False Positive in SonarCloud with Lombok annotations: Unused “private” fields should be removed

taomoh · May 4, 2023, 3:27pm

According to the thread below, the false positive issue about unused “private” fields was resolved in the v9.x series of SonarQube.
However it seems that it wasn’t resolved on SonarCloud. As I am still getting these false positives as of today (4 May 2023).

Colin · May 5, 2023, 6:35am

Hey there.

Can you provide a reproducer of your specific code that is triggering the issue?

taomoh · May 5, 2023, 8:25am

Hello Colin,

Here is one example of a class triggering the issue on SonarCloud:

import java.util.UUID;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

@NoArgsConstructor
@AllArgsConstructor
@Builder
@Getter
@Setter
public class MyClass {
  private UUID id;
  private UUID secondId;
  private UUID thirdId;
}

Thanks!

Margarita_Nedzelska · May 9, 2023, 12:31pm

Hello @taomoh,

Thanks for your message,

I tried to check your example and I can’t reproduce it. Issues are filtered out correctly because of Lombok annotations.

Could you, please, give me a little bit more context on how you’re running analysis and answer these questions:

Provide analysis log
Provide properties used for the analysis
Are you using Gradle or maven scanners?
Are you using automatic analysis?

Regards,
Margarita

taomoh · May 9, 2023, 4:56pm

Thanks @Margarita_Nedzelska for looking into this for me.

From the logs: [INFO] SonarQube version: 8.0.0.40668. So SonarCloud seems to be using a version older than SonarQube 9.x where the issue was fixed. Could this be the cause of the problem?
Properties
sonar.language=java
sonar.java.coveragePlugin=jacoco
Using maven scanner. From the logs: Downloaded from central: https://repo.maven.apache.org/maven2/org/sonarsource/scanner/api/sonar-scanner-api/2.16.2.588/sonar-scanner-api-2.16.2.588.jar
I believe we don’t use automatic analysis. Sonar scan is triggered in the CI/CD pipeline using mvn sonar:sonar command

Taoufik

Margarita_Nedzelska · May 12, 2023, 10:15am

Hi @taomoh,
Thanks for the message.

SonarCloud should use the latest version of the analyzer, so it couldn’t be there. Is it possible to share a full log with me (in private messages)?

Can you reproduce the issue locally? (running mvn sonar:sonar locally)

Have you built the project before analyzing it? Where are your class files situated?

I’ve tried to reproduce the issue in SonarCloud: SonarCloud. But there is no FP there.

So waiting for some additional information to investigate it further.

Regards,
Margarita

taomoh · May 18, 2023, 7:32pm

Hi Margarita,

From the logs it does look like my project scan is using SonarQube 8.0.0.40601. Happy to share the logs in a private message. How do I do that? I don’t see any option on sonarsource to message you privately.

I can’t reproduce the issue locally, using SonarQube latest version (10.0.0.68432). The scan doesn’t show the false positives and rightly so. I would have liked to use version 8.x but unfortunately I couldn’t, as the 8.x official images on Docker Hub are only available in AMD and my machine is ARM.

I think the key question here is why my SonarCloud scan is using an old version of SonarQube? (as the logs suggest)

Thanks,
Taoufik