Fix 17 SonarQube issues including string comparison, variable shadowing, and duplication

[sonarqube-agent]

This PR was created because a team member assigned these issues to the Remediation Agent.

This change resolves 17 SonarQube findings across multiple files by replacing unsafe string comparisons with equals(), eliminating variable shadowing issues through strategic renaming, and extracting duplicated string literals into reusable constants. These improvements enhance code quality, reduce maintenance burden, and prevent potential bugs caused by incorrect object comparison and variable name confusion.

View Project in SonarCloud

---

Fixed Issues

java:S4973 - Strings and Boxed types should be compared using "equals()". • MAJOR • View issue

Location: src/main/java/land/oras/Registry.java:148

Why is this an issue?

It’s almost always a mistake to compare two instances of java.lang.String or boxed types like java.lang.Integer using reference equality == or !=, because it is not comparing actual value but locations in memory.

What changed

Replaces the reference equality comparison (==) between two String variables authHeaderSource and authHeaderTarget with explicit null checks (authHeaderSource == null && authHeaderTarget == null). This fixes the bug where Strings were being compared using == instead of equals(), which compares memory locations rather than actual values.

--- a/src/main/java/land/oras/Registry.java
+++ b/src/main/java/land/oras/Registry.java
@@ -148,1 +151,1 @@ public final class Registry extends OCI<ContainerRef> {
-        if (!(authHeaderSource == authHeaderTarget
+        if (!((authHeaderSource == null && authHeaderTarget == null)

java:S1117 - Rename "descriptor" which hides the field declared at line 66. • MAJOR • View issue

Location: src/main/java/land/oras/Index.java:165

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the lambda parameter from 'descriptor' to 'manifestDescriptor' in the filter operation at line 165, eliminating the variable shadowing of the 'descriptor' field declared at line 66 of the Index class.

--- a/src/main/java/land/oras/Index.java
+++ b/src/main/java/land/oras/Index.java
@@ -165,1 +165,1 @@ public final class Index extends Descriptor implements Describable {
-                .filter(descriptor -> comparator.test(descriptor.getPlatform(), platform))
+                .filter(manifestDescriptor -> comparator.test(manifestDescriptor.getPlatform(), platform))

java:S1192 - Define a constant instead of duplicating this literal "%s://%s/%s" 3 times. • CRITICAL • View issue

Location: src/main/java/land/oras/Registry.java:630

Why is this an issue?

Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.

What changed

Defines two constants HTTPS and SCHEME_REGISTRY_PATH_FORMAT to replace duplicated string literals "https" (used 4 times) and "%s://%s/%s" (used 3 times). These constants are referenced by other hunks to eliminate the duplicated literals.

--- a/src/main/java/land/oras/Registry.java
+++ b/src/main/java/land/oras/Registry.java
@@ -64,0 +65,3 @@ public final class Registry extends OCI<ContainerRef> {
+    private static final String HTTPS = "https";
+    private static final String SCHEME_REGISTRY_PATH_FORMAT = "%s://%s/%s";
+

java:S1192 - Define a constant instead of duplicating this literal "https" 4 times. • CRITICAL • View issue

Location: src/main/java/land/oras/Registry.java:318

Why is this an issue?

Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.

What changed

Defines two constants HTTPS and SCHEME_REGISTRY_PATH_FORMAT to replace duplicated string literals "https" (used 4 times) and "%s://%s/%s" (used 3 times). These constants are referenced by other hunks to eliminate the duplicated literals.

--- a/src/main/java/land/oras/Registry.java
+++ b/src/main/java/land/oras/Registry.java
@@ -64,0 +65,3 @@ public final class Registry extends OCI<ContainerRef> {
+    private static final String HTTPS = "https";
+    private static final String SCHEME_REGISTRY_PATH_FORMAT = "%s://%s/%s";
+

java:S1117 - Rename "descriptor" which hides the field declared at line 66. • MAJOR • View issue

Location: src/main/java/land/oras/Index.java:175

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the lambda parameter from 'descriptor' to 'manifestDescriptor' in the filter operation at line 175, eliminating the variable shadowing of the 'descriptor' field declared at line 66 of the Index class.

--- a/src/main/java/land/oras/Index.java
+++ b/src/main/java/land/oras/Index.java
@@ -175,1 +175,1 @@ public final class Index extends Descriptor implements Describable {
-                .filter(descriptor -> Platform.unspecified(descriptor.getPlatform()))
+                .filter(manifestDescriptor -> Platform.unspecified(manifestDescriptor.getPlatform()))

java:S1117 - Rename "namespace" which hides the field declared at line 74. • MAJOR • View issue

Location: src/main/java/land/oras/ContainerRef.java:132

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the local variable namespace to resolvedNamespace to avoid shadowing the field namespace declared at the class level. This eliminates the confusion and potential bugs caused by a local variable hiding a field with the same name.

