Customizing a builtin rule

Hello,

I’m trying to implement a custom version of the following builtin rule.

@Rule(key = "S2259")
public class NullDereferenceCheck extends SECheck {

I just copied this class to my maven module and renamed it. (I might extend the original class later, but copied just for now)

@Rule(key = "MyCustomRule")
public class MyCustomRule extends SECheck {

I copied the metadata json file and html file as well.

Now I can see the rule and even attach it to quality profiles. But it does not detect any issues. I even disabled the builtin java:S2259 rule which detects a few issues in my code.

I appreciate any clues to help me solve/debug this.

Hey @Bhathiya

It’s not possible to build custom rules based on our symbolic execution engine.

Maybe your customization would benefit many users, and we could consider building it into the core of our Java analysis? What are you trying to achieve with your custom rule?

Hey Colin,

After some debugging I found my rule does not go beyond this point due to class loader differences. So I guessed that could be the case. Thanks for the confirmation.

What I’m trying to achieve is, in our code we have custom util classes that do null checks but they are ignored by the rule. So the inbuilt rule gives many false positives. I was trying to see if I can fix that.

What are your thoughts on this? Do you think it makes sense and is technically possible to take a custom utils list as an input (maybe as a Rule Property) to the inbuilt rule and use it?

Thanks.
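To make the situation concrete, here is an added example that is not from the thread or from sonar-java itself. NullUtils, Order and OrderService are all hypothetical names constructed for illustration; the javax.annotation.Nonnull import assumes the JSR-305 annotations are on the classpath. It contrasts the three shapes a null guard can take: through a helper in a separate util module (the shape Bhathiya describes), inline, and as a parameter contract.

```java
import javax.annotation.Nonnull;

// Constructed helper of the kind described in the thread: lives in a separate
// util module and returns a boolean rather than throwing.
final class NullUtils {
    private NullUtils() {}

    static boolean isNotNull(Object o) {
        return o != null;
    }

    // Some utils do more than a plain null check, as mentioned in the thread.
    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }
}

// Minimal domain object so the dereferences below are real method calls.
final class Order {
    private final String customerId;

    Order(String customerId) {
        this.customerId = customerId;
    }

    String customerId() {
        return customerId;
    }
}

final class OrderService {
    // Shape 1: guarded through the helper. A null-dereference rule that does
    // not model NullUtils.isNotNull cannot learn that `order` is non-null inside
    // the branch, so `order.customerId()` can be reported even though it is
    // safe at runtime. This is the false positive discussed above.
    static String customerViaHelper(Order order) {
        if (NullUtils.isNotNull(order)) {
            return order.customerId().toUpperCase();
        }
        return "anonymous";
    }

    // Shape 2: the same guard as plain control flow. The comparison is visible
    // to any path-sensitive analysis, so the dereference is known to be safe.
    static String customerInline(Order order) {
        if (order != null) {
            return order.customerId().toUpperCase();
        }
        return "anonymous";
    }

    // Shape 3: the contract moved onto the parameter. Callers become
    // responsible for never passing null, and the body needs no guard.
    // Whether a given analyzer honours this annotation is not confirmed by
    // the thread; treat it as an assumption to verify in your own setup.
    static String customerNonNull(@Nonnull Order order) {
        return order.customerId().toUpperCase();
    }

    // Demonstrates that shape 1 is correct at runtime: the helper-based guard
    // really does prevent the NullPointerException, which is exactly why a
    // report on that line is a false positive rather than a real defect.
    public static void main(String[] args) {
        System.out.println(customerViaHelper(null));            // anonymous
        System.out.println(customerViaHelper(new Order("c-42"))); // C-42
        System.out.println(customerInline(null));               // anonymous
        System.out.println(NullUtils.isBlank("  "));            // true
    }
}
```

When triaging reports like the one in the thread, compare the guarded call site against shape 2: if rewriting the helper call as an inline comparison makes the report disappear while behaviour stays identical, the report is a modelling gap in the rule, not a defect in the code.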

Let me ask some experts. I know some big changes to these rules are coming soon, maybe this case is covered.

2 Likes

Hello @Bhathiya,

As Colin mentioned, it is unfortunately not currently possible to write custom rules using the Symbolic Execution (SE) engine.

A few questions for you:

  • Do you use annotations such as @Nonnull for your util methods?
  • Are they methods that simply return a boolean to indicate if the argument was null or not?
  • Do the utility classes live in the same module or a different module or dependency than the code using them?

Depending on your answers and corresponding needs, I can open a ticket to track this need on our side.

Otherwise, I don’t have a fix for you right now, unfortunately, that doesn’t involve developing your own custom plugin with an SE engine or modifying the sonar-java plugin itself, both of which we cannot provide support for.

Hello Johann,

Thanks for the response. Here are the answers to your questions.

  1. We use @Nonnull in some of our code.
  2. Yes, they simply return a boolean (however, some utils do more than null checks).
  3. Mostly in a different util module.

Thanks,
Bhathiya

I’ve opened a ticket to track this need to customize S2259. I unfortunately cannot give you an ETA for it at the moment.

In summary, there is no easy way to do what you are trying to do. Depending on how pressing it is and how many resources you can invest, you can have a look at the Java analyzer itself, as it is open-source, and in principle, you could open a PR on it. We unfortunately cannot provide much support for this path, though, so if it is not urgent, you may want to watch the ticket for the time being.

2 Likes

Thanks for the update Johann.

As this approach doesn’t work, we’re now trying out a more reactive approach to detect and resolve false positives.

Thanks,
Bhathiya