False negative about the rule RSPEC-2658

Hi, I am using SonarQube and SonarScanner, which are the latest versions. I tried some cases in the document (vulnerability category), but SonarQube failed to report them.

The following figure shows an RSPEC-2658 example:

public class Main {
    public static void main(String[] args) throws Exception {
        String className = System.getProperty("messageClassName");
        Class clazz = Class.forName(className); // should report a warning, but no warnings.
        System.out.println(clazz);
    }
}

These are the analysis results:


There are also no warnings in security hotspots.

Hey there!

This rule is not included in the built-in Quality Profile (the “Sonar Way”). Have you made sure to assign this project to a QP where the rule is turned on?

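For comparison with the snippet in the question, here is a form that never passes the property value to Class.forName and instead selects from a fixed map of compiled-in classes. This is an added example, not part of either post and not SonarSource's code; the map entries and the "text" default are assumptions made for illustration.

```java
import java.util.Map;

public class Main {
    // Constructed allowlist: logical names a deployment may select, each mapped
    // to a class that is already compiled in. String and StringBuilder stand in
    // for real message classes (assumption for this example).
    private static final Map<String, Class<?>> ALLOWED = Map.of(
            "text", String.class,
            "builder", StringBuilder.class);

    // Resolve the configured name without ever calling Class.forName on it.
    static Class<?> resolve(String name) {
        Class<?> clazz = (name == null) ? null : ALLOWED.get(name);
        if (clazz == null) {
            throw new IllegalArgumentException("messageClassName not allowed: " + name);
        }
        return clazz;
    }

    public static void main(String[] args) {
        // Same input source as the snippet in the question; "text" is an assumed default.
        String className = System.getProperty("messageClassName", "text");
        System.out.println(resolve(className));

        // A fully qualified name outside the map is rejected instead of being loaded.
        try {
            resolve("com.example.Unexpected");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```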