False positive in kotlin:S1874 (Deprecated code should not be used)


I noticed that there is no option to configure the JDK version for the Kotlin plugin (like sonar.java.jdkHome) and this causes false positives in kotlin:S1874.

I’ve created a simple example to demonstrate this: GitHub - felipebz/sonar-kotlin-bug-2

This project has a Java and a Kotlin class, both invoking System.getSecurityManager() which was deprecated in Java 17.

You can see in the GitHub Actions workflow that this project is built with JDK 11 but analyzed with JDK 17 (because of the new requirement from SonarCloud/SonarQube 10.4).

Since this code is meant for JDK 11 and the method is not deprecated in that version, it shouldn’t raise any issues. In the SonarCloud dashboard, the Java file shows no issues as expected, but the Kotlin file reports a “Deprecated code should not be used” issue.

(note: I saw that a related issue was discussed here, but I decided to create a new topic with a simpler example)

Hello @felipebz,

Thank you for reporting this undesired behavior.

The investigation shows that the Kotlin analyzer configures the org.jetbrains.kotlin.cli.jvm.compiler.TopDownAnalyzerFacadeForJVM to Java 1.8. The consequence is that the generated semantics are not the latest, leading to False Positives.

The Jira ticket SONARKT-270 tracks the progress for using the most suited java version for the Kotlin Analyzer.