Language: Java
Rule: S5542
SonarQube version: 25.6.0.109173
Hi, I used SonarQube to detect S5542 bugs and found a false negative. The minimized code example is provided below. SonarQube should report this type of warning at line 10, but it reports no warnings. However, in code example 2 (equivalent to example 1), SonarQube can report two S5542 warnings. So, this is a false negative bug.
Minimized Code Example 1
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

class SecureEnctyption {
    public static void main(String[] args) {
        String[] algorithms = {"AES/CBC/PKCS5Padding", "RSA/None/NoPadding"};
        for (String alg : algorithms) {
            try {
                Cipher.getInstance(alg); // should report warnings here, but no warnings
            } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            }
        }
    }
}
Equivalent Code Example 2
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

class SecureEnctyption {
    public static void main(String[] args) {
        try {
            Cipher.getInstance("AES/CBC/PKCS5Padding"); // report a warning
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            // ...
        }
        try {
            Cipher.getInstance("RSA/None/NoPadding"); // report a warning
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            // ...
        }
    }
}
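
Added example, not part of the original post and not SonarQube's code: whether or not an analyzer follows the transformation string through the array and loop in Example 1, a runtime allow-list at a single choke point rejects both strings from the post. The class name `ApprovedCiphers` and the allow-list contents are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.util.Locale;
import java.util.Set;
import javax.crypto.Cipher;

// Hypothetical wrapper (added example): callers use this instead of Cipher.getInstance.
final class ApprovedCiphers {
    // Assumed policy: authenticated AES mode and RSA with OAEP only.
    // Stored upper-case because JCA transformation names are case-insensitive.
    private static final Set<String> ALLOWED = Set.of(
            "AES/GCM/NOPADDING",
            "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");

    private ApprovedCiphers() {}

    static boolean isAllowed(String transformation) {
        return transformation != null
                && ALLOWED.contains(transformation.toUpperCase(Locale.ROOT));
    }

    // The check runs on the actual runtime value, so it does not matter
    // whether the string was a literal, an array element, or configuration.
    static Cipher getInstance(String transformation) throws GeneralSecurityException {
        if (!isAllowed(transformation)) {
            throw new GeneralSecurityException(
                    "Transformation not on allow-list: " + transformation);
        }
        return Cipher.getInstance(transformation);
    }

    public static void main(String[] args) {
        // Constructed input: the two strings from the post plus two allow-listed ones.
        String[] algorithms = {
            "AES/CBC/PKCS5Padding", "RSA/None/NoPadding",
            "AES/GCM/NoPadding", "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"};
        for (String alg : algorithms) {
            try {
                Cipher c = getInstance(alg);
                System.out.println("OK       " + c.getAlgorithm());
            } catch (GeneralSecurityException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

Requires Java 9 or later for `Set.of`; the allow-listed names are resolved by the default JDK providers.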