matches)
+        .collect(Collectors.toMap(
+          nv -> nv.group("name"),
+          nv -> nv.group("value"))
+        );
+    }
+  }
+
+  static class GroupUsedViaBlockInLambda {
+    private static final Pattern NAME_WITH_QUOTED_VALUE =
+      Pattern.compile("^(?<name>[a-zA-Z_:][a-zA-Z0-9_:]*)=\"(?<value>.*)\"$"); // Compliant
+
+    public static Map<String, String> hiddenUsage(List<String> strings) {
+      return strings.stream()
+        .map(s -> {
+          System.out.println("testing usage inside a block in a lambda");
+          return NAME_WITH_QUOTED_VALUE.matcher(s);
+        })
+        .filter(Matcher::matches)
+        .collect(Collectors.toMap(
+          nv -> nv.group("name"),
+          nv -> nv.group("value"))
+        );
+    }
+  }
+
+  // Do not consider RE escaping if the method in lambda is not "leaking" it
+  // (matcher replaced with hashCode).
+  static class GroupNotUsedViaLambda {
+    private static final Pattern NAME_WITH_QUOTED_VALUE =
+      Pattern.compile("^(?<name>[a-zA-Z_:][a-zA-Z0-9_:]*)=\"(?<value>.*)\"$"); // Noncompliant
+
+    public static Map<String, String> noUsage(List<String> strings) {
+      return strings.stream()
+        .map(s -> NAME_WITH_QUOTED_VALUE.hashCode())
+        .collect(Collectors.toMap(hc -> hc.toString(), unused -> "s"));
+    }
+  }
 }

java-checks/src/main/java/org/sonar/java/checks/regex/AbstractRegexCheckTrackingMatchers.java

@@ -35,6 +35,7 @@
 import org.sonar.plugins.java.api.tree.IdentifierTree;
 import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
 import org.sonar.plugins.java.api.tree.MethodInvocationTree;
+import org.sonar.plugins.java.api.tree.MethodReferenceTree;
 import org.sonar.plugins.java.api.tree.NewClassTree;
 import org.sonar.plugins.java.api.tree.ReturnStatementTree;
 import org.sonar.plugins.java.api.tree.Tree;
@@ -114,6 +115,7 @@ public List<Tree.Kind> nodesToVisit() {
     nodes.add(Tree.Kind.NEW_CLASS);
     nodes.add(Tree.Kind.RETURN_STATEMENT);
     nodes.add(Tree.Kind.COMPILATION_UNIT);
+    nodes.add(Tree.Kind.METHOD_REFERENCE);
     return nodes;
   }
 
@@ -137,6 +139,8 @@ public void leaveNode(Tree tree) {
       if (PATTERN_OR_MATCHER_ARGUMENT.matches((NewClassTree) tree)) {
         onConstructorFound((NewClassTree) tree);
       }
+    } else if (tree.is(Tree.Kind.METHOD_REFERENCE)) {
+      onMethodReferenceFound((MethodReferenceTree) tree);
     } else {
       super.visitNode(tree);
     }
@@ -176,6 +180,20 @@ protected void onMethodInvocationFound(MethodInvocationTree mit) {
     }
   }
 
+  /**
+   * When method reference is used on a pattern, we can no longer analyze it,
+   * and therefore must add it to the {@link #escapingRegexes}.
+   */
+  private void onMethodReferenceFound(MethodReferenceTree methodReference) {
+    Optional.of(methodReference)
+      .filter(matchers::matches)
+      .map(MethodReferenceTree::expression)
+      .filter(ExpressionTree.class::isInstance)
+      .map(ExpressionTree.class::cast)
+      .flatMap(this::getRegex)
+      .ifPresent(escapingRegexes::add);
+  }
+
   private Optional<RegexParseResult> getRegex(ExpressionTree tree) {
     if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
       MethodInvocationTree mit = (MethodInvocationTree) tree;
@@ -223,6 +241,10 @@ public void checkRegex(RegexParseResult regexForLiterals, ExpressionTree methodI
     }
   }
 
+  /**
+   * Track ownership of pattern when they are assigned to variables and
+   * add them to {@link #escapingRegexes}, when we cannot track them.
+   */
   private void handleAssignment(MethodInvocationTree mit, RegexParseResult regex) {
     Tree parent = mit.parent();
     if (parent.is(Tree.Kind.VARIABLE, Tree.Kind.ASSIGNMENT)) {
@@ -237,6 +259,8 @@ private void handleAssignment(MethodInvocationTree mit, RegexParseResult regex)
       if (!grandParent.is(Tree.Kind.METHOD_INVOCATION) || !trackedMethodMatchers().matches((MethodInvocationTree) grandParent)) {
         escapingRegexes.add(regex);
       }
+    } else if (parent.is(Tree.Kind.LAMBDA_EXPRESSION)) {
+      escapingRegexes.add(regex);
     }
   }