Code Smell rule generates findings or both Code Smell and Vulnerability

Must-share information (formatted with Markdown):

  • SonarQube Enterprise version
  • docker

SonarQube rule java:S2384 ( Mutable members should not be stored or returned directly ) is labeled as a Code Smell, but creates findings of both Code Smell and Vulnerability types.

Rules labeled as a Code Smell should only create findings of a Code Smell type, or have some clear method of determining which type will be created.


When you look at the Vulnerability issues for this rule, how old are they?

We continuously audit our own rules and sometimes change the implementations, the descriptions and even sometimes the types.

When a rule’s type is changed from e.g. Vulnerability to Code Smell, new issues raised by the rule will be raised as Code Smells. But previously-raised issues will retain their old types. So they remain Vulnerabilities.

if you like, you can use the Bulk Change feature on the Issues page to catch the old issues up to the rule’s new type.



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.