SpotBugs: Getters expose internal mutable objects (EI_EXPOSE_REP, 95 instances)

## SpotBugs Finding: EI_EXPOSE_REP

**Category:** MALICIOUS_CODE
**Priority:** 2 (Normal) | **Rank:** 18
**Bug Type:** [EI_EXPOSE_REP](https://spotbugs.readthedocs.io/en/stable/bugDescriptions.html#ei-expose-rep)
**CWE:** [CWE-374](https://cwe.mitre.org/data/definitions/374.html)
**Instances:** 95

### Description

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to return a defensive copy.

### Affected Classes

These findings are concentrated in DTO/event classes in the `events` and `json` packages:

#### Events Package (`com.github.copilot.sdk.events`)
- `AbortEvent` — `getData()`
- `AssistantIntentEvent` — `getData()`
- `AssistantMessageDeltaEvent` — `getData()`
- `AssistantMessageEvent` — `getData()`, `getToolRequests()`
- `AssistantReasoningDeltaEvent` — `getData()`
- `AssistantReasoningEvent` — `getData()`
- `AssistantTurnEndEvent` — `getData()`
- `AssistantTurnStartEvent` — `getData()`
- `AssistantUsageEvent` — `getData()`, `getQuotaSnapshots()`
- `HookEndEvent` — `getData()`
- `HookStartEvent` — `getData()`
- `SessionIdleEvent` — `getData()`
- `ToolExecutionEndEvent` — `getData()`
- `ToolExecutionStartEvent` — `getData()`

#### JSON Package (`com.github.copilot.sdk.json`)
- `CreateSessionRequest` — `getTools()`, `getMcpServers()`, `getCustomAgents()`, `getSkillDirectories()`, `getDisabledSkills()`
- `ResumeSessionConfig` — `getTools()`, `getMcpServers()`, `getCustomAgents()`, `getSkillDirectories()`, `getDisabledSkills()`
- `ResumeSessionRequest` — `getTools()`, `getMcpServers()`, `getCustomAgents()`, `getSkillDirectories()`, `getDisabledSkills()`
- `SendMessageRequest` — `getAttachments()`
- `SessionConfig` — `getTools()`, `getAvailableTools()`, `getExcludedTools()`, `getMcpServers()`, `getCustomAgents()`, `getSkillDirectories()`, `getDisabledSkills()`
- `SessionEndHookOutput` — `getCleanupActions()`
- `SessionLifecycleEvent` — `getMetadata()`
- `SessionStartHookOutput` — `getModifiedConfig()`
- `ToolResultObject` — `getBinaryResultsForLlm()`, `getToolTelemetry()`
- `UserInputRequest` — `getChoices()`

### Decision Needed

For DTO/POJO classes used for JSON serialization, this is generally a **low-risk finding** since:
1. These objects are deserialized from JSON-RPC and consumed locally
2. Defensive copying would add overhead without meaningful security benefit
3. Jackson deserialization relies on mutable setters

**Options:**
- **Suppress:** Add `@SuppressFBWarnings("EI_EXPOSE_REP")` to DTO packages
- **Fix with records:** Convert simple DTOs to Java records (immutable by default)
- **Defensive copy:** Return `Collections.unmodifiableList()` / `Map.copyOf()` from getters

---
*Generated from SpotBugs 4.9.8 static analysis*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SpotBugs: Getters expose internal mutable objects (EI_EXPOSE_REP, 95 instances) #19

SpotBugs Finding: EI_EXPOSE_REP

Description

Affected Classes

Events Package (`com.github.copilot.sdk.events`)

JSON Package (`com.github.copilot.sdk.json`)

Decision Needed

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SpotBugs: Getters expose internal mutable objects (EI_EXPOSE_REP, 95 instances) #19

Description

SpotBugs Finding: EI_EXPOSE_REP

Description

Affected Classes

Events Package (com.github.copilot.sdk.events)

JSON Package (com.github.copilot.sdk.json)

Decision Needed

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Events Package (`com.github.copilot.sdk.events`)

JSON Package (`com.github.copilot.sdk.json`)