False Negative for rule RSPEC-6216

Hi Team,

I would like to bring this potential issue to your attention. Please refer to Images 1 and 2 below, where Image 1 is the original and Image 2 is a variant. Image 1 correctly flags the violation of bug rule RSPEC-6216 in lines 10 and 17, while Image 2 shows a variant of the original that was scanned the same way, but the bug rule violations were not picked up in lines 10 and 17 as expected.

The bug rule RSPEC-6216 indicates the violation of the encapsulation principle.

SonarQube version: 9.9.0.65466
SonarScanner version: 5.0.1.3006
SonarQube Community Edition
Related language: Java


Image 1


Image 2

Thanks for your time and consideration.

Hey there.

Please take a look at this post on reporting false-positives.

You’ll need to provide a text-based snippet of code, and make sure the issue can be reproduced on the latest version of SonarQube’s Community Build.

Only the latest version of SonarQube Community Build is considered active, so you’ll need to upgrade and see if the false-negative can still be produced!

Your upgrade path is:

9.9.0 → 24.12 → 25.5

You may find these resources helpful:

Hello,

A rescan has been done on the code snippet with SonarQube version 10.7, and the violation of bug rule RSPEC-6216 was not flagged.

Scanned code below:

import java.lang.reflect.Field;

class Main {
    record Person(String name, int age) {}
    public static void main(String[] args) throws Exception {
        Person person = new Person("A", 26);
        Field field = Person.class.getDeclaredField("name");
        field.setAccessible(true); // secondary
        field.set(person, "B");
    }
    public static String showBug() throws Exception {
        Person person = new Person("A", 26);
        Field field = Person.class.getDeclaredField("name");
        field.setAccessible(true);
        field.set(person, "B"); // Noncompliant
        return person.name();
    }
    public static void mutant() {
        boolean condition = false;
        if (condition) {
            System.out.println("This is an unreachable statement.");
        }
    }
}

Note: To recreate, use the sonar-scanner command to scan the code snippet above and validate whether the bug rule violation was flagged.

Screenshot from the SonarQube scan window: code snippet that violates the bug rule, but this violation was not flagged.

Code snippet where the bug rule violation was correctly scanned. This shows the scan of two code snippets that violate the bug rule, with Sonar flagging this violation in one code snippet while not flagging it in the other.
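For readers following the thread, here is what the pattern in the snippet above does at runtime, next to the alternative that keeps the record's encapsulation intact. This is an added example, not code from the thread or from SonarSource; it assumes JDK 16 or later, and the names `RecordReflectionDemo`, `tryReflectiveWrite` and `withName` are hypothetical.

```java
import java.lang.reflect.Field;

public class RecordReflectionDemo {
    // Same shape as the record in the snippet above.
    record Person(String name, int age) {}

    // Attempts the reflective write that RSPEC-6216 targets and reports the outcome.
    static String tryReflectiveWrite(Person person, String newName) {
        try {
            Field field = Person.class.getDeclaredField("name");
            field.setAccessible(true);   // succeeds: only lifts the access check
            field.set(person, newName);  // record fields are final and stay read-only
            return "modified";
        } catch (IllegalAccessException e) {
            // The JDK refuses reflective writes to record fields.
            return "rejected: " + e.getClass().getSimpleName();
        } catch (NoSuchFieldException e) {
            throw new IllegalStateException(e);
        }
    }

    // Compliant alternative: records are immutable, so build a new instance.
    static Person withName(Person person, String newName) {
        return new Person(newName, person.age());
    }

    public static void main(String[] args) {
        Person person = new Person("A", 26);
        System.out.println(tryReflectiveWrite(person, "B"));
        System.out.println(person.name());          // original value is untouched
        System.out.println(withName(person, "B"));  // new record with the new name
    }
}
```

Because the reflective write fails only when it executes, a missed static finding on this pattern surfaces later as a runtime exception rather than at review time.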

Like I said, you need to reproduce this on the latest version. 25.5.

Well, now it’s:

10.7 → 24.12 → 25.5