Small question regarding a Spotbugs finding I am having a hard time fixing.
In this super simple class:
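```java
import io.micrometer.observation.ObservationRegistry;
import org.springframework.stereotype.Service;

@Service
public final class MyService {
    private final ObservationRegistry observationRegistry;

    // The injected registry reference is stored as-is; this is the line SpotBugs flags.
    public MyService(final ObservationRegistry registry) {
        this.observationRegistry = registry;
    }
}
```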
I am getting flagged on the `observationRegistry` with

> may expose internal representation by storing an externally mutable object into MyService.observationRegistry

I tried invoking a possible `clone()` method on the registry, but no luck.
How do I fix this?
asked Mar 27 at 22:04 by PatPanda

1 Answer
Did you read the whole description? https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ei2-may-expose-internal-representation-by-incorporating-reference-to-mutable-object-ei-expose-rep2

> EI2: May expose internal representation by incorporating reference to mutable object (EI_EXPOSE_REP2) This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.

The whole point here is making internal data available externally, I'm not sure this is valid here since "untrusted code" might be able to just "attack" your registered handlers or read their outputs. Also, I might misunderstand this but if your instances can be accessed by "untrusted code", I'm not sure this will save you from anything. I guess the solution here is rather not adding sensitive data to your `Observation`s (and suppress the warning).
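The two situations EI_EXPOSE_REP2 can point at, side by side, as an added example that is not part of the original question or answer: a value-like argument where a defensive copy is the fix, and the injected registry from the question, where the finding is suppressed with a recorded justification. It assumes `spotbugs-annotations` and `micrometer-observation` are on the classpath; `Ei2Example`, `AllowList`, the host names and the observation name are hypothetical.

```java
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.micrometer.observation.Observation;
import io.micrometer.observation.ObservationRegistry;
import java.util.ArrayList;
import java.util.List;

public final class Ei2Example {

    /** Case 1: a value-like mutable argument. Copying it is the right fix. */
    static final class AllowList {
        private final List<String> hosts;

        AllowList(final List<String> hosts) {
            // List.copyOf takes an unmodifiable snapshot, so later changes to
            // the caller's list cannot alter this object's state.
            this.hosts = List.copyOf(hosts);
        }

        boolean permits(final String host) {
            return hosts.contains(host);
        }
    }

    /** Case 2: a shared collaborator. It cannot be copied and must stay shared. */
    static final class MyService {
        private final ObservationRegistry observationRegistry;

        @SuppressFBWarnings(value = "EI_EXPOSE_REP2",
                justification = "Injected shared collaborator, not state owned by this class")
        MyService(final ObservationRegistry registry) {
            this.observationRegistry = registry;
        }

        void work() {
            // Keep secrets and personal data out of observation names and key values.
            Observation.createNotStarted("my.service.work", observationRegistry)
                    .observe(() -> { });
        }
    }

    public static void main(final String[] args) {
        List<String> callerList = new ArrayList<>(List.of("example.org")); // constructed sample data
        AllowList allow = new AllowList(callerList);
        callerList.add("added-later.example"); // caller mutates its own list afterwards
        System.out.println(allow.permits("added-later.example"));
        new MyService(ObservationRegistry.create()).work();
    }
}
```

Scoping the suppression to the one constructor keeps EI_EXPOSE_REP2 active for the rest of the code base, where it still catches fields like the list in case 1.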