Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it

Suzan_Yilmaz · September 5, 2023, 8:58am

Hello,

There was an upgrade to springboot 3.x from 2.7.x. There wasn’t any issue before but after upgrade we received more than 250 critical vulnerability about the same issue. “Annotate this member with “Autowired”, “Resource”, “Inject”, or “Value”, or remove it.” Resource import is changed to jakarta.* package in springboot 3.x. However Sonar says to import javax.annotation.Resource. I guess it should be false positive, right ? Please let me know if it is false positive because of that reason and how can we solve or suppress it ?

Sonar version is: 10.1
Best regards,
Suzan

Colin · September 5, 2023, 1:10pm

Hey there.

Describing code instead of pasting a code sample makes it difficult for us to reproduce or see where the issue is. Can you post some sample code that reproduces what you’re talking about?

wxqsly · November 21, 2023, 7:13am

@Colin
To give more context:
1, sonarcube Enterprise Edition Version 10.2.1 (build 78527)

2, see snapshot on what our sonarcube server reported 2 months ago and still available now on rule java:S3749.

The class is pretty simple with below imports;

import org.springframework.stereotype.Service;
import jakarta.annotation.Resource;
import java.util.List;

Colin · November 21, 2023, 9:54am

Hey there.

I appreciate the additional context. And, I really need a single code file that reproduces the issue, rather than a combo of screenshots and imports.

wxqsly · November 23, 2023, 8:25am

Hi @Colin
The complete file is quite simple.

import jakarta.annotation.Resource;
import org.springframework.stereotype.Service;

import java.security.Provider;

@Service
public class AttachmentService {

    @Resource
    private Provider.Service providerService;
}

The tricky part we observed, with springboot version 3.x, javax.annotation.Resource is moved to jakarta.annotation.Resource;

When spring annotation @Service or @Component (not a complete list) is used for class level, and the class declared fields with @Resource (jakarta.annotation.Resource), then SonarCube would report this issue.

anon67236913 · November 23, 2023, 9:16am

Hi,

see

according to the Jira ticket
https://sonarsource.atlassian.net/browse/SONARJAVA-4612
it has been fixed with SonarJava 7.26

Sonarqube 10.2.1 ships with
\lib\extensions\sonar-java-plugin-7.24.0.32100.jar

Sonarqube 10.3.0 with
\lib\extensions\sonar-java-plugin-7.27.1.33504.jar

means updating to Sonarqube 10.3.0 should fix your problem.

Gilbert

Topic		Replies	Views
java:S3749 'Members of Spring components should be injected' must be extended for Spring 3 Report False-positive / False-negative...	2	2183	October 6, 2023
Sonarqube quality check does not recognize Jakarta import libraries SonarQube Server / Community Build java , sonarqube , scanner	2	614	September 28, 2023
Java SpringBoot @Resource not detected Report False-positive / False-negative... java , sonarqube-cloud	12	87	August 27, 2025
Getting a lot of false positives for Java S3749 Report False-positive / False-negative... java , spring	2	2844	February 28, 2023
S3749: FP when a class is annotated with @ConfigurationProperties (Spring-boot project) Report False-positive / False-negative... java , sonarqube	1	1443	September 23, 2020

Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it

Related topics