SONARJAVA-4426 S5778 allow calling factory methods to create empty collections

[tomasz-tylenda-sonarsource]

Expand the list of methods that we can safely ignore.

---

Summary by Gitar

• Rule update:
  • Extended OneExpectedRuntimeExceptionCheck to ignore Collections.singleton, Collections.singletonList, and Collections.singletonMap method calls.
• Test update:
  • Added test cases in OneExpectedRuntimeExceptionCheckSample to verify the exclusion of Collections.singleton* methods.
  • Updated its/autoscan/src/test/resources/autoscan/diffs/diff_S5961.json to reflect new false negative count for rule S5961.

_{This will update automatically on new commits.}

[hashicorp-vault-sonar-prod]

SONARJAVA-4426

[rombirli]

It seems quite difficult to maintain an exhaustive list of all commonly used functions that never throw an exception. It might make more sense to rethink the underlying implementation of this rule in the future. That said, I'm approving this PR anyway, as it should still eliminate a solid number of false positives.

[rombirli]

I'm not sure to understand correctly what this value is, but is it expected that we have more FN than before? Even if TPs are missclassified as FNs we shouldn't have more issues raised than before by just expanding the whitelist

[tomasz-tylenda-sonarsource]

For some reason, this check does not work without semantics, so nothing is reported in autoscan. The new false negatives are the additional test cases that I added.

[rombirli]

Ah I understand, thanks for this explanation.

[rombirli]

Looks good, I've seen your comment under the jira ticket, but there are many otheres non-raising functions, here are a few commonly used that could make sense to add.

• Arrays.asList(...)
• Collections.singleton* : Collections.singleton(o) / Collections.singletonList(o) / Collections.singletonMap(k, v)...
• *.of: Stream.of(t) / Optional.ofNullable(v)...
• boxing functions :Byte.valueOf(b), Boolean.valueOf(b), Integer.valueOf(i)
• ...
  I'm not requesting any change, just proposing very commonly used functions you can add if you think it makes sense

[tomasz-tylenda-sonarsource]

I added Collections.singleton*. Arrays.asList can throw NPE. While the other examples can lead to FPs, I don't think we should be adding a large collection of cases unless we have some evidence that they happen in practice.

I think we can validate this PR on Peachee and follow up if we see more cases worth excluding.

[rombirli]

Sounds good!

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[gitar-bot]

Code Review ✅ Approved

Expands the list of ignored factory methods in OneExpectedRuntimeExceptionCheck to include Collections.singleton variants. No issues found.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}