findbugs - Spotbugs + Java: EI_EXPOSE_REP2 may expose internal representation by storing an externally mutable object into MySer

Small question regarding a Spotbugs finding I am having a hard time fixing.

In this super simple class:

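import io.micrometer.observation.ObservationRegistry;
import org.springframework.stereotype.Service;

@Service
public final class MyService {

    private final ObservationRegistry observationRegistry;

    // The constructor stores the injected registry reference as-is;
    // this assignment is what SpotBugs reports.
    public MyService(final ObservationRegistry registry) {
        this.observationRegistry = registry;
    }
}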

I am getting flagged on the observationRegistry with

may expose internal representation by storing an externally mutable object into MyService.observationRegistry

I tried invoking a possible clone() method on the registry, but no luck.

How do I fix this?

asked Mar 27 at 22:04 by PatPanda

1 Answer

Did you read the whole description? https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html#ei2-may-expose-internal-representation-by-incorporating-reference-to-mutable-object-ei-expose-rep2

EI2: May expose internal representation by incorporating reference to mutable object (EI_EXPOSE_REP2)

This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.

The whole point here is making internal data available externally. I'm not sure this is valid here, since "untrusted code" might be able to just "attack" your registered handlers or read their outputs. Also, I might misunderstand this, but if your instances can be accessed by "untrusted code", I'm not sure this will save you from anything. I guess the solution here is rather not adding sensitive data to your Observations (and suppress the warning).
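An added example (not code from the question or the answer) of the situation the quoted EI_EXPOSE_REP2 description is about: a class whose security property depends on a mutable object the caller still holds, next to the defensive-copy form the description recommends. The class names and host names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public final class ExposeRep2Demo {

    // Stores the caller's list as-is: the shape EI_EXPOSE_REP2 describes.
    static final class AllowListByReference {
        private final List<String> hosts;

        AllowListByReference(final List<String> hosts) {
            this.hosts = hosts; // caller keeps a reference to the same list
        }

        boolean permits(final String host) {
            return hosts.contains(host);
        }
    }

    // Defensive copy: List.copyOf takes an unmodifiable snapshot (Java 10+).
    static final class AllowListByCopy {
        private final List<String> hosts;

        AllowListByCopy(final List<String> hosts) {
            this.hosts = List.copyOf(hosts);
        }

        boolean permits(final String host) {
            return hosts.contains(host);
        }
    }

    public static void main(final String[] args) {
        // Constructed sample input.
        final List<String> callerList = new ArrayList<>(List.of("api.internal.example"));
        final AllowListByReference byRef = new AllowListByReference(callerList);
        final AllowListByCopy byCopy = new AllowListByCopy(callerList);

        // The caller changes its list after both objects were built.
        callerList.add("other.example");

        // Only the by-reference object sees the late addition.
        System.out.println("by reference permits other.example: " + byRef.permits("other.example"));
        System.out.println("by copy permits other.example: " + byCopy.permits("other.example"));
    }
}
```

For an injected collaborator like the registry in the question, the answer's route is suppression instead of copying; SpotBugs ships `@SuppressFBWarnings` (in the spotbugs-annotations artifact), which takes the pattern name as `value` and a `justification` string.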
