Handle spotbugs warning post (#6)

content/posts/2024-04-29-handling-ei-expose-rep/index.mdx

@@ -0,0 +1,111 @@
+---
+title: Handling EI_EXPOSE_REP & EI_EXPOSE_REP2
+author: Sudaraka Jayathilaka
+date: 2024-04-29
+hero: ./images/hero.png
+excerpt: SpotBugs is a great tool for static code analysis. It can help you find bugs, security vulnerabilities, and performance issues in your Java code.
+---
+
+[SpotBugs](https://spotbugs.github.io/) is a great tool for static code analysis. Recently I got two similar warnings in one of the codebases I work on 
+and I had to fix it.
+
+## EI_EXPOSE_REP & EI_EXPOSE_REP2 Warning definitions
+
+You can find the official documentation for these two warnings in the SpotBugs documentation.
+- Warning [EI_EXPOSE_REP](https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei-expose-rep)
+- Warning [EI_EXPOSE_REP2](https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei-expose-rep2)
+
+## EI_EXPOSE_REP
+
+This warning is mainly about exposing a mutable object from a class. Let's take a class which has a 
+mutable object such as a `List`. 
+
+```java
+public class MyClass {
+    private List<String> myList;
+
+    public MyClass() {
+        myList = new ArrayList<>();
+    }
+
+    public List<String> getMyList() {
+        return myList;
+    }
+}
+```
+
+Now you can see that we are exposing the `myList` object via the `getMyList()` method. This means that anyone who has access to the
+`MyClass` object can modify the `myList` object. This is a clear violation of the encapsulation principle in OOP. This is where the
+`EI_EXPOSE_REP` warning comes in.
+
+### The Fix
+We can mainly fix this using two approaches. 
+1. Return an unmodifiable list from the `getMyList()` method. You can change the getMyList() method as follows.
+    ```java
+    public List<String> getMyList() {
+        return Collections.unmodifiableList(myList);
+    }
+    ```
+2. Return a copy of the list from the `getMyList()` method. You can change the getMyList() method as follows.
+    ```java
+    public List<String> getMyList() {
+        return List.copyOf(myList);
+    }
+    ```
+
+## EI_EXPOSE_REP2
+
+This warning is pretty much related to the previous warning. The only difference is that this warning is about keeping
+a reference to a mutable object within the class. Let's take the same example we used in the previous warning.
+
+```java
+public class MyClass {
+    private List<String> myList;
+
+    public MyClass(List<String> myList) {  
+        this.myList = myList;
+    }
+}
+```
+
+In the above example you can see how the constructor gets a reference to a mutable List from outside the class and assigns it to the
+`myList` field. This means that the caller can modify the `myList` object from outside of the class. This is again a clear violation of the
+encapsulation principle and a security risk.
+
+### The Fix
+
+The fix for this warning is slightly different from the previous warning. You can fix this by,
+
+1. Creating a copy of the list when assigning it to the `myList` variable.
+    ```java
+    public MyClass(List<String> myList) {  
+        this.myList = List.copyOf(myList);
+    }
+    ```
+2. Creating an unmodifiable list when assigning it to the `myList` variable.
+    ```java
+    public MyClass(List<String> myList) {  
+        this.myList = Collections.unmodifiableList(myList);
+    }
+    ```
+
+## Conclusion
+
+These warnings can be really helpful given the right context. But in some cases, it might be an overkill to fix these warnings. So
+it's always better to analyze the context and decide whether to fix these warnings or not. In case you want to ignore these warnings
+you can use the `@SuppressFBWarnings` annotation provided by SpotBugs.
+
+```java
+@SuppressFBWarnings("EI_EXPOSE_REP")
+public class MyClass {
+    private List<String> myList;
+
+    public MyClass() {
+        myList = new ArrayList<>();
+    }
+
+    public List<String> getMyList() {
+        return myList;
+    }
+}
+```

package.json

@@ -10,7 +10,7 @@
     "deploy": "gatsby build && gh-pages -d public -b main"
   },
   "dependencies": {
-    "@sudaraka94/gatsby-theme-novela": "^1.1.5",
+    "@sudaraka94/gatsby-theme-novela": "^1.1.7",
     "gatsby": "^5.13.3",
     "gatsby-plugin-google-gtag": "^5.13.1",
     "gatsby-plugin-manifest": "^5.13.1",

yarn.lock

@@ -2436,10 +2436,10 @@
     unfurl.js "^5.1.0"
     unist-util-select "^3.0.1"
 
-"@sudaraka94/gatsby-theme-novela@^1.1.5":
-  version "1.1.5"
-  resolved "https://registry.yarnpkg.com/@sudaraka94/gatsby-theme-novela/-/gatsby-theme-novela-1.1.5.tgz#846a653dcd03df3a7d388928f1a10597cdcfbdb0"
-  integrity sha512-6NVsPKQodlfQDno/C1TboIQvXKPrfwvxqt011i2CrjcJU7LPl1Sdu+5eu9oY9yE79aHhB0keW1u3Lus4/6MRIg==
+"@sudaraka94/gatsby-theme-novela@^1.1.7":
+  version "1.1.7"
+  resolved "https://registry.yarnpkg.com/@sudaraka94/gatsby-theme-novela/-/gatsby-theme-novela-1.1.7.tgz#c6cc781033bd5569ff5ab5c91eedcab4feaa16d7"
+  integrity sha512-AaGcc7THsFb3ZNqVQP0XA7FqGu/94WP9dvrLOJ0hMdWqEwTz1yaY1S+p2rRsCqfzYMCxJ7f2lrtjUdY90WWkaQ==
   dependencies:
     "@emotion/react" "^11.11.4"
     "@emotion/styled" "^11.11.0"
@@ -2477,6 +2477,7 @@
     gatsby-transformer-yaml "^5.13.1"
     lodash "^4.17.21"
     prism-react-renderer "^2.3.1"
+    prismjs "^1.29.0"
     react-helmet "^6.1.0"
     react-live "^4.1.6"
     react-medium-image-zoom "^5.1.11"
@@ -11911,6 +11912,11 @@ prism-react-renderer@^2.0.6, prism-react-renderer@^2.3.1:
     "@types/prismjs" "^1.26.0"
     clsx "^2.0.0"
 
+prismjs@^1.29.0:
+  version "1.29.0"
+  resolved "https://registry.yarnpkg.com/prismjs/-/prismjs-1.29.0.tgz#f113555a8fa9b57c35e637bba27509dcf802dd12"
+  integrity sha512-Kx/1w86q/epKcmte75LNrEoT+lX8pBpavuAbvJWRXar7Hz8jrtF+e3vY751p0R8H9HdArwaCTNDDzHg/ScJK1Q==
+
 probe-image-size@^7.2.3:
   version "7.2.3"
   resolved "https://registry.yarnpkg.com/probe-image-size/-/probe-image-size-7.2.3.tgz#d49c64be540ec8edea538f6f585f65a9b3ab4309"