False Positive java:S3252 on using PanacheEntityBase static methods

Hi there, first report here, hopefully up to spec.

  • java
  • S3252 - critical - Use static access with “io.quarkus.hibernate.orm.panache.PanacheEntityBase” for “count”.
  • False positive as: In the ‘active record pattern’, readability/understandability of the code is not improved if we would use PanacheEntityBase.count() for this. The name of the class is meaningful: we can immediately see we want the count of Users in the database.
  • SonarQube Server - Enterprise Edition v9.9.5 (build 90363)
  • Extra references: Simplified Hibernate ORM with Panache - Quarkus

To resolve: this check should be ignored for any class that extends PanacheEntityBase. All static methods should be allowed to be accessed through the inherited method.

Even better: implement the reverse as a rule. If anyