SONARJAVA-5493 Implement check for uses of ClassFile.build instead of transformClass (#5222)

Author: romainbrenguier

its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -199,7 +199,7 @@ public void javaCheckTestSources() throws Exception {
     softly.assertThat(newDiffs).containsExactlyInAnyOrderElementsOf(knownDiffs.values());
     softly.assertThat(newTotal).isEqualTo(knownTotal);
     softly.assertThat(rulesCausingFPs).hasSize(9);
-    softly.assertThat(rulesNotReporting).hasSize(15);
+    softly.assertThat(rulesNotReporting).hasSize(16);
 
     /**
      * 4. Check total number of differences (FPs + FNs)

its/autoscan/src/test/resources/autoscan/autoscan-diff-by-rules.json

@@ -2854,5 +2854,11 @@
     "hasTruePositives": false,
     "falseNegatives": 0,
     "falsePositives": 0
+  },
+  {
+    "ruleKey": "7478",
+    "hasTruePositives": false,
+    "falseNegatives": 0,
+    "falsePositives": 0
   }
 ]

its/autoscan/src/test/resources/autoscan/diffs/diff_S7478.json

@@ -0,0 +1,6 @@
+{
+  "ruleKey": "S7478",
+  "hasTruePositives": false,
+  "falseNegatives": 0,
+  "falsePositives": 0
+}

java-checks-test-sources/default/src/main/java/checks/UseTransformClassInsteadOfBuildCheckSample.java

@@ -0,0 +1,81 @@
+package checks;
+
+import java.io.IOException;
+import java.lang.classfile.ClassElement;
+import java.lang.classfile.ClassFile;
+import java.lang.classfile.ClassModel;
+import java.lang.classfile.MethodModel;
+import java.lang.classfile.constantpool.ConstantPool;
+import java.lang.classfile.constantpool.ConstantPoolBuilder;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+public class UseTransformClassInsteadOfBuildCheckSample {
+  public static void transformClassFile(Path path) throws IOException {
+    ClassFile classFile = ClassFile.of();
+    ClassModel classModel = classFile.parse(path);
+    byte[] newBytes = classFile.build( // Noncompliant {{Replace this 'build()' call with 'transformClass()'.}}
+      //              ^^^^^^^^^^^^^^^
+      classModel.thisClass().asSymbol(), classBuilder -> {
+        for (ClassElement classElement : classModel) {
+          if (!(classElement instanceof MethodModel methodModel &&
+            methodModel.methodName().stringValue().startsWith("debug"))) {
+            classBuilder.with(classElement);
+
+          }
+        }
+      });
+    Files.write(path, newBytes);
+  }
+  
+  public static void transformClassFileWithConstantPool(Path path) throws IOException {
+    ClassFile classFile = ClassFile.of();
+    ClassModel classModel = classFile.parse(path);
+    ConstantPoolBuilder constantPoolBuilder = ConstantPoolBuilder.of(classModel);
+    byte[] newBytes = classFile.build( // Noncompliant
+      //              ^^^^^^^^^^^^^^^
+      classModel.thisClass(),
+      constantPoolBuilder,
+      classBuilder -> {
+        for (ClassElement classElement : classModel) {
+          if (!(classElement instanceof MethodModel methodModel &&
+            methodModel.methodName().stringValue().startsWith("debug"))) {
+            classBuilder.with(classElement);
+
+          }
+        }
+      });
+    Files.write(path, newBytes);
+  }
+
+  public static void transformClassFileCompliant(Path path) throws IOException {
+    ClassFile classFile = ClassFile.of();
+    ClassModel classModel = classFile.parse(path);
+    byte[] newBytes = classFile.transformClass(
+      classModel, (classBuilder, classElement) -> {
+        if (!(classElement instanceof MethodModel methodModel &&
+          methodModel.methodName().stringValue().startsWith("debug"))) {
+          classBuilder.with(classElement);
+        }
+      });
+    Files.write(path, newBytes);
+  }
+
+  public static void transformClassFileFalseNegative(Path path) throws IOException {
+    var classFile = ClassFile.of();
+    var classModel = classFile.parse(path);
+    byte[] newBytes = classFile.build(
+      // False negative. We don't detect that we could use `transformClass` instead of
+      // `build` because the lambda contains several statements.
+      classModel.thisClass().asSymbol(), classBuilder -> {
+        var methodName = "debug";
+        for (ClassElement classElement : classModel) {
+          if (!(classElement instanceof MethodModel methodModel &&
+            methodModel.methodName().stringValue().startsWith(methodName))) {
+            classBuilder.with(classElement);
+          }
+        }
+      });
+    Files.write(path, newBytes);
+  }
+}

java-checks/src/main/java/org/sonar/java/checks/ClassNameInClassTransformCheck.java

