
fix(detector): eliminate regex backtracking — resolve SonarCloud reliability gate #61

Merged

aksOps merged 1 commit into main from fix/sonar-reliability-regex-backtracking, Apr 23, 2026

Conversation

@aksOps aksOps (Contributor) commented Apr 23, 2026

Summary

Only 2 open bugs remained in new code (SonarCloud queried directly): both java:S5998 (MAJOR — reliability) in SqlMigrationDetector.java, same root cause as the 2 unreviewed java:S5852 security hotspots on adjacent lines. Fixing the regex addresses both rule families simultaneously.

Root cause

LQ_CREATE_TABLE_YAML and LQ_ADD_FK_YAML used a reluctant-outer quantifier (?:\s++[^\n]*+\n)*? to skip intermediate indented lines before the target key. The engine could backtrack through the reluctant *? on large input → quadratic/exponential runtime.

Fix

Negative-lookahead + possessive *+: intermediate lines that would match the target key (tableName / baseTableName / referencedTableName) are excluded up front, so the outer match terminates deterministically at the same point the reluctant version did. No semantic change for valid Liquibase YAML.

// Before
"createTable\\s*+:[^\\n]*+\\n(?:\\s++[^\\n]*+\\n)*?\\s++tableName\\s*+:..."

// After
"createTable\\s*+:[^\\n]*+\\n"
    + "(?:(?!\\s++tableName\\s*+:)\\s++[^\\n]*+\\n)*+"
    + "\\s++tableName\\s*+:..."

Tests

  • 16 existing Liquibase-YAML tests still pass (positive case — plain changeSet with createTable + FK)
  • +1 regression test: liquibaseYamlChangeSet_largeIntermediateContent_completesQuickly — 500-line pathological createTable block; detection completes in <1s post-fix (pre-fix would scale quadratically)
  • Full suite: 17/17 in this class, BUILD SUCCESS

Expected gate impact

  • new_reliability_rating C → A (both S5998 bugs resolved)
  • new_security_hotspots_reviewed 97.5% → 100% (same regex patterns flagged by S5852 no longer match the vulnerable shape; if SonarCloud doesn't auto-clear them, they can be manually marked Safe in the UI with reference to this PR)

🤖 Generated with Claude Code

SonarCloud S5998 (reliability: stack overflow on large input) + S5852
(security hotspot: ReDoS) both flagged the reluctant-outer quantifier
`(?:\s++[^\n]*+\n)*?` in LQ_CREATE_TABLE_YAML and LQ_ADD_FK_YAML. The
engine was free to backtrack through the reluctant `*?`.

Rewrite with negative-lookahead + possessive `*+`: intermediate lines
that would otherwise match the target key (tableName / baseTableName /
referencedTableName) are excluded up front, so the outer match
terminates deterministically exactly where the reluctant version did.
No semantic change for valid Liquibase YAML.

Adds a regression test exercising a 500-line pathological createTable
block — completes in <1s on the rewritten patterns; the pre-fix
reluctant walk would have scaled quadratically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
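The two pattern shapes from the PR, run side by side as an added example. This is not the PR's code or the project's SqlMigrationDetector: the PR elides the pattern tails with "...", so the tails used here (a capture of the value after `tableName:`), the class and method names, and the constructed Liquibase-style YAML are all assumptions. The point it makes visible is the one java:S5998 names in the commit message: the reluctant group loop is executed recursively by java.util.regex, so its stack depth grows with every skipped line, while the possessive loop is iterated.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not code from the PR or the project. Compares the pre-fix reluctant
 * pattern with the post-fix lookahead + possessive pattern on a constructed YAML block.
 * The pattern tails, capture group, names and YAML content are assumptions.
 */
public final class RegexBacktrackDemo {

    // Pre-fix shape. java.util.regex runs a reluctant group loop recursively (one nested
    // call per iteration), so the call-stack depth grows with every intermediate line it
    // has to skip before the target key. That is the stack-overflow risk S5998 flags.
    static final Pattern BEFORE = Pattern.compile(
            "createTable\\s*+:[^\\n]*+\\n"
            + "(?:\\s++[^\\n]*+\\n)*?"
            + "\\s++tableName\\s*+:[ \\t]*+([^\\n]*+)");

    // Post-fix shape. The negative lookahead refuses any line that would satisfy the tail,
    // so the outer loop can be possessive. A possessive group loop is matched iteratively
    // and never gives back what it consumed, so there is nothing to backtrack into.
    static final Pattern AFTER = Pattern.compile(
            "createTable\\s*+:[^\\n]*+\\n"
            + "(?:(?!\\s++tableName\\s*+:)\\s++[^\\n]*+\\n)*+"
            + "\\s++tableName\\s*+:[ \\t]*+([^\\n]*+)");

    /** Constructed changeSet: createTable, fillerLines indented lines, then optionally tableName. */
    static String buildYaml(int fillerLines, boolean withTableName) {
        StringBuilder sb = new StringBuilder()
                .append("databaseChangeLog:\n")
                .append("  - changeSet:\n")
                .append("      id: 1\n")
                .append("      changes:\n")
                .append("        - createTable:\n");
        for (int i = 0; i < fillerLines; i++) {
            sb.append("            remarks").append(i).append(": filler\n");
        }
        if (withTableName) {
            sb.append("            tableName: accounts\n")
              .append("            columns:\n")
              .append("              - column:\n")
              .append("                  name: id\n");
        }
        return sb.toString();
    }

    /**
     * Returns the captured table name, null when the pattern does not match, or a marker
     * when the regex engine exhausted the thread stack (catching an Error is demo-only).
     */
    static String detect(Pattern pattern, String yaml) {
        try {
            Matcher m = pattern.matcher(yaml);
            return m.find() ? m.group(1) : null;
        } catch (StackOverflowError e) {
            return "<StackOverflowError>";
        }
    }

    static String run(String label, String scenario, Pattern pattern, String yaml) {
        long start = System.nanoTime();
        String result = detect(pattern, yaml);
        long millis = (System.nanoTime() - start) / 1_000_000L;
        System.out.printf("%-6s %-24s -> %s (%d ms)%n", label, scenario, result, millis);
        return result;
    }

    public static void main(String[] args) {
        // The PR's regression-test size: both patterns agree and return quickly.
        String small = buildYaml(500, true);
        run("before", "500 lines, key present", BEFORE, small);
        run("after", "500 lines, key present", AFTER, small);

        // Key absent: both report no match. Every inner quantifier is possessive, so on
        // this input neither pattern re-enters the skipped lines; the reluctant loop still
        // keeps one stack frame per skipped line while it looks for the key.
        String absent = buildYaml(500, false);
        run("before", "500 lines, key absent", BEFORE, absent);
        run("after", "500 lines, key absent", AFTER, absent);

        // Far beyond the test size: the recursive reluctant loop is bounded by the thread
        // stack (-Xss, typically 1 MB); the possessive loop is a plain counter loop.
        String huge = buildYaml(200_000, true);
        run("before", "200k lines, key present", BEFORE, huge);
        run("after", "200k lines, key present", AFTER, huge);
    }
}
```

Run it with `java RegexBacktrackDemo.java` (JDK 11+ single-file launch) and vary `-Xss` to see where the reluctant version gives up; on a default-sized stack the 200,000-line block typically ends in StackOverflowError for BEFORE while AFTER returns the table name. One caveat the rewrite introduces: the lookahead and the tail must keep the same prefix (`\s++tableName\s*+:` in both places). If the tail is later made stricter than the lookahead, the possessive loop stops at a line the tail then rejects and, unlike the reluctant version, cannot move on to a later `tableName` line, so any future edit to one must be mirrored in the other.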
@sonarqubecloud

Quality Gate failed

Failed conditions
B Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud


@aksOps aksOps merged commit 4c46a60 into main Apr 23, 2026
8 of 9 checks passed
@aksOps aksOps deleted the fix/sonar-reliability-regex-backtracking branch April 26, 2026 05:52

1 participant