
Suppress EI_EXPOSE_REP2 warnings for JSON DTO packages#28

Merged
brunoborges merged 2 commits into main from copilot/fix-expose-rep2-issues
Feb 6, 2026

Conversation


Copilot AI commented Feb 6, 2026

SpotBugs flagged 95 instances of EI_EXPOSE_REP2 (setters storing references to mutable collections) in JSON DTOs and event classes. These are Jackson-deserialized objects where defensive copying adds no security value.

Changes

  • Added spotbugs-annotations dependency (provided scope)
  • Applied package-level @SuppressFBWarnings("EI_EXPOSE_REP2") to:
    • com.github.copilot.sdk.events
    • com.github.copilot.sdk.json
@SuppressFBWarnings(value = "EI_EXPOSE_REP2", justification = "DTOs for JSON deserialization - low risk")
package com.github.copilot.sdk.events;

This eliminates all 95 warnings while maintaining standard Java bean patterns for serialization frameworks.


Original prompt

This section details the original issue you should resolve

<issue_title>SpotBugs: Setters incorporate reference to external mutable objects (EI_EXPOSE_REP2, 95 instances)</issue_title>
<issue_description>
SpotBugs Finding: EI_EXPOSE_REP2

Category: MALICIOUS_CODE
Priority: 2 (Normal) | Rank: 18
Bug Type: EI_EXPOSE_REP2
CWE: CWE-374
Instances: 95

Description

Code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, storing a copy of the object is the better approach.

Affected Classes

These are the setter counterparts to the EI_EXPOSE_REP getters — same DTO/event classes:

Events Package (com.github.copilot.sdk.events)

  • AbortEvent: setData()
  • AssistantIntentEvent: setData()
  • AssistantMessageDeltaEvent: setData()
  • AssistantMessageEvent: setData(), setToolRequests()
  • AssistantReasoningDeltaEvent: setData()
  • AssistantReasoningEvent: setData()
  • AssistantTurnEndEvent: setData()
  • AssistantTurnStartEvent: setData()
  • AssistantUsageEvent: setData(), setQuotaSnapshots()
  • HookEndEvent: setData()
  • HookStartEvent: setData()
  • SessionIdleEvent: setData()
  • ToolExecutionEndEvent: setData()
  • ToolExecutionStartEvent: setData()

JSON Package (com.github.copilot.sdk.json)

  • CreateSessionRequest: setTools(), setMcpServers(), setCustomAgents(), setSkillDirectories(), setDisabledSkills()
  • ResumeSessionConfig: setTools(), setMcpServers(), setCustomAgents(), setSkillDirectories(), setDisabledSkills()
  • ResumeSessionRequest: setTools(), setMcpServers(), setCustomAgents(), setSkillDirectories(), setDisabledSkills()
  • SendMessageRequest: setAttachments()
  • SessionConfig: setTools(), setAvailableTools(), setExcludedTools(), setMcpServers(), setCustomAgents(), setSkillDirectories(), setDisabledSkills()
  • SessionEndHookOutput: setCleanupActions()
  • SessionLifecycleEvent: setMetadata()
  • SessionStartHookOutput: setModifiedConfig()
  • ToolResultObject: setBinaryResultsForLlm(), setToolTelemetry()
  • UserInputRequest: setChoices()

Decision Needed

Same considerations as EI_EXPOSE_REP — for JSON-deserialized DTOs, this is low-risk. See companion issue #19 for options.

Options:

  • Suppress: Add @SuppressFBWarnings("EI_EXPOSE_REP2") to DTO packages
  • Fix with records: Convert simple DTOs to Java records
  • Defensive copy: Store List.copyOf() / Map.copyOf() in setters

Generated from SpotBugs 4.9.8 static analysis</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
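The three options listed in the issue (suppress, records, defensive copy) differ in what a caller can observe after handing a list to a DTO. The following is an added example written for this page, not code from copilot-sdk-java; the class names ExposedRequest, CopyingRequest, RecordRequest and ExposeRep2Demo and the tool names "read_file" and "run_tests" are constructed stand-ins for the project's CreateSessionRequest.setTools() and similar setters. It shows the setter shape SpotBugs reports as EI_EXPOSE_REP2 next to the defensive-copy and record variants, and it handles the null case that a Jackson-deserialized DTO must tolerate, since List.copyOf() throws on a null list and on null elements. (The package-level @SuppressFBWarnings the PR applies instead belongs in a package-info.java file for each package.)

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical DTO (not from the project) with the setter shape SpotBugs reports as
// EI_EXPOSE_REP2: the field aliases whatever list the caller passed in.
final class ExposedRequest {
    private List<String> tools;

    public List<String> getTools() {
        return tools;
    }

    public void setTools(List<String> tools) {
        this.tools = tools; // stores the caller's reference as-is
    }
}

// Hypothetical DTO applying the issue's "defensive copy" option. The null guard matters for
// JSON DTOs, because optional fields are routinely set to null and List.copyOf rejects null.
final class CopyingRequest {
    private List<String> tools;

    public List<String> getTools() {
        return tools; // already an immutable snapshot, so the getter cannot leak state either
    }

    public void setTools(List<String> tools) {
        this.tools = tools == null ? null : List.copyOf(tools);
    }
}

// Hypothetical record applying the issue's "records" option: the compact canonical
// constructor snapshots the list once, and there is no setter to alias through.
record RecordRequest(List<String> tools) {
    RecordRequest {
        tools = tools == null ? null : List.copyOf(tools);
    }
}

public class ExposeRep2Demo {

    // Each check returns true when mutating the caller's list after handing it over
    // is observable through the DTO, i.e. when the argument was aliased rather than copied.
    static boolean plainSetterAliasesArgument() {
        List<String> shared = new ArrayList<>(List.of("read_file")); // constructed sample tool name
        ExposedRequest request = new ExposedRequest();
        request.setTools(shared);
        shared.add("run_tests"); // caller keeps mutating its own list
        return request.getTools().size() == 2;
    }

    static boolean copyingSetterAliasesArgument() {
        List<String> shared = new ArrayList<>(List.of("read_file"));
        CopyingRequest request = new CopyingRequest();
        request.setTools(shared);
        shared.add("run_tests");
        return request.getTools().size() == 2;
    }

    static boolean recordAliasesArgument() {
        List<String> shared = new ArrayList<>(List.of("read_file"));
        RecordRequest request = new RecordRequest(shared);
        shared.add("run_tests");
        return request.tools().size() == 2;
    }

    public static void main(String[] args) {
        System.out.println("plain setter aliases caller's list:   " + plainSetterAliasesArgument());
        System.out.println("copying setter aliases caller's list: " + copyingSetterAliasesArgument());
        System.out.println("record aliases caller's list:         " + recordAliasesArgument());
        // Null is accepted by both hardened variants, as optional JSON fields require.
        new CopyingRequest().setTools(null);
        System.out.println("record with null tools: " + new RecordRequest(null).tools());
    }
}
```

Run with `java ExposeRep2Demo.java` on JDK 16 or newer (records). Only the plain setter reports true: the other two hold a snapshot, so the caller's later `add` is not visible. Two things to check before picking the defensive-copy option over suppression: `List.copyOf` produces an unmodifiable list, so any existing code that calls `getTools().add(...)` on a DTO would start throwing, and a JSON array containing a `null` element would make the setter throw during deserialization. The issue's "low risk" assessment also rests on where these setters are called from: Jackson passes in a list it built itself and does not retain, so aliasing only becomes observable when application code constructs requests programmatically and keeps mutating the list it passed.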
Copilot AI changed the title [WIP] Fix SpotBugs EI_EXPOSE_REP2 issues in setters Suppress EI_EXPOSE_REP2 warnings for JSON DTO packages Feb 6, 2026
Copilot AI requested a review from brunoborges February 6, 2026 02:53
@brunoborges brunoborges marked this pull request as ready for review February 6, 2026 03:03
@brunoborges brunoborges merged commit 2be4be7 into main Feb 6, 2026
2 checks passed
@brunoborges brunoborges deleted the copilot/fix-expose-rep2-issues branch February 16, 2026 15:42

Development

Successfully merging this pull request may close these issues.

SpotBugs: Setters incorporate reference to external mutable objects (EI_EXPOSE_REP2, 95 instances)

2 participants