Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it

Hello,

There was an upgrade to Spring Boot 3.x from 2.7.x. There wasn't any issue before, but after the upgrade we received more than 250 critical vulnerabilities about the same issue: "Annotate this member with "Autowired", "Resource", "Inject", or "Value", or remove it." The Resource import is changed to the jakarta.* package in Spring Boot 3.x. However, Sonar says to import javax.annotation.Resource. I guess it should be a false positive, right? Please let me know if it is a false positive because of that reason, and how we can solve or suppress it.

Sonar version is: 10.1
Best regards,
Suzan

Hey there.

Describing code instead of pasting a code sample makes it difficult for us to reproduce or see where the issue is. Can you post some sample code that reproduces what you’re talking about?

@Colin
To give more context:
1. SonarQube Enterprise Edition Version 10.2.1 (build 78527)

2. See the snapshot of what our SonarQube server reported 2 months ago (still available now) on rule java:S3749.

The class is pretty simple, with the below imports:

import org.springframework.stereotype.Service;
import jakarta.annotation.Resource;
import java.util.List;

Hey there.

I appreciate the additional context. But I really need a single code file that reproduces the issue, rather than a combination of screenshots and imports.

Hi @Colin
The complete file is quite simple.

import jakarta.annotation.Resource;
import org.springframework.stereotype.Service;

import java.security.Provider;

@Service
public class AttachmentService {

    @Resource
    private Provider.Service providerService;
}

The tricky part we observed: with Spring Boot version 3.x, javax.annotation.Resource is moved to jakarta.annotation.Resource.

When a Spring annotation such as @Service or @Component (not a complete list) is used at class level, and the class declares fields with @Resource (jakarta.annotation.Resource), then SonarQube reports this issue.
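To make the reported behaviour concrete, here is an added Python model of the check, not SonarSource's code: the annotation lists, the regex-based parsing and the "legacy" versus "current" split are assumptions. It resolves each field annotation through the file's imports and accepts only fully qualified names it knows, so an analyzer whose list stops at javax.annotation.Resource flags the class above, while one that also knows jakarta.annotation.Resource does not.

```python
import re

# Annotations that satisfy the rule, by fully qualified name. LEGACY is an
# assumption modelling an analyzer written before the javax -> jakarta rename;
# CURRENT also knows the jakarta names, as a fixed plugin would.
LEGACY_INJECTION = {
    "org.springframework.beans.factory.annotation.Autowired",
    "org.springframework.beans.factory.annotation.Value",
    "javax.annotation.Resource", "javax.inject.Inject",
}
CURRENT_INJECTION = LEGACY_INJECTION | {
    "jakarta.annotation.Resource", "jakarta.inject.Inject"}
# Class-level annotations that make a class a Spring bean (assumed subset).
COMPONENT_TYPES = {"Service", "Component", "Repository", "Controller"}
IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\s*;", re.M)
CLASS_RE = re.compile(r"((?:@\w+\s*)*)(?:public\s+)?class\s+\w+\s*\{(.*)\}", re.S)
# Field with at least one modifier and no initializer (package-private fields
# and initialized fields are ignored in this simplified model).
FIELD_RE = re.compile(r"((?:@\w+\s*)*)((?:(?:private|protected|public|static|final)\s+)+)"
                      r"[\w.<>\[\], ]+?\s+(\w+)\s*;")

def unannotated_fields(source, accepted):
    """Fields of a Spring bean lacking an accepted injection annotation."""
    # Map each imported simple name to its fully qualified name.
    imports = {fqn.rsplit(".", 1)[-1]: fqn for fqn in IMPORT_RE.findall(source)}
    match = CLASS_RE.search(source)
    if not match:
        return []
    class_annos, body = match.groups()
    if not any(a[1:] in COMPONENT_TYPES for a in class_annos.split()):
        return []  # not a Spring bean: the rule does not apply
    flagged = []
    for annos, modifiers, name in FIELD_RE.findall(body):
        if "static" in modifiers.split():
            continue  # static fields are never injected
        fqns = {imports.get(a[1:], a[1:]) for a in annos.split()}
        if not fqns & accepted:
            flagged.append(name)
    return flagged

# The class posted in this thread, embedded as the sample input.
SAMPLE = """import jakarta.annotation.Resource;
import org.springframework.stereotype.Service;
import java.security.Provider;
@Service
public class AttachmentService {
    @Resource
    private Provider.Service providerService;
}
"""
```

Running `unannotated_fields(SAMPLE, LEGACY_INJECTION)` returns the flagged field name, while the CURRENT list returns nothing.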

Hi,

see

According to the Jira ticket
https://sonarsource.atlassian.net/browse/SONARJAVA-4612
it has been fixed in SonarJava 7.26.

SonarQube 10.2.1 ships with
\lib\extensions\sonar-java-plugin-7.24.0.32100.jar

SonarQube 10.3.0 with
\lib\extensions\sonar-java-plugin-7.27.1.33504.jar

This means updating to SonarQube 10.3.0 should fix your problem.

Gilbert
