Check and test project for ambiguous resolution of @Autowired'd @component

tomasz-tylenda-sonarsource · tomasz-tylenda-sonarsource · commit 271f514c94d4 · 2025-06-05T14:59:09.000+02:00
diff --git a/java-checks-test-sources/default/src/main/java/checks/spring/innovation/A.java b/java-checks-test-sources/default/src/main/java/checks/spring/innovation/A.java
@@ -0,0 +1,11 @@
+package checks.spring.innovation;
+
+import org.springframework.stereotype.Component;
+
+@Component
+public class A implements Named {
+  @Override
+  public String getName() {
+    return "A";
+  }
+}
diff --git a/java-checks-test-sources/default/src/main/java/checks/spring/innovation/B.java b/java-checks-test-sources/default/src/main/java/checks/spring/innovation/B.java
@@ -0,0 +1,11 @@
+package checks.spring.innovation;
+
+import org.springframework.stereotype.Component;
+
+@Component
+public class B implements Named {
+  @Override
+  public String getName() {
+    return "B";
+  }
+}
diff --git a/java-checks-test-sources/default/src/main/java/checks/spring/innovation/DemoApplication.java b/java-checks-test-sources/default/src/main/java/checks/spring/innovation/DemoApplication.java
@@ -0,0 +1,28 @@
+package checks.spring.innovation;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.CommandLineRunner;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DemoApplication implements CommandLineRunner {
+
+  @Autowired
+  Named nameSource; // Noncompliant
+
+  @Autowired
+  A a;
+
+  @Autowired
+  Named second; // Noncompliant
+
+  public static void main(String[] args) {
+    SpringApplication.run(DemoApplication.class, args);
+  }
+
+  @Override
+  public void run(String... args) throws Exception {
+    System.out.println("Hello,  " + nameSource.getName() + "!");
+  }
+}
diff --git a/java-checks-test-sources/default/src/main/java/checks/spring/innovation/Named.java b/java-checks-test-sources/default/src/main/java/checks/spring/innovation/Named.java
@@ -0,0 +1,5 @@
+package checks.spring.innovation;
+
+public interface Named {
+  String getName();
+}
diff --git a/java-checks/src/main/java/org/sonar/java/checks/spring/SpringBeansShouldBeAccessibleCheck.java b/java-checks/src/main/java/org/sonar/java/checks/spring/SpringBeansShouldBeAccessibleCheck.java
@@ -47,7 +47,7 @@
 import org.sonar.plugins.java.api.tree.Tree;
 import org.sonarsource.analyzer.commons.collections.SetUtils;
 
-@Rule(key = "S4605")
+//@Rule(key = "S4605")
 public class SpringBeansShouldBeAccessibleCheck extends IssuableSubscriptionVisitor implements EndOfAnalysis {
 
   private static final Logger LOG = LoggerFactory.getLogger(SpringBeansShouldBeAccessibleCheck.class);
diff --git a/java-checks/src/main/java/org/sonar/java/checks/spring/SpringInnovationCheck.java b/java-checks/src/main/java/org/sonar/java/checks/spring/SpringInnovationCheck.java
@@ -0,0 +1,118 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.checks.spring;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.sonar.check.Rule;
+import org.sonar.java.model.DefaultJavaFileScannerContext;
+import org.sonar.java.model.DefaultModuleScannerContext;
+import org.sonar.java.reporting.AnalyzerMessage;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.ModuleScannerContext;
+import org.sonar.plugins.java.api.internal.EndOfAnalysis;
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.semantic.SymbolMetadata;
+import org.sonar.plugins.java.api.semantic.Type;
+import org.sonar.plugins.java.api.tree.ClassTree;
+import org.sonar.plugins.java.api.tree.Tree;
+import org.sonar.plugins.java.api.tree.VariableTree;
+
+@Rule(key = "S4605")
+public class SpringInnovationCheck extends IssuableSubscriptionVisitor implements EndOfAnalysis {
+
+  private static final String[] SPRING_BEAN_ANNOTATIONS = {
+    "org.springframework.stereotype.Component"
+  };
+
+  private static final String[] SPRING_INJECTION_ANNOTATIONS = {
+    "org.springframework.beans.factory.annotation.Autowired"
+  };
+
+  record Location(AnalyzerMessage analyzerMessage) {}
+
+  Map<String, Set<Location>> injections = new HashMap<>();
+  Map<String, Set<String>> availableImpls = new HashMap<>();
+
+  @Override
+  public List<Tree.Kind> nodesToVisit() {
+    return List.of(Tree.Kind.CLASS);
+  }
+
+  @Override
+  public void visitNode(Tree tree) {
+    if (tree instanceof ClassTree classTree) {
+      SymbolMetadata classSymbolMetadata = classTree.symbol().metadata();
+      if (hasAnnotation(classSymbolMetadata, SPRING_BEAN_ANNOTATIONS)) {
+        Symbol.TypeSymbol symbol = classTree.symbol();
+        Set<String> types = getTypes(symbol);
+        for (String type : types) {
+          Set<String> impls = availableImpls.computeIfAbsent(type, k -> new HashSet<>());
+          impls.add(symbol.type().fullyQualifiedName());
+        }
+      }
+
+      DefaultJavaFileScannerContext defaultContext = (DefaultJavaFileScannerContext) context;
+
+      for (Tree member: classTree.members()) {
+        if (member instanceof VariableTree variableTree) {
+          if (hasAnnotation(variableTree.symbol().metadata(), SPRING_INJECTION_ANNOTATIONS)) {
+            String typeFqn = variableTree.symbol().type().fullyQualifiedName();
+
+            Set<Location> locations = injections.computeIfAbsent(typeFqn, k -> new HashSet<>());
+
+            // Just on the `simpleName()`, because for simplicity we don't want to include the annotation.
+            AnalyzerMessage message = defaultContext.createAnalyzerMessage(this, variableTree.simpleName(), "More than one candidate implementation");
+            locations.add(new Location(message));
+          }
+        }
+      }
+    }
+  }
+
+  private static boolean hasAnnotation(SymbolMetadata classSymbolMetadata, String... annotationName) {
+    return Arrays.stream(annotationName).anyMatch(classSymbolMetadata::isAnnotatedWith);
+  }
+
+  private static Set<String> getTypes(Symbol.TypeSymbol symbol) {
+    var result = new HashSet<String>();
+    result.add(symbol.type().fullyQualifiedName());
+    for (Type iface: symbol.interfaces()) {
+      result.add(iface.fullyQualifiedName());
+    }
+    return result;
+  }
+
+  @Override
+  public void endOfAnalysis(ModuleScannerContext context) {
+    var defaultContext = (DefaultModuleScannerContext) context;
+
+    for(Map.Entry<String,Set<Location>> entry : injections.entrySet()) {
+      String typeFqn = entry.getKey();
+      Set<Location> locations = entry.getValue();
+      if (availableImpls.get(typeFqn).size() > 1) {
+        for(Location location :locations) {
+          defaultContext.reportIssue(location.analyzerMessage());
+        }
+      }
+    }
+  }
+}
diff --git a/java-checks/src/test/java/org/sonar/java/checks/spring/SpringInnovationCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/spring/SpringInnovationCheckTest.java
@@ -0,0 +1,44 @@
+/*
+ * SonarQube Java
+ * Copyright (C) 2012-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.java.checks.spring;
+
+import java.util.Arrays;
+import java.util.List;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath;
+
+class SpringInnovationCheckTest {
+
+  private static final String BASE_PATH = "checks/spring/innovation/";
+
+  @Test
+  void testComponentScan() {
+    final String testFolder = BASE_PATH;
+    List<String> files = Arrays.asList(
+      mainCodeSourcesPath(testFolder + "A.java"),
+      mainCodeSourcesPath(testFolder + "B.java"),
+      mainCodeSourcesPath(testFolder + "Named.java"),
+      mainCodeSourcesPath(testFolder + "DemoApplication.java"));
+
+    CheckVerifier.newVerifier()
+      .onFiles(files)
+      .withCheck(new SpringInnovationCheck())
+      .verifyIssues();
+  }
+}
