
Add explanatory comments to empty certificate validation methods #6

Open
sonarqube-agent[bot] wants to merge 1 commit into main from remediate-main-20260611-090131-8f9b572c

Conversation

@sonarqube-agent


This PR was automatically created by the Remediation Agent's Scheduled backlog remediation feature.

Why these issues? Selected for their CRITICAL severity and well-defined rule (java:S1186) with a clear mechanical fix pattern. The issues are concentrated in a single production file and involve a cohesive set of related empty methods that all require the same remediation approach, enabling high-confidence resolution.

This change adds nested comments to five intentionally empty certificate validation methods in the HttpClient class, explaining that they are part of an insecure trust manager that accepts all certificates. These comments resolve critical SonarQube violations (java:S1186) that flag empty method bodies as potential code smells.

View Project in SonarCloud


Fixed Issues

java:S1186 - Add a nested comment explaining why this method is empty, throw an UnsupportedOperationException or complete the implementation. • CRITICAL • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:808

Why is this an issue?

An empty method is generally considered bad practice and can lead to confusion, readability, and maintenance issues. Empty methods bring no functionality and are misleading to others as they might think the method implementation fulfills a specific and identified requirement.

What changed

Adds a comment to the empty checkClientTrusted(X509Certificate[], String) method at line 808, explaining that it is intentionally empty because this is an insecure trust manager that accepts all client certificates. This resolves the static analysis warning about an empty method body by providing the required nested comment.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -808,1 +808,3 @@ public final class HttpClient {
-        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+        public void checkClientTrusted(X509Certificate[] chain, String authType) {
+            // Intentionally empty: insecure trust manager that accepts all client certificates
+        }
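
Review bot: the new comment clears java:S1186 but leaves a method that accepts every client certificate chain without any validation, which is why the Quality Gate comment below still reports a D Security Rating on new code. The comment should say where this trust manager is selected and whether that selection is opt-in; if this client never terminates TLS as a server, `throw new UnsupportedOperationException("client-side only")` here instead, so the no-op cannot be reached by accident (the rule text itself lists that as an accepted fix).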

java:S1186 - Add a nested comment explaining why this method is empty, throw an UnsupportedOperationException or complete the implementation. • CRITICAL • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:811

Why is this an issue?

An empty method is generally considered bad practice and can lead to confusion, readability, and maintenance issues. Empty methods bring no functionality and are misleading to others as they might think the method implementation fulfills a specific and identified requirement.

What changed

Adds a comment to the empty checkServerTrusted(X509Certificate[], String) method at line 811, explaining that it is intentionally empty because this is an insecure trust manager that accepts all server certificates. This resolves the static analysis warning about an empty method body by providing the required nested comment.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -811,1 +813,3 @@ public final class HttpClient {
-        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+        public void checkServerTrusted(X509Certificate[] chain, String authType) {
+            // Intentionally empty: insecure trust manager that accepts all server certificates
+        }
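
Review bot: this two-argument checkServerTrusted is the one that turns off server authentication: with an empty body no certificate is checked against a trust anchor, so any server presenting any certificate is accepted and the connection is protected only against passive observation, not against an active intermediary. "Insecure trust manager" undersells that; suggest `// Intentionally empty: disables server certificate validation (trusts any certificate); only for explicit insecure mode`, keeping the last clause only if such an opt-in exists in this class.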

java:S1186 - Add a nested comment explaining why this method is empty, throw an UnsupportedOperationException or complete the implementation. • CRITICAL • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:814

Why is this an issue?

An empty method is generally considered bad practice and can lead to confusion, readability, and maintenance issues. Empty methods bring no functionality and are misleading to others as they might think the method implementation fulfills a specific and identified requirement.

What changed

Adds a comment to the empty checkClientTrusted(X509Certificate[], String, Socket) method at line 814, explaining that it is intentionally empty because this is an insecure trust manager that accepts all client certificates. This resolves the static analysis warning about an empty method body by providing the required nested comment.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -814,1 +818,3 @@ public final class HttpClient {
-        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {}
+        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
+            // Intentionally empty: insecure trust manager that accepts all client certificates
+        }
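
Review bot: the comment repeats the two-argument wording, but this Socket overload comes from X509ExtendedTrustManager, and when a trust manager extends that class the SunJSSE provider calls the Socket/SSLEngine overloads rather than the two-argument ones. State in the comment that all overloads must stay consistent, so a later change that adds checks only to checkClientTrusted(X509Certificate[], String) does not create a false sense of validation.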

java:S1186 - Add a nested comment explaining why this method is empty, throw an UnsupportedOperationException or complete the implementation. • CRITICAL • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:817

Why is this an issue?

An empty method is generally considered bad practice and can lead to confusion, readability, and maintenance issues. Empty methods bring no functionality and are misleading to others as they might think the method implementation fulfills a specific and identified requirement.

What changed

Adds a comment to the empty checkServerTrusted(X509Certificate[], String, Socket) method at line 817, explaining that it is intentionally empty because this is an insecure trust manager that accepts all server certificates. This resolves the static analysis warning about an empty method body by providing the required nested comment.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -817,1 +823,3 @@ public final class HttpClient {
-        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {}
+        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
+            // Intentionally empty: insecure trust manager that accepts all server certificates
+        }
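
Review bot: for the Socket overload of checkServerTrusted the JSSE also delegates endpoint identification to the trust manager (the hostname check requested through SSLParameters.setEndpointIdentificationAlgorithm), so this empty body disables hostname verification as well as chain validation, while the comment only mentions accepting certificates. Suggest `// Intentionally empty: skips chain validation and hostname verification for every server certificate (insecure)`.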

java:S1186 - Add a nested comment explaining why this method is empty, throw an UnsupportedOperationException or complete the implementation. • CRITICAL • View issue

Location: src/main/java/land/oras/auth/HttpClient.java:820

Why is this an issue?

An empty method is generally considered bad practice and can lead to confusion, readability, and maintenance issues. Empty methods bring no functionality and are misleading to others as they might think the method implementation fulfills a specific and identified requirement.

What changed

Adds a comment to the empty checkClientTrusted(X509Certificate[], String, SSLEngine) method at line 820, explaining that it is intentionally empty because this is an insecure trust manager that accepts all client certificates. This resolves the static analysis warning about an empty method body by providing the required nested comment.

--- a/src/main/java/land/oras/auth/HttpClient.java
+++ b/src/main/java/land/oras/auth/HttpClient.java
@@ -820,1 +828,3 @@ public final class HttpClient {
-        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {}
+        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
+            // Intentionally empty: insecure trust manager that accepts all client certificates
+        }
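
Review bot: X509ExtendedTrustManager has a sixth check method, checkServerTrusted(X509Certificate[], String, SSLEngine), and none of the five hunks touches it; if this class is built on java.net.http.HttpClient, which drives TLS through an SSLEngine, that is the overload actually exercised for server certificates. Confirm whether it is also empty and, if so, give it the same comment, otherwise java:S1186 keeps firing on the most relevant method of the set.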

Have a suggestion or found an issue? Share your feedback here.


SonarQube Remediation Agent uses AI. Check for mistakes.

Fixed issues:
- AZ6wRBaXQw83x_y7ZeLG for java:S1186 rule
- AZ6wRBaXQw83x_y7ZeLI for java:S1186 rule
- AZ6wRBaXQw83x_y7ZeLF for java:S1186 rule
- AZ6wRBaXQw83x_y7ZeLH for java:S1186 rule
- AZ6wRBaXQw83x_y7ZeLJ for java:S1186 rule

Generated by SonarQube Agent (task: e319ab0e-9115-4524-b10d-f2f6d89cf1b3)
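As an added example (not code from this PR or from this project), this is what the validating alternative to an all-accepting X509ExtendedTrustManager looks like for a client built on java.net.http.HttpClient: a trust store of the expected registry CAs feeding the JDK's default PKIX trust manager, with HTTPS endpoint identification left on. The trust-store path, password and registry URL are placeholders, and it is an assumption that land.oras.auth.HttpClient wraps java.net.http.HttpClient.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/** Added example: the validating alternative to an all-accepting trust manager. */
public final class ValidatingRegistryClient {

    /** SSLContext whose trust manager performs real PKIX validation against the CAs in a PKCS12 trust store. */
    static SSLContext sslContextFromTrustStore(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        // The JDK's default X509ExtendedTrustManager: chain building to a trust anchor,
        // validity period, key usage, and the endpoint identification the SSLEngine asks for.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HTTP client that keeps hostname verification on; an empty checkServerTrusted(..., SSLEngine) would skip it. */
    static HttpClient newClient(SSLContext ctx) {
        SSLParameters params = new SSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return HttpClient.newBuilder().sslContext(ctx).sslParameters(params).build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and registry URL (constructed for this example).
        SSLContext ctx = sslContextFromTrustStore(Path.of("/path/to/registry-ca.p12"), "changeit".toCharArray());
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://registry.example/v2/")).GET().build();
        HttpResponse<String> resp = newClient(ctx).send(req, HttpResponse.BodyHandlers.ofString());
        // A server presenting a certificate outside the trust store, or issued for another name,
        // fails here with an SSLHandshakeException instead of being silently accepted.
        System.out.println("registry answered " + resp.statusCode());
    }
}
```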
@sonarqubecloud (sonarqubecloud Bot) commented Jun 11, 2026
Quality Gate failed

Failed conditions
D Security Rating on New Code (required ≥ A)


See analysis details on SonarQube Cloud

