Create rule S6832: Spring beans should not be injected in an incompatible scope

Angelo Buono · Angelo Buono · commit 773cfe006cf7 · 2023-10-24T13:59:09.000+02:00
diff --git a/rules/S6832/java/metadata.json b/rules/S6832/java/metadata.json
@@ -1,25 +1,24 @@
 {
-  "title": "FIXME",
+  "title": "Non-singleton Spring beans should not be injected using @Autowired in Singleton beans",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "5min"
   },
   "tags": [
+    "spring"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6832",
   "sqKey": "S6832",
   "scope": "All",
   "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "unknown",
+  "quickfix": "infeasible",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH",
-      "RELIABILITY": "MEDIUM",
-      "SECURITY": "LOW"
+      "RELIABILITY": "MEDIUM"
     },
-    "attribute": "CONVENTIONAL"
+    "attribute": "LOGICAL"
   }
 }
diff --git a/rules/S6832/java/rule.adoc b/rules/S6832/java/rule.adoc
@@ -1,44 +1,165 @@
-FIXME: add a description
 
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+In Spring Boot the scope of a bean defines the lifecycle and visibility of that bean in the Spring container.
+There are six scopes:
+
+- *Singleton*: default, one instance per Spring container
+- *Prototype*: a new instance per bean request
+- *Request*: a new instance per HTTP request
+- *Session*: a new instance per HTTP session
+- *Application*: a new instance per ServletContext
+- *Websocket*: a new instance per Websocket session
+
+The last four scopes mentioned, request, session, application and websocket, are only available in a web-aware application.
 
 == Why is this an issue?
 
-FIXME: remove the unused optional headers (that are commented out)
+In Spring Boot, Singleton beans and their dependencies are initialized when the application context is created.
+
+If a Singleton bean depends on a bean with a shorter-lived scope (like a Request or Session scoped bean),
+it retains the same instance of that bean, even when new instances are created for each Request or Session.
+This mismatch can cause unexpected behavior and bugs, as the Singleton bean doesn't interact correctly with the new instances of the shorter-lived bean.
+
+This rule raises an issue for the injection of non-Singleton beans in a Singleton bean.
+
+=== What is the potential impact?
 
-//=== What is the potential impact?
+When a Singleton bean has a dependency on a bean with a shorter-lived scope, it can lead to the following issues:
+
+- *Data inconsistency*: any state change in the shorter-lived bean will not be reflected in the Singleton bean.
+
+- *Incorrect behavior*: using the same instance of the shorter-lived bean, when a new instance is supposed to be created for each new request or session.
+
+- *Memory leaks*: preventing garbage collection of a shorter-lived bean that allocates a significant amount of data over time.
 
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
+
+Inject a shorter-lived bean into a Singleton bean using *ApplicationContext*, *Factories* or *Providers*.
 
 === Code examples
 
 ==== Noncompliant code example
 
-[source,text,diff-id=1,diff-type=noncompliant]
+When a Singleton bean auto-wires a Request scoped bean, the dependency is resolved at instantiation time and thus the same instance is used for each HTTP request.
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+@Component
+@Scope(value = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
+public class RequestBean {
+    //...
+}
+
+public class SingletonBean {
+    @Autowired
+    private final RequestBean requestBeanFactory; // Noncompliant, the same instance of RequestBean is used for each HTTP request.
+
+    public RequestBean getRequestBean() {
+        return requestBeanFactory;
+    }
+}
+----
+
+==== Compliant solution
+
+Using as injection point a `ObjectFactory<RequestBean>`, s `ObjectProvider<RequestBean>` or a `Provider<RequestBean>` (as for JSR-330).
+
+Such a dependency is resolved at runtime, allowing for actual injection of a new instance of the shorter-lived bean on each HTTP request.
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+@Component
+@Scope(value = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
+public class RequestBean {
+    //...
+}
+
+public class SingletonBean {
+    private final ObjectFactory<RequestBean> requestBeanFactory;
+
+    @Autowired
+    public SingletonBean(ObjectFactory<RequestBean> requestBeanFactory) {
+        this.requestBeanFactory = requestBeanFactory;
+    }
+
+    public RequestBean getRequestBean() {
+        return requestBeanFactory.getObject();
+    }
+}
+----
+
+
+==== Noncompliant code example
+
+When a Singleton bean auto-wires a Prototype bean, the dependency is resolved at instantiation time and thus the same instance is used for each bean request.
+
+[source,java,diff-id=2,diff-type=noncompliant]
 ----
-FIXME
+@Component
+@Scope("prototype")
+public class PrototypeBean {
+    public Object execute() {
+      //...
+    }
+}
+
+public class SingletonBean {
+    private PrototypeBean prototypeBean;
+
+    @Autowired
+    public SingletonBean(PrototypeBean prototypeBean) { // Noncompliant, the same instance of PrototypeBean is used for each bean request.
+      this.prototypeBean = prototypeBean;
+    }
+
+    public Object process() {
+        return prototypeBean.execute();
+    }
+}
 ----
 
 ==== Compliant solution
 
-[source,text,diff-id=1,diff-type=compliant]
+Using the `ApplicationContext` to retrieve a new instance of a Prototype bean on each bean request.
+
+[source,java,diff-id=2,diff-type=compliant]
 ----
-FIXME
+
+@Component
+@Scope("prototype")
+public class PrototypeBean {
+    public Object execute() {
+      //...
+    }
+}
+
+public class SingletonBean implements ApplicationContextAware {
+    private ApplicationContext applicationContext;
+
+    @Autowired
+    public SingletonBean(ApplicationContext applicationContext) {
+      this.applicationContext = applicationContext;
+    }
+
+    public Object process() {
+        PrototypeBean prototypeBean = createPrototypeBean();
+        return prototypeBean.execute();
+    }
+
+    protected PrototypeBean createPrototypeBean() {
+        return this.applicationContext.getBean("prototypeBean", PrototypeBean.class);
+    }
+}
 ----
 
-//=== How does this work?
 
-//=== Pitfalls
+== Resources
+
+=== Documentation
+
+* Spring Framework - https://docs.spring.io/spring-framework/reference/core/beans/factory-scopes.html[Factory Scopes]
+* Spring Framework - https://docs.spring.io/spring-framework/reference/core/beans/standard-annotations.html#beans-inject-named[Beans Inject Named]
+* Spring Framework - https://docs.spring.io/spring-framework/reference/core/beans/dependencies/factory-method-injection.html[Method Injection]
 
-//=== Going the extra mile
+=== Articles & blog posts
 
+* Baeldung - https://www.baeldung.com/spring-bean-scopes[Spring Bean Scopes]
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
