False-positive and confusion on JpaRepository.getById() nulleness, impacting java:S2583

Hi,

Using the latest version of SonarLint, 7.4.0, and the following Java source code (with SonarLint markers):

(2) String res = (1) testRepo.getById(Long.valueOf(0));
return ((3) res == null) ? null : res.trim();

where testRepo is a Spring JpaRepository, we get the following ‘bug’

Change this condition so that it does not always return “false”
1: ‘getById()’ can return not null.
2: Implies ‘res’ can be not null.
3: Expression is always false.

I fail to see how 2 leads to 3. If ‘res’ can be not null, then how is (res == null) always false?

The attachment contains an Eclipse Maven project demonstrating the issue. The latest versions of SonarQube (9.4.0) and SonarScanner (4.7.0) also report the same bug.

Thanks,
Gilles

PS: I greatly enjoy your products!

sonarlintbug1.zip (4.5 KB)

Hi Gilles,

Thank you for the report! Based only on the code you provided, I can’t quite reproduce the issue. Could you provide a simple piece of code that will compile without proprietary dependencies to reproduce the FP?

This is a rule based on symbolic execution and it is quite possible that something is going wrong somewhere – to properly identify the cause a stand-alone reproducer would help a lot.

Hi Johann,

Thank you for looking at this issue. There are actually no proprietary dependencies, just regular Spring jars. If you import the project as an ‘existing Maven project’ in Eclipse (File, Import, Maven, Existing Maven Projects, then point at the folder where the pom.xml is), it should automatically download all dependencies and compile.

Please let me know if this works for you.

Thanks,
Gilles