A lot of false positive issues related to Lombok after Sonarqube upgrade

Must-share information (formatted with Markdown):

• Sonarqube Enterprise Edition Version 10.4 (build 87286)
• Gradle Sonar Plugin 4.4.1.3373
• Java 17
• how is SonarQube deployed: Self Deployed
• We have upgraded Sonarqube Enterprise Edition Version 9.9.1 (build 69595) to Enterprise Edition Version 10.4 (build 87286) and we see a lot of false positive issues like on screenshots below. Also SupressWarnings annotation and others are ignored now. Nothing changed from code point of view, or how we execute scans, only Sonarqube replaced.
  
  
  

  image772×562 34 KB
  
  
  
  

  image798×628 41.5 KB
  
  
  

  image869×323 14.2 KB

Could you please help me to figure out what’s wrong with it?

Hi,

Regarding @SuppressWarnings, you’re hitting

SONAR-21575 Issue Suppression is not working correctly when Analyzer Download Optimization is enabled

It will be fixed in 10.5. In the meantime, you can disable the download optimization.

Regarding Lombok, can you provide a list of the relevant rules? I think we’ve already got a ticket in the backlog that’s relevant to your first screenshot:

SONARJAVA-4614 FP on S2974 if constructors are generated by Lombok

 
Thx,
Ann

I believe I found another topic related to lombok annotations which explains most of issues I posted above Sonar cloud false positive with Lombok : Unused “private” fields should be removed

Regarding screenshots above, rules are following

1. java:S1118
2. java:S1170
3. java:S2160
4. java:S3516
5. java:S1450

Hi,

Thanks for the rule IDs. It’s not clear to me that the ticket in the thread you found covers all these rules, so I started looking at tickets for the specific rules. Just for S1118, I see a couple of closed FP tickets… and yet you still see a FP.

So now could you provide a text-format reproducer for each rule, please?

 
Thx,
Ann

Another rule affected by this problem is java:S1068

Hi @douglasjuniordb1,

Can you provide text-format reproducers for any of these rules?

 
Thx,
Ann

If I set the "sonar.plugins.downloadOnlyRequired" to "true" the false-positive rules starts to appear:

Example:

sonar {
    properties {
        property "sonar.plugins.downloadOnlyRequired", "true"
    }
}

And then:

Screenshot 2024-04-18 at 15.15.13761×588 44.8 KB

SonarQube Versions:

• Community Edition
• Version 10.4.1 (build 88267)

Plugin: id “org.sonarqube” version “5.0.0.4638”

Hi,

Can you provide code, that we can copy/paste into a file for analysis & reproduction on our end?

 
Thx,
Ann

Of course, sorry.

But I think it’s because we are in 10.4 and I just see in the issue tracker that this problem was fixed in 10.5

Sample source file:

package com.my.package;

import lombok.*;

import java.util.Map;

@Getter
@Setter
@NoArgsConstructor
@Data
@EqualsAndHashCode(callSuper = true)
public class MyDTO {
    private Map<String, Object> someData;
}

Hi,

We’re in luck then! 10.5 was released earlier this week.

 

Ann

Hi, this is still happening in 10.7. Is there a particular version we should be on that resolves this?

Hi @temporal,

The tickets referenced in this thread and the linked thread are both still Open:

SONARJAVA-4178 Lombok filter should still work in case of incomplete semantic
SONARJAVA-4614 FP on S2974 if constructors are generated by Lombok

 
HTH,
Ann