A lot of false positive issues related to Lombok after Sonarqube upgrade

Must-share information (formatted with Markdown):

  • Sonarqube Enterprise Edition Version 10.4 (build 87286)
  • Gradle Sonar Plugin 4.4.1.3373
  • Java 17
  • how is SonarQube deployed: Self Deployed
  • We have upgraded Sonarqube Enterprise Edition Version 9.9.1 (build 69595) to Enterprise Edition Version 10.4 (build 87286) and we see a lot of false positive issues like on screenshots below. Also SupressWarnings annotation and others are ignored now. Nothing changed from code point of view, or how we execute scans, only Sonarqube replaced.
    image

    image

Could you please help me to figure out what’s wrong with it?

Hi,

Regarding @SuppressWarnings, you’re hitting

SONAR-21575 Issue Suppression is not working correctly when Analyzer Download Optimization is enabled

It will be fixed in 10.5. In the meantime, you can disable the download optimization.

Regarding Lombok, can you provide a list of the relevant rules? I think we’ve already got a ticket in the backlog that’s relevant to your first screenshot:

SONARJAVA-4614 FP on S2974 if constructors are generated by Lombok

 
Thx,
Ann

I believe I found another topic related to lombok annotations which explains most of issues I posted above Sonar cloud false positive with Lombok : Unused “private” fields should be removed

Regarding screenshots above, rules are following

  1. java:S1118
  2. java:S1170
  3. java:S2160
  4. java:S3516
  5. java:S1450

Hi,

Thanks for the rule IDs. It’s not clear to me that the ticket in the thread you found covers all these rules, so I started looking at tickets for the specific rules. Just for S1118, I see a couple of closed FP tickets… and yet you still see a FP.

So now could you provide a text-format reproducer for each rule, please?

 
Thx,
Ann

Another rule affected by this problem is java:S1068

Hi @douglasjuniordb1,

Can you provide text-format reproducers for any of these rules?

 
Thx,
Ann

If I set the "sonar.plugins.downloadOnlyRequired" to "true" the false-positive rules starts to appear:

Example:

sonar {
    properties {
        property "sonar.plugins.downloadOnlyRequired", "true"
    }
}

And then:

SonarQube Versions:

  • Community Edition
  • Version 10.4.1 (build 88267)

Plugin: id “org.sonarqube” version “5.0.0.4638”

Hi,

Can you provide code, that we can copy/paste into a file for analysis & reproduction on our end?

 
Thx,
Ann

Of course, sorry.

But I think it’s because we are in 10.4 and I just see in the issue tracker that this problem was fixed in 10.5

Sample source file:

package com.my.package;

import lombok.*;

import java.util.Map;

@Getter
@Setter
@NoArgsConstructor
@Data
@EqualsAndHashCode(callSuper = true)
public class MyDTO {
    private Map<String, Object> someData;
}
1 Like

Hi,

We’re in luck then! 10.5 was released earlier this week.

 
:smiley:
Ann