@@ -20,6 +20,7 @@
 import java.util.function.Predicate;
 
 import org.sonar.check.Rule;
+import org.sonar.java.matcher.TreeMatcher;
 import org.sonar.java.checks.helpers.QuickFixHelper;
 import org.sonar.java.reporting.JavaQuickFix;
 import org.sonar.java.reporting.JavaTextEdit;
@@ -28,12 +29,16 @@
 import org.sonar.plugins.java.api.tree.Arguments;
 import org.sonar.plugins.java.api.tree.ExpressionTree;
 import org.sonar.plugins.java.api.tree.IdentifierTree;
-import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
 import org.sonar.plugins.java.api.tree.MethodInvocationTree;
 import org.sonar.plugins.java.api.tree.Tree;
 
 import javax.annotation.Nullable;
 
+import static org.sonar.java.matcher.TreeMatcher.calls;
+import static org.sonar.java.matcher.TreeMatcher.invokedOn;
+import static org.sonar.java.matcher.TreeMatcher.isIdentifier;
+import static org.sonar.java.matcher.TreeMatcher.withArgument;
+
 @Rule(key = "S7477")
 public class ClassNameInClassTransformCheck extends IssuableSubscriptionVisitor {
   private static final String CLASS_ENTRY_CLASSNAME = "java.lang.classfile.constantpool.ClassEntry";
@@ -139,13 +144,6 @@ static class CallMatcher {
       this.methodInvocationTree = methodInvocationTree;
     }
 
-    ExpressionMatcher onExpression() {
-      if (methodInvocationTree != null && methodInvocationTree.methodSelect() instanceof MemberSelectExpressionTree mset) {
-        return new ExpressionMatcher(mset.expression());
-      }
-      return new ExpressionMatcher(null);
-    }
-
     ExpressionMatcher withArgument(int argumentIndex) {
       if (methodInvocationTree != null && methodInvocationTree.arguments().size() >= argumentIndex) {
         return new ExpressionMatcher(methodInvocationTree.arguments().get(argumentIndex));
@@ -170,7 +168,7 @@ public void visitNode(Tree tree) {
       ExpressionTree classModel = mit.arguments().get(0);
       ExpressionTree classDesc = mit.arguments().get(1);
       if (classModel instanceof IdentifierTree classModelId &&
-        (isThisClassOf(classModelId).test(classDesc) || isDescriptorOf(classModelId).test(classDesc))) {
+        (isThisClassOf(classModelId).or(isDescriptorOf(classModelId)).check(classDesc))) {
 
         QuickFixHelper.newIssue(context)
           .forRule(this)
@@ -191,25 +189,26 @@ private static JavaQuickFix computeQuickFix(Arguments arguments) {
   }
 
   /** The expression may be of the form `model.thisClass().asInternalName()` or `model.thisClass().name().stringValue(). */
-  private Predicate<ExpressionTree> isInternalNameOf(IdentifierTree classModel) {
-    return expression -> check(expression).calls(internalNameMatcher).onExpression().matches(isThisClassOf(classModel))
-      || check(expression).calls(stringValueMatcher).onExpression().calls(nameMatcher).onExpression().matches(isThisClassOf(classModel));
+  private TreeMatcher<ExpressionTree> isInternalNameOf(IdentifierTree classModel) {
+    return calls(internalNameMatcher, invokedOn(isThisClassOf(classModel)))
+            .or(calls(stringValueMatcher, invokedOn(calls(nameMatcher, invokedOn(isThisClassOf(classModel))))));
   }
 
   /** 
    * The expression may be of the form:
    *   - `model.thisClass().asSymbol()` 
    *   - or `Desc.ofInternalName(internalName)` where `internalName` is the result of `model.thisClass().asInternalName()`
    *   - or `Desc.ofDescriptorString(desc.descriptorString())` where `desc` itself has the form of a descriptor. */
-  private Predicate<ExpressionTree> isDescriptorOf(IdentifierTree classModel) {
-    return descTree -> check(descTree).calls(asSymbolMatcher).onExpression().matches(isThisClassOf(classModel))
-      || check(descTree).calls(ofInternalNameMatcher).withArgument(0).matches(isInternalNameOf(classModel))
-      || check(descTree).calls(ofDescriptorMatcher).withArgument(0)
-        .calls(descriptorStringMatcher).onExpression().matches(isDescriptorOf(classModel));
+  private TreeMatcher<ExpressionTree> isDescriptorOf(IdentifierTree classModel) {
+    return TreeMatcher.recursive(self ->
+      calls(asSymbolMatcher, invokedOn(isThisClassOf(classModel)))
+        .or(calls(ofInternalNameMatcher, withArgument(0, isInternalNameOf(classModel))))
+        .or(calls(ofDescriptorMatcher,
+          withArgument(0, calls(descriptorStringMatcher, invokedOn(self))))));
   }
 
