False Negative with rule S2230 and S3306 on Spring project

Versions used: Community Edition, Version 8.3.1 (build 34397)
To install SonarQube I use the command:
docker run -d --name sonarqube -p 9000:9000 sonarqube:8.3.1-community

I want SonarQube to search for problems in my application built on the Spring Framework. I see that Sonar does not find problems with Spring.
For example, I repeated the error from rule java:S3306 “Constructor injection should be used instead of field injection”. Sonar did not find it.
Afterwards, I repeated the error from rule java:S2230 “Non-public methods should not be @Transactional” and again Sonar did not find it.
At the same time, non-Spring-related errors are found.

Hey,

Can you please provide a reproducer (code sample) which would reproduce your issues (not reporting any issue)?

Also, can you:

  • Make sure the rule is enabled in your quality profile? (By default only rules that are part of the default quality profile are enabled)
  • Make sure that the jars related to Spring are passed to the analysis? (should be automatic with the Maven scanner)

Thank you,
Michael

I pushed my code to GitHub


Class CarService contains @Transactional on a non-public method.
Class CarController contains @Autowired on a field.

To run it I use the command:
mvn sonar:sonar -Dsonar.projectKey=test -Dsonar.host.url=http://localhost:9000 -Dsonar.login=63924255c249a798abb1ae44209e0adb3c2111ba

I use the default quality profile and these rules are enabled in it. I checked it.


I understand the problem with @Transactional. I use javax.transaction.Transactional, but Sonar can find the problem only if I use org.springframework.transaction.annotation.Transactional. I think it is an important bug.
I also understand the problem with @Autowired. It is my fault. The rule was deactivated.
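
The mismatch described in the last post, as an added example that is not part of the thread or of SonarQube's code: a heuristic Python check that lists `@Transactional` on non-public methods and resolves which package the annotation is imported from, so `javax.transaction.Transactional` uses are visible whichever annotation the analyzer rule matches. The sample source, its package and its method names are constructed, and the regex is a heuristic, not a Java parser.

```python
import re

# Constructed sample, modelled on the CarService class described in the thread.
SAMPLE = """\
package com.example;

import javax.transaction.Transactional;

public class CarService {
    @Transactional
    void save(Car car) { }

    @Transactional
    public Car find(long id) { return null; }

    @Transactional
    private void purge() { }
}
"""

# Which package the simple name "Transactional" is imported from.
IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\.Transactional\s*;", re.M)
# Heuristic (not a Java parser): @Transactional, any further annotations,
# modifiers, optional type parameters, return type, method name, "(".
METHOD_RE = re.compile(
    r"@(?P<ann>(?:[\w.]+\.)?Transactional)\b(?:\([^)]*\))?\s*"
    r"(?:@\w+(?:\([^)]*\))?\s*)*"
    r"(?P<mods>(?:(?:public|protected|private|static|final|synchronized)\s+)*)"
    r"(?:<[^>]+>\s*)?[\w.<>\[\],?]+\s+(?P<name>\w+)\s*\(")

def non_public_transactional(source):
    """Return (line, method, visibility, annotation FQN) for each hit."""
    imp = IMPORT_RE.search(source)
    imported = imp.group(1) + ".Transactional" if imp else "Transactional (unresolved)"
    hits = []
    for m in METHOD_RE.finditer(source):
        mods = m.group("mods").split()
        if "public" in mods:
            continue  # public methods are not what S2230 is about
        vis = next((v for v in ("private", "protected") if v in mods), "package-private")
        ann = m.group("ann") if "." in m.group("ann") else imported
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group("name"), vis, ann))
    return hits

if __name__ == "__main__":
    for hit in non_public_transactional(SAMPLE):
        print("%d: %s() is %s, annotated with %s" % hit)
```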