Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve @SecureField detection lookup exclusions #40822

Merged
merged 1 commit into from
May 24, 2024
Merged

Improve @SecureField detection lookup exclusions #40822

merged 1 commit into from
May 24, 2024
+13 −6

Conversation

michalvavrik
Copy link
Member

When analyzing #40780 I mentioned the algorithm used for detection of @SecureField is also looking into types that are excluded from lookup in other places of the same algorithm. My thinking is that if someone has a field of one of excluded type (e.g. type from java. package) inside DTO, it is possible that custom subclass could have a field annotated with @SecureField. Nevertheless it is trying to detect IMO very unlikely situation and for now it's better to shorten detection time. Users are advised to tests every secure field they annotate by Quarkus docs.

I'll try to provide better detection with refactoring of this algorithm based on a new Jandex version in the future. That won't be backportable. This PR is.

@michalvavrik michalvavrik changed the title Improve @SecureField detection lookup exclusion Improve @SecureField detection lookup exclusions May 23, 2024
@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented May 23, 2024
edited by github-actions bot
Loading

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 0a6c50b.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@michalvavrik michalvavrik requested a review from geoand May 23, 2024 21:30
@geoand
Copy link
Contributor

geoand commented May 24, 2024

I'll try to provide better detection with refactoring of this algorithm based on a new Jandex version in the future. That won't be backportable. This PR is.

Great idea!

geoand
geoand approved these changes May 24, 2024
View reviewed changes
Copy link
Contributor

@geoand geoand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏🏼

@geoand geoand merged commit dccbe20 into quarkusio:main May 24, 2024
31 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.12 - main milestone May 24, 2024
@gsmet gsmet modified the milestones: 3.12 - main, 3.11.1 Jun 4, 2024
@gsmet gsmet modified the milestones: 3.11.1, 3.8.6 Aug 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geoand geoand

Assignees
No one assigned
Labels
area/rest
Projects
None yet
Milestone
3.8.6
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@michalvavrik @geoand @gsmet