False positive for private methods accessed publicly via __call

Hello, SonarQube is currently triggering false positive alerts for Unused "private" methods should be removed when a private method is called externally via __call().

When using AOP programming, this is a common implementation.

Here’s a simplified implementation that generates the issue:

class Foo() {
    public function __call($method, $arguments){
        if (method_exists($this, $method)) {
            //some logic called before the actual method is called
            return call_user_func_array([$this, $method], $arguments);
        trigger_error('Call to undefined method '.__CLASS__.'::'.$method.'()', E_USER_ERROR);

    private function bar(){
        //bar method implementation

$foo = new Foo();
$foo->bar(); // this will call the private method bar via the magic method __call()

SonarQube version:
PHP version: 8.2

Hi @Andumy ,
Thanks for this report!

You are correct, this is a false positive and we should not raise an issue. It seems we are not correctly handling the usage of the __call() method in this case. I’ve created a ticket to fix this issue, which will be tackled in the next development iteration of the PHP Analyzer.

Thanks for the contribution,


Hey @jonas.wielage ,I saw that the ticket is closed. Do you know in what sonar version will this be deployed?


Hi @Andumy ,
This ticket is included in the Release 3.32 of the PHP analyzer.
The new version of the PHP analyzer is included in SonarQube 10.2, which will be released in the next weeks.


1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.