I'm currently looking for a way to dynamically set a property on an Object. I have this:
    public static void assign(Object instance, String attribute, Object value) {
        try {
            if (value != null) {
                BeanUtils.setProperty(instance, attribute, value);
            }
        } catch (IllegalAccessException | InvocationTargetException ex) {
            throw new TechnicalException(ex.getMessage(), ex);
        }
    }
But SonarQube throws an error:
"Make sure that setting JavaBean properties is safe here."
So I need an alternative to fill my object dynamically or a way to avoid the exception in "BeanUtils.setProperty" (Avoid the exception because due to the nature of the project there are no risks of vulnerabilities).
Or some way to receive an object, and assign a field with a specific value by converting the data type of the value dynamically.
Any idea?
Thank you very much in advance.
The message from SonarQube is more of a warning that you have potential safety problems with your code. This is the case when you let a user pass an argument that is directly injected into this property. When this is your use case, you need to validate/clean the user input so as to avoid potential risks.
When you have validated that this is not a risk, and it seems this is your case:
"because due to the nature of the project there are no risks of vulnerabilities"
you can annotate your method with SuppressWarnings and the reference of the warning you want to ignore:

    @java.lang.SuppressWarnings("java:S4512")
As this is a security hotspot, you could also mark it in SonarQube as checked and secure. You can do this in the failed security hotspots of your project, by marking it as 'safe'.
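For the case where the attribute name does come from user input, one way to do the validation mentioned in the answer is an exact-match allowlist of property names. This is an added example, not part of the original question or answer; the `SafeAssign` class, the `allowed` parameter and the `User` bean are hypothetical, and it uses the JDK's `java.beans` introspection, so it does not perform the type conversion that `BeanUtils.setProperty` does.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.InvocationTargetException;
import java.util.Set;

public class SafeAssign {
    /** Sets one simple property, but only if the caller explicitly allowed its name. */
    public static void assign(Object instance, String attribute, Object value, Set<String> allowed) {
        if (value == null) {
            return;
        }
        // Exact match only: nested ("a.b"), indexed ("a[0]") and mapped ("a(k)")
        // expressions never equal a plain allowlisted name, so they are rejected.
        if (!allowed.contains(attribute)) {
            throw new IllegalArgumentException("Property not allowed: " + attribute);
        }
        try {
            // Stop at Object.class so getClass() is not exposed as a "class" property.
            for (PropertyDescriptor pd : Introspector
                    .getBeanInfo(instance.getClass(), Object.class).getPropertyDescriptors()) {
                if (pd.getName().equals(attribute) && pd.getWriteMethod() != null) {
                    pd.getWriteMethod().invoke(instance, value);
                    return;
                }
            }
        } catch (IntrospectionException | IllegalAccessException | InvocationTargetException ex) {
            throw new IllegalStateException("Cannot set " + attribute, ex);
        }
        throw new IllegalArgumentException("No writable property: " + attribute);
    }

    /** Constructed sample bean for the demonstration (hypothetical). */
    public static class User {
        private String name;
        private boolean admin;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    public static void main(String[] args) {
        User u = new User();
        Set<String> allowed = Set.of("name");   // only "name" may be set dynamically
        assign(u, "name", "alice", allowed);    // accepted
        try {
            assign(u, "admin", true, allowed);  // a real property, but not allowlisted
        } catch (IllegalArgumentException e) {
            System.out.println(u.getName() + " / " + e.getMessage());
        }
    }
}
```

The same `allowed.contains(attribute)` check can be placed in front of the existing `BeanUtils.setProperty` call if its type conversion is needed.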