False Positive in SonarCloud with Lombok annotations: Unused “private” fields should be removed

According to the thread below, the false positive issue about unused “private” fields was resolved in the v9.x series of SonarQube.
However, it seems that it wasn’t resolved on SonarCloud, as I am still getting these false positives as of today (4 May 2023).

Hey there.

Can you provide a reproducer of your specific code that is triggering the issue?

Hello Colin,

Here is one example of a class triggering the issue on SonarCloud:

import java.util.UUID;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;

@NoArgsConstructor
@AllArgsConstructor
@Builder
@Getter
@Setter
public class MyClass {
  private UUID id;
  private UUID secondId;
  private UUID thirdId;
}

Thanks!

Hello @taomoh,

Thanks for your message,

I tried to check your example and I can’t reproduce it. Issues are filtered out correctly because of Lombok annotations.

Could you please give me a little bit more context on how you’re running the analysis and answer these questions:

  1. Provide analysis log
  2. Provide properties used for the analysis
  3. Are you using Gradle or Maven scanners?
  4. Are you using automatic analysis?

Regards,
Margarita

Thanks @Margarita_Nedzelska for looking into this for me.

  1. From the logs: [INFO] SonarQube version: 8.0.0.40668. So SonarCloud seems to be using a version older than SonarQube 9.x where the issue was fixed. Could this be the cause of the problem?

  2. Properties
    sonar.language=java
    sonar.java.coveragePlugin=jacoco

  3. Using the Maven scanner. From the logs: Downloaded from central: https://repo.maven.apache.org/maven2/org/sonarsource/scanner/api/sonar-scanner-api/2.16.2.588/sonar-scanner-api-2.16.2.588.jar

  4. I believe we don’t use automatic analysis. The Sonar scan is triggered in the CI/CD pipeline using the mvn sonar:sonar command.

Taoufik

Hi @taomoh,
Thanks for the message.

SonarCloud should use the latest version of the analyzer, so it couldn’t be there. Is it possible to share a full log with me (in private messages)?

Can you reproduce the issue locally? (running mvn sonar:sonar locally)

Have you built the project before analyzing it? Where are your class files situated?

I’ve tried to reproduce the issue in SonarCloud: SonarCloud. But there is no FP there.

So waiting for some additional information to investigate it further.

Regards,
Margarita

Hi Margarita,

From the logs it does look like my project scan is using SonarQube 8.0.0.40601. Happy to share the logs in a private message. How do I do that? I don’t see any option on sonarsource to message you privately.

I can’t reproduce the issue locally, using SonarQube latest version (10.0.0.68432). The scan doesn’t show the false positives and rightly so. I would have liked to use version 8.x but unfortunately I couldn’t, as the 8.x official images on Docker Hub are only available in AMD and my machine is ARM.

I think the key question here is why my SonarCloud scan is using an old version of SonarQube? (as the logs suggest)

Thanks,
Taoufik

I am facing the same issue in SonarCloud. Is there a way to fix this?

Same problem here, Community Edition - Version 10.4.1 (build 88267)

Code:

@Getter
@Setter
@Data
public class TemplateEarningsEntityDataDTO {
    // only private fields
}


Hello @douglasjuniordb1,

Could you please share the log of the analysis? Also, could you please answer these questions:

  • Are you using Maven or Gradle?
  • Do you add any properties to Sonar?
  • How do you execute the analysis?
  • Do you build the project before running the analysis?

Best,
Margarita

Hi Margarita, thank you for your help. I found the solution here: A lot of false positive issues related to Lombok after Sonarqube upgrade - #9 by douglasjuniordb1

Nice to hear!