   /** Check whether the given expression is of the form: `classModel.thisClass()`. */
-  private Predicate<ExpressionTree> isThisClassOf(IdentifierTree classModel) {
-    return expression -> check(expression).calls(thisClassMatcher).onExpression().isIdentifier(classModel);
+  private TreeMatcher<ExpressionTree> isThisClassOf(IdentifierTree classModel) {
+    return calls(thisClassMatcher, invokedOn(isIdentifier(classModel)));
   }
 }

java-checks/src/main/java/org/sonar/java/checks/UseTransformClassInsteadOfBuildCheck.java

@@ -0,0 +1,83 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.checks;
+
+import java.util.List;
+import org.sonar.check.Rule;
+import org.sonar.java.matcher.TreeMatcher;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.semantic.MethodMatchers;
+import org.sonar.plugins.java.api.tree.ExpressionTree;
+import org.sonar.plugins.java.api.tree.MethodInvocationTree;
+import org.sonar.plugins.java.api.tree.Tree;
+
+import static org.sonar.java.matcher.TreeMatcher.forEachStatement;
+import static org.sonar.java.matcher.TreeMatcher.hasSize;
+import static org.sonar.java.matcher.TreeMatcher.matching;
+import static org.sonar.java.matcher.TreeMatcher.statementAt;
+import static org.sonar.java.matcher.TreeMatcher.withBody;
+import static org.sonar.java.matcher.TreeMatcher.withExpression;
+
+@Rule(key = "S7478")
+public class UseTransformClassInsteadOfBuildCheck extends IssuableSubscriptionVisitor {
+
+  private static final String CLASS_MODEL_CLASSNAME = "java.lang.classfile.ClassModel";
+  private static final String CLASS_DESC_CLASSNAME = "java.lang.constant.ClassDesc";
+  private static final String CONSUMER_CLASSNAME = "java.util.function.Consumer";
+  private static final String CLASS_ENTRY_CLASSNAME = "java.lang.classfile.constantpool.ClassEntry";
+
+  private final MethodMatchers classFileBuildMatcher = MethodMatchers.create()
+    .ofTypes("java.lang.classfile.ClassFile")
+    .names("build")
+    .addParametersMatcher(
+      CLASS_DESC_CLASSNAME,
+      CONSUMER_CLASSNAME)
+    .addParametersMatcher(
+      CLASS_ENTRY_CLASSNAME,
+      "java.lang.classfile.constantpool.ConstantPoolBuilder",
+      CONSUMER_CLASSNAME)
+    .build();
+
+  /**
+   * Matcher for expressions of the form `x -> { for (ClassModel cm : m) { ... } }`.
+   *  Note that we handle only lambda expressions here, not method references. 
+   */
+  private final TreeMatcher<ExpressionTree> treeMatcher = TreeMatcher
+    .isLambdaExpression(
+      withBody(
+        hasSize(1).and(
+          statementAt(0,
+            forEachStatement(
+              withExpression(
+                matching(e -> e.symbolType().fullyQualifiedName().equals(CLASS_MODEL_CLASSNAME))))))));
+
+  @Override
+  public List<Tree.Kind> nodesToVisit() {
+    return List.of(Tree.Kind.METHOD_INVOCATION);
+  }
+
+  @Override
+  public void visitNode(Tree tree) {
+    MethodInvocationTree methodInvocation = (MethodInvocationTree) tree;
+    if (classFileBuildMatcher.matches(methodInvocation) && !methodInvocation.arguments().isEmpty()) {
+      ExpressionTree lastArgument = methodInvocation.arguments().get(methodInvocation.arguments().size() - 1);
+      if (treeMatcher.check(lastArgument)) {
+        reportIssue(methodInvocation.methodSelect(), "Replace this 'build()' call with 'transformClass()'.");
+      }
+    }
+  }
+}

java-checks/src/test/java/org/sonar/java/checks/UseTransformClassInsteadOfBuildCheckTest.java

@@ -0,0 +1,42 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+import org.sonar.java.checks.verifier.TestUtils;
+
+class UseTransformClassInsteadOfBuildCheckTest {
+
+  @Test
+  void test() {
+    CheckVerifier.newVerifier()
+      .onFile(TestUtils.mainCodeSourcesPath("checks/UseTransformClassInsteadOfBuildCheckSample.java"))
+      .withCheck(new UseTransformClassInsteadOfBuildCheck())
+      .verifyIssues();
+  }
+
+  @Test
+  void testWithoutSemantic() {
+    CheckVerifier.newVerifier()
+      .onFile(TestUtils.mainCodeSourcesPath("checks/UseTransformClassInsteadOfBuildCheckSample.java"))
+      .withCheck(new UseTransformClassInsteadOfBuildCheck())
+      .withoutSemantic()
+      .verifyIssues();
+  }
+
+}