False positive for private methods accessed publicly via __call

Andumy · May 27, 2023, 6:06pm

Hello, SonarQube is currently triggering false positive alerts for Unused "private" methods should be removed when a private method is called externally via __call().

When using AOP programming, this is a common implementation.

Here’s a simplified implementation that generates the issue:

class Foo() {
    public function __call($method, $arguments){
        if (method_exists($this, $method)) {
            //some logic called before the actual method is called
            return call_user_func_array([$this, $method], $arguments);
        } 
        trigger_error('Call to undefined method '.__CLASS__.'::'.$method.'()', E_USER_ERROR);
    }

    private function bar(){
        //bar method implementation
    }
}

$foo = new Foo();
$foo->bar(); // this will call the private method bar via the magic method __call()

SonarQube version: 10.0.0.68432
PHP version: 8.2

jonas.wielage · June 1, 2023, 8:44am

Hi @Andumy ,
Thanks for this report!

You are correct, this is a false positive and we should not raise an issue. It seems we are not correctly handling the usage of the __call() method in this case. I’ve created a ticket to fix this issue, which will be tackled in the next development iteration of the PHP Analyzer.

Thanks for the contribution,
Jonas

Andumy · August 24, 2023, 11:01pm

Hey @jonas.wielage ,I saw that the ticket is closed. Do you know in what sonar version will this be deployed?

Thanks!
Andrei

jonas.wielage · August 28, 2023, 1:17pm

Hi @Andumy ,
This ticket is included in the Release 3.32 of the PHP analyzer.
The new version of the PHP analyzer is included in SonarQube 10.2, which will be released in the next weeks.

Best,
Jonas

system · September 26, 2023, 9:42am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.