--- a/src/main/java/land/oras/ContainerRef.java
+++ b/src/main/java/land/oras/ContainerRef.java
@@ -132,3 +134,3 @@ public final class ContainerRef extends Ref<ContainerRef> {
-        String namespace = getNamespace(registry);
-        if (namespace != null) {
-            return "%s/%s".formatted(namespace, repository);
+        String resolvedNamespace = getNamespace(registry);
+        if (resolvedNamespace != null) {
+            return "%s/%s".formatted(resolvedNamespace, repository);

java:S1117 - Rename "registry" which hides the field declared at line 64. • MAJOR • View issue

Location: src/main/java/land/oras/ContainerRef.java:153

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the local variable registry to resolvedRegistry to avoid shadowing the field registry declared at the class level, and replaces the string literal "docker.io" with the constant DOCKER_IO to eliminate string duplication.

--- a/src/main/java/land/oras/ContainerRef.java
+++ b/src/main/java/land/oras/ContainerRef.java
@@ -153,2 +155,2 @@ public final class ContainerRef extends Ref<ContainerRef> {
-        String registry = target != null && target.getRegistry() != null ? target.getRegistry() : getRegistry();
-        if (registry.equals("docker.io")) {
+        String resolvedRegistry = target != null && target.getRegistry() != null ? target.getRegistry() : getRegistry();
+        if (resolvedRegistry.equals(DOCKER_IO)) {

java:S1192 - Define a constant instead of duplicating this literal "docker.io" 3 times. • CRITICAL • View issue

Location: src/main/java/land/oras/ContainerRef.java:154

Why is this an issue?

Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.

What changed

Introduces the constant DOCKER_IO to replace the duplicated string literal "docker.io" that appears 3 times in the file. This constant is referenced by other hunks to eliminate the duplication, fixing the code smell about duplicating the literal "docker.io".

--- a/src/main/java/land/oras/ContainerRef.java
+++ b/src/main/java/land/oras/ContainerRef.java
@@ -60,0 +61,2 @@ public final class ContainerRef extends Ref<ContainerRef> {
+    private static final String DOCKER_IO = "docker.io";
+

java:S1700 - Rename field "registry" • MAJOR • View issue

Location: src/main/java/land/oras/Registry.java:98

Why is this an issue?

It’s confusing to have a class member with the same name (case differences aside) as its enclosing class. This is particularly so when you consider the common practice of naming a class instance for the class itself.

What changed

Renames the field registry to registryName to avoid confusion with the enclosing class name Registry. This fixes the code smell where a class member has the same name (case differences aside) as its enclosing class.

--- a/src/main/java/land/oras/Registry.java
+++ b/src/main/java/land/oras/Registry.java
@@ -98,1 +101,1 @@ public final class Registry extends OCI<ContainerRef> {
-    private @Nullable String registry;
+    private @Nullable String registryName;

java:S1161 - Add the "@OverRide" annotation above this method signature • MAJOR • View issue

Location: src/main/java/land/oras/Index.java:329

Why is this an issue?

While not mandatory, using the @Override annotation on compliant methods improves readability by making it explicit that methods are overridden.

What changed

Adds the missing @OverRide annotation above the withJson method signature at line 329, making it explicit that this method overrides a parent method and improving code readability as recommended by the rule.

--- a/src/main/java/land/oras/Index.java
+++ b/src/main/java/land/oras/Index.java
@@ -328,0 +329,1 @@ public final class Index extends Descriptor implements Describable {
+    @Override

java:S1161 - Add the "@OverRide" annotation above this method signature • MAJOR • View issue

Location: src/main/java/land/oras/Manifest.java:323

Why is this an issue?

While not mandatory, using the @Override annotation on compliant methods improves readability by making it explicit that methods are overridden.

What changed

This hunk adds the @OverRide annotation above the withJson method in the Manifest class. The method overrides a parent method or implements an interface method, and the static analysis rule requires that such methods be explicitly annotated with @OverRide to improve readability and make the override relationship clear.

