False positive issues related to lombok in bitbucket sonarcloud scan


  • ALM used: Bitbucket Cloud
  • CI system used: Bitbucket Cloud
  • Scanner command used when applicable (private details masked)
  • Languages of the repository: JS
  • Potential workaround: Accepted the issues in sonarcloud and rerun the pipeline to bypass the issue.

The following JS code:

public class OtpDto {
    private String id;
    private String userId;
    private Integer attempts;
    private Integer maxAttempts;
    private Integer expiresIn;
}

Sonarcloud issues page:

We are using bitbucket sonarcloud scan pipe for scanning: pipe: sonarsource/sonarcloud-scan:2.0.0. Pipeline code is as follows:

# Note: the bare "key:" lines (definitions, services, steps, script, variables)
# were dropped when the post was rendered; they are restored here so the YAML
# parses. The service name "docker" is inferred from the "- docker" reference.
definitions:
  services:
    docker:
      memory: 4096
      type: docker
  steps:
    - step: &sonarcloudAnalysis
        name: SonarCloud Analysis
        services:
          - docker
        size: 2x
        script:
          - if [ "${BITBUCKET_PR_DESTINATION_BRANCH}" != "master" ]; then echo "Pipeline is restricted to master branch only"; exit 0; fi
          - pipe: sonarsource/sonarcloud-scan:2.0.0
            variables:
              SONAR_TOKEN: ${SONAR_TOKEN}
              EXTRA_ARGS: '-Dsonar.organization=${SONAR_ORG} -Dsonar.projectKey=${PROJECT_KEY} -Dsonar.java.binaries=. -Dsonar.exclusions=dist/,.sonar/,.scannerwork/,node_modules/,.git/,nginx/,src/*/.spec.ts,src/*/.spec.tsx -Dsonar.javascript.node.maxspace=4096 -X'
          - pipe: sonarsource/sonarcloud-quality-gate:0.1.6

Hey there.

It looks like you’re analyzing your Java code in an unrecommended way – using the SonarScanner CLI (wrapped by the Bitbucket pipe).

This can affect the accuracy of analysis results, especially those that are changed by specific dependencies (like lombok).

Did you consider following the analysis tutorial for Maven or Gradle instead?

You can find it again under the project level Administration > Analysis Method.

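For reference, here is what the Maven-driven variant of the step above looks like. This is an added example, not code from the original thread or from SonarSource; it assumes a pom.xml at the repository root that declares lombok as a provided-scope dependency, the same SONAR_TOKEN, SONAR_ORG and PROJECT_KEY repository variables as the original pipeline, and a SonarScanner for Maven release that accepts the sonar.token property.

```yaml
# Added example (not from the original post): the SonarCloud step driven by
# the Maven scanner instead of the CLI pipe. Because "mvn verify" compiles the
# project first (running Lombok's annotation processor) and the Maven scanner
# hands the analyzer the resulting classes and the full compile classpath,
# the Java analyzer can resolve the Lombok annotations and stops flagging
# fields like those in OtpDto as unused.
# Assumptions: pom.xml at repo root with lombok declared (scope "provided");
# repository variables SONAR_TOKEN, SONAR_ORG and PROJECT_KEY as before.
image: maven:3.9-eclipse-temurin-17

definitions:
  caches:
    sonar: ~/.sonar/cache   # keeps analyzer plugins between runs

pipelines:
  pull-requests:
    '**':
      - step:
          name: SonarCloud Analysis (Maven)
          size: 2x
          caches:
            - maven
            - sonar
          script:
            - if [ "${BITBUCKET_PR_DESTINATION_BRANCH}" != "master" ]; then echo "Pipeline is restricted to master branch only"; exit 0; fi
            # No -Dsonar.java.binaries=. here: the Maven scanner supplies the
            # binaries and classpath itself, so setting it by hand is wrong.
            - mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization="${SONAR_ORG}" -Dsonar.projectKey="${PROJECT_KEY}" -Dsonar.token="${SONAR_TOKEN}"
```

The quality-gate pipe from the original pipeline can be appended to the script unchanged; it only needs the report-task file the scanner writes under target/sonar.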