<?xml version="1.0" encoding="UTF-8"?>
<!--
SpotBugs exclude filter for codeiq.
Philosophy: fail CI on real bugs, not on stylistic or generated-code noise.
Each entry MUST have a rationale comment. If a rule here ever catches a
genuine bug in new code, narrow or remove it — never silently live with it.
Docs: https://spotbugs.readthedocs.io/en/latest/filter.html
-->
<FindBugsFilter>
  <!--
  ANTLR-generated parser sources.
  Regenerated on every `mvn generate-sources` from .g4 files in
  src/main/antlr4/. Fixing findings here is futile. Hand-written ANTLR
  support classes (name ends in `Base`, e.g. CSharpParserBase) are NOT
  excluded — those are ours to fix.
  -->
  <Match>
    <Class name="~io\.github\.randomcodespace\.iq\.grammar\..*(Parser|Lexer|Listener|Visitor)$"/>
  </Match>

  <!--
  NM_METHOD_NAMING_CONVENTION — camelCase/PascalCase warnings.
  730 findings, nearly all from generated parsers and overridden ANTLR
  hooks (e.g. `OnPreprocessorExpressionConditionalEq`). Not actionable
  for new hand-written code; the compiler + review catch real typos.
  -->
  <Match>
    <Bug pattern="NM_METHOD_NAMING_CONVENTION"/>
  </Match>

  <!--
  SF_SWITCH_NO_DEFAULT — stylistic.
  448 findings, dominated by generated ANTLR rule dispatch. Real
  fall-through/dead-store bugs are caught separately by
  SF_SWITCH_FALLTHROUGH and SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH,
  which we DO enforce.
  -->
  <Match>
    <Bug pattern="SF_SWITCH_NO_DEFAULT"/>
  </Match>

  <!--
  EI_EXPOSE_REP / EI_EXPOSE_REP2 — "constructor/getter stores or returns
  internal mutable state". 123 findings across detector result DTOs and
  graph-model records. No trust boundary is crossed here: these objects
  live inside a single JVM and are consumed by trusted pipeline code.
  Defensive copies would add GC cost for no security benefit. If we ever
  expose these across a security boundary, tighten here.
  -->
  <Match>
    <Bug pattern="EI_EXPOSE_REP"/>
  </Match>
  <Match>
    <Bug pattern="EI_EXPOSE_REP2"/>
  </Match>

  <!--
  MS_PKGPROTECT / MS_FINAL_PKGPROTECT — "mutable non-final static field
  could be overwritten by a malicious subclass in the same package".
  80 findings. This JVM runs no untrusted bytecode; there is no
  same-package attacker model. Pure noise.
  -->
  <Match>
    <Bug pattern="MS_PKGPROTECT"/>
  </Match>
  <Match>
    <Bug pattern="MS_FINAL_PKGPROTECT"/>
  </Match>

  <!--
  RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE in hand-written ANTLR parser
  support classes (CSharpParserBase, GoParserBase). Defensive null checks
  carried over verbatim from antlr/grammars-v4 grammar action files. Harmless;
  divergence risk if we "fix" them because upstream may re-sync.
  -->
  <Match>
    <Class name="~io\.github\.randomcodespace\.iq\.grammar\.(csharp\.CSharpParserBase|golang\.GoParserBase)"/>
    <Bug pattern="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"/>
  </Match>

  <!--
  BX_UNBOXING_IMMEDIATELY_REBOXED in CSharpPreprocessorParserBase: grammar
  action code adapted from upstream. Micro-perf, not a correctness issue.
  -->
  <Match>
    <Class name="io.github.randomcodespace.iq.grammar.csharp.CSharpPreprocessorParserBase"/>
    <Bug pattern="BX_UNBOXING_IMMEDIATELY_REBOXED"/>
  </Match>
</FindBugsFilter>
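The header of this filter states a policy ("each entry MUST have a rationale comment") that SpotBugs itself does not enforce; over time an exclude file like this tends to accumulate project-wide suppressions whose justification nobody can reconstruct. The script below is an added example, not code from the codeiq project, that turns the policy into a CI check. It assumes the convention the file above uses: an XML comment inside `<FindBugsFilter>` is the rationale for every `<Match>` that follows it until the next comment, and a rationale for a `<Bug pattern="..."/>` exclusion names the pattern it suppresses. It also reports which matches suppress a bug pattern project-wide (no `Class`/`Package`/`Method`/`Field`/`Source` restriction), since those are the ones worth re-examining whenever the trust model changes, as the EI_EXPOSE_REP comment itself anticipates. The `MIN_RATIONALE_WORDS` threshold and the sample filters are constructed for this example.

```python
"""Lint a SpotBugs exclude filter: every <Match> must carry a rationale.

Added example (not part of the codeiq project). Assumes the convention of
spotbugs-exclude.xml: a comment inside <FindBugsFilter> justifies every
<Match> after it until the next comment, and a comment for a
<Bug pattern="..."/> exclusion names that pattern.
"""
from dataclasses import dataclass
from xml.dom import minidom

MIN_RATIONALE_WORDS = 8  # assumption: anything shorter is a label, not a rationale
# Child elements that narrow a <Match> to specific code (SpotBugs filter syntax).
SCOPE_ELEMENTS = ("Class", "Package", "Method", "Field", "Source")


@dataclass
class MatchInfo:
    index: int            # 1-based position among the <Match> elements
    bug_patterns: list    # from <Bug pattern="A,B"/>; empty for class-only matches
    project_wide: bool    # a bug pattern is suppressed with no scope restriction


@dataclass
class Violation:
    index: int
    reason: str


def lint_filter(xml_text):
    """Return (matches, violations) for a FindBugsFilter document."""
    root = minidom.parseString(xml_text).documentElement
    if root.tagName != "FindBugsFilter":
        raise ValueError("root element is %s, expected FindBugsFilter" % root.tagName)
    matches, violations = [], []
    rationale = None  # text of the most recent comment directly under the root
    for node in root.childNodes:
        if node.nodeType == node.COMMENT_NODE:
            rationale = node.data.strip()
        elif node.nodeType == node.ELEMENT_NODE and node.tagName == "Match":
            index = len(matches) + 1
            # SpotBugs allows a comma-separated list in the pattern attribute.
            patterns = [p.strip()
                        for bug in node.getElementsByTagName("Bug")
                        for p in bug.getAttribute("pattern").split(",") if p.strip()]
            scoped = any(node.getElementsByTagName(tag) for tag in SCOPE_ELEMENTS)
            matches.append(MatchInfo(index, patterns, bool(patterns) and not scoped))
            if rationale is None:
                violations.append(Violation(index, "no rationale comment above <Match>"))
                continue
            if len(rationale.split()) < MIN_RATIONALE_WORDS:
                violations.append(Violation(index, "rationale too short to justify exclusion"))
            for pat in patterns:
                if pat not in rationale:
                    violations.append(Violation(index, "rationale does not mention " + pat))
    return matches, violations


# Constructed excerpt in the style of the filter above (package names invented).
GOOD_FILTER = r"""<?xml version="1.0" encoding="UTF-8"?>
<!-- Header: philosophy only; it sits outside the root and justifies nothing. -->
<FindBugsFilter>
  <!-- Generated parser sources are regenerated on every build, so fixing
       findings there is futile; the whole generated package is excluded. -->
  <Match>
    <Class name="~com\.example\.grammar\..*(Parser|Lexer)$"/>
  </Match>
  <!-- EI_EXPOSE_REP / EI_EXPOSE_REP2: these DTOs never cross a trust boundary,
       so defensive copies would add GC cost for no security benefit. -->
  <Match><Bug pattern="EI_EXPOSE_REP"/></Match>
  <Match><Bug pattern="EI_EXPOSE_REP2"/></Match>
</FindBugsFilter>
"""

# Constructed counter-example: an unexplained suppression and a one-word label.
BAD_FILTER = """<FindBugsFilter>
  <Match><Bug pattern="MS_PKGPROTECT"/></Match>
  <!-- noisy -->
  <Match><Bug pattern="SF_SWITCH_NO_DEFAULT,SF_SWITCH_FALLTHROUGH"/></Match>
</FindBugsFilter>
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_FILTER), ("bad", BAD_FILTER)):
        found, problems = lint_filter(text)
        wide = [m.bug_patterns for m in found if m.project_wide]
        print("%s: %d matches, %d project-wide, %d violations"
              % (label, len(found), len(wide), len(problems)))
        for v in problems:
            print("  Match #%d: %s" % (v.index, v.reason))
```

Run it against the real file with `lint_filter(open("spotbugs-exclude.xml").read())` and fail the build when the violation list is non-empty; the project-wide list doubles as the inventory to revisit when, as the EI_EXPOSE_REP comment says, any of those objects start crossing a security boundary.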