Use of VisibleForTesting in production code
ID: java/visible-for-testing-abuse
Kind: problem
Security severity:
Severity: warning
Precision: high
Tags:
- quality
- maintainability
- readability
Query suites:
- java-code-quality.qls
Overview
Accessing class members annotated with @VisibleForTesting from production code goes against the intention of the annotation and may indicate programmer error.
The @VisibleForTesting annotation serves to increase visibility of methods, fields or classes for the purposes of testing. Accessing these annotated elements in production code (not test code) abuses the intention of the annotation.
Recommendation
Only access methods, fields or classes annotated with @VisibleForTesting from test code. If the visibility of the methods, fields or classes should generally be relaxed, use Java language access modifiers.
Example
public class Annotated {
    @VisibleForTesting static int f() { return 42; }
}
/* src/test/java/Test.java */
int i = Annotated.f(); // COMPLIANT
/* src/main/Source.java */
int i = Annotated.f(); // NON_COMPLIANT
Implementation notes
This rule alerts on any implementation of the annotation VisibleForTesting, regardless of where it is provided from.
The rule also uses the following logic to determine what an abuse of the annotation is:
- If a public or protected member/type is annotated with @VisibleForTesting, it's assumed that package-private access is enough for production code. Therefore the rule alerts when a public or protected member/type annotated with @VisibleForTesting is used outside of its declaring package.
- If a package-private member/type is annotated with @VisibleForTesting, it's assumed that private access is enough for production code. Therefore the rule alerts when a package-private member/type annotated with @VisibleForTesting is used outside its declaring class.
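The two cases above, shown as an added single-file Java example (not part of the CodeQL documentation or the query itself). The classes SessionService and SessionStore and the locally declared VisibleForTesting annotation are hypothetical, the file is assumed to live in production sources as SessionService.java, and the alert expectations in the comments follow the implementation notes rather than a recorded query run.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.List;

// Hypothetical production class (assumed to be under src/main, not test code).
public class SessionService {
    private final SessionStore store = new SessionStore();

    int login(String token) {
        store.reset();       // package-private member used outside its declaring class: alert expected
        store.add(token);
        return store.size(); // public member used inside its declaring package: no alert expected
    }

    public static void main(String[] args) {
        System.out.println(new SessionService().login("constructed-token"));
    }
}

class SessionStore {
    private final List<String> tokens = new ArrayList<>();

    void add(String token) { tokens.add(token); }

    // Widened from private to package-private so tests can clear state.
    @VisibleForTesting
    void reset() { tokens.clear(); }

    // Widened to public for tests; a use from another package would be the alerting case.
    @VisibleForTesting
    public int size() { return tokens.size(); }

    void rotate(String token) {
        reset();             // use inside the declaring class: no alert expected
        add(token);
    }
}

// Local stand-in for a library annotation (assumption); the rule matches any
// annotation named VisibleForTesting, regardless of where it is provided from.
@Retention(RetentionPolicy.SOURCE)
@Target({ElementType.METHOD, ElementType.FIELD, ElementType.TYPE, ElementType.CONSTRUCTOR})
@interface VisibleForTesting {}
```

If production code really needs reset(), the fix in line with the recommendation is to drop the annotation and keep the package-private modifier, so the declared visibility matches the real callers.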
References
Javadoc: AssertJ VisibleForTesting.
Javadoc: JetBrains VisibleForTesting.