--- a/src/main/java/land/oras/Manifest.java
+++ b/src/main/java/land/oras/Manifest.java
@@ -322,0 +323,1 @@ public final class Manifest extends Descriptor implements Describable {
+    @Override

java:S1117 - Rename "path" which hides the field declared at line 55. • MAJOR • View issue

Location: src/main/java/land/oras/OCILayout.java:257

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

This hunk renames the local variable path to indexPath in the method at line 257 of OCILayout.java. The original local variable path was shadowing a field named path declared at line 55 of the same class. By renaming the local variable to indexPath, the shadowing is eliminated, making the code clearer and avoiding potential confusion between the local variable and the class field.

--- a/src/main/java/land/oras/OCILayout.java
+++ b/src/main/java/land/oras/OCILayout.java
@@ -257,2 +257,2 @@ public final class OCILayout extends OCI<LayoutRef> {
-        Path path = getIndexPath();
-        return Index.fromPath(path);
+        Path indexPath = getIndexPath();
+        return Index.fromPath(indexPath);

java:S1117 - Rename "descriptor" which hides the field declared at line 66. • MAJOR • View issue

Location: src/main/java/land/oras/Index.java:244

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the for-loop variable from 'descriptor' to 'existingDescriptor' at line 244, eliminating the variable shadowing of the 'descriptor' field declared at line 66 of the Index class.

--- a/src/main/java/land/oras/Index.java
+++ b/src/main/java/land/oras/Index.java
@@ -244,1 +244,1 @@ public final class Index extends Descriptor implements Describable {
-        for (ManifestDescriptor descriptor : manifests) {
+        for (ManifestDescriptor existingDescriptor : manifests) {

java:S1117 - Rename "registry" which hides the field declared at line 64. • MAJOR • View issue

Location: src/main/java/land/oras/ContainerRef.java:173

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Eliminates the local variable registry entirely by inlining the call to getRegistry(), which fixes the shadowing of the class field registry. Also replaces the string literal "docker.io" with the constant DOCKER_IO to eliminate string duplication.

--- a/src/main/java/land/oras/ContainerRef.java
+++ b/src/main/java/land/oras/ContainerRef.java
@@ -173,2 +175,1 @@ public final class ContainerRef extends Ref<ContainerRef> {
-        String registry = getRegistry();
-        if (namespace == null && registry.equals("docker.io")) {
+        if (namespace == null && getRegistry().equals(DOCKER_IO)) {

java:S1192 - Define a constant instead of duplicating this literal "$manifest" 3 times. • CRITICAL • View issue

Location: src/main/java/land/oras/Annotations.java:119

Why is this an issue?

Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.

What changed

Defines two constants MANIFEST_KEY and CONFIG_KEY to replace the duplicated string literals "$manifest" and "$config" respectively. This is the foundational change that enables all other hunks to reference these constants instead of repeating the literal strings, directly addressing both duplicated string literal warnings.

--- a/src/main/java/land/oras/Annotations.java
+++ b/src/main/java/land/oras/Annotations.java
@@ -112,0 +113,3 @@ public record Annotations(
+        private static final String MANIFEST_KEY = "$manifest";
+        private static final String CONFIG_KEY = "$config";
+

java:S1192 - Define a constant instead of duplicating this literal "$config" 3 times. • CRITICAL • View issue

Location: src/main/java/land/oras/Annotations.java:128

Why is this an issue?

Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.

What changed

Defines two constants MANIFEST_KEY and CONFIG_KEY to replace the duplicated string literals "$manifest" and "$config" respectively. This is the foundational change that enables all other hunks to reference these constants instead of repeating the literal strings, directly addressing both duplicated string literal warnings.

--- a/src/main/java/land/oras/Annotations.java
+++ b/src/main/java/land/oras/Annotations.java
@@ -112,0 +113,3 @@ public record Annotations(
+        private static final String MANIFEST_KEY = "$manifest";
+        private static final String CONFIG_KEY = "$config";
+

java:S1117 - Rename "builder" which hides the field declared at line 89. • MAJOR • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:609

Why is this an issue?

Shadowing occurs when a local variable has the same name as a variable or a field in an outer scope.

What changed

Renames the local variable 'builder' to 'requestBuilder' to avoid shadowing the class field 'builder' declared at line 89. This directly fixes the code smell where a local variable hides a field with the same name, eliminating potential confusion and unintended behavior.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -609,1 +609,1 @@ public final class HttpClient {
-            HttpRequest.Builder builder = HttpRequest.newBuilder().uri(uri).method(method, bodyPublisher);
+            HttpRequest.Builder requestBuilder = HttpRequest.newBuilder().uri(uri).method(method, bodyPublisher);

Have a suggestion or found an issue? Share your feedback here.

---

SonarQube Remediation Agent uses AI. Check for mistakes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud