Which product(s) you’re using
SonarQube 8.7
Which rule is affected
java:S1191
Why you believe it’s a false-positive / false-negative
While it is correct, that sun.*
packages are considered an implementation detail and should not be used according to FAQ - Sun Packages, the same is not true for com.sun.*
packages. There are many com.sun.*
classes (if not all) that should be ok to be used. This does not only packages included in the JRE like the built-in HTTP server and quite some other classes, but also additional libraries. The rule description itself for example has as a non-compliant example import com.sun.jna.Native; // Noncompliant
. But if you want to use JNA, which classes should you use then? JNA only consists of that package.
Imho the rule should adhere to its intention from its name and just forbid sun.*
and not com.sun.*
.