False positive at java:S2695


I want to report a false positive for “PreparedStatement” and “ResultSet” methods should be called with valid indices.

SonarQube (Community Edition)
Java code in language level 17.

Sample code:
As you can see in the screenshot, it occurred for a prepared statement where the query itself is defined in a constant:

private static final String SQL_GET_USERS_BY_SSO_TOKEN = "select p.person_id, b.ben_person_id, b.benutzerkennung, "
                    + "u2a.application_id, b.passwort from personen p, benutzer b, USER2APPLICATION u2a "
                    + "where p.person_id = b.pij_person_id AND b.BEN_PERSON_ID = u2a.USER_BEN_PERSON_ID "
                    + "and lower(p.sso_identifier) = lower(?) and trunc(NVL(b.gesperrt_ab, sysdate+1)) > trunc(sysdate)";

Regards, Stefan

Hey there.

Thanks for the report. This was fixed with SONARJAVA-2250 which is available in the latest version of SonarQube (v9.7.1).

If you need to stay on v8.9 LTS – you should mark such issues as false positives (like you already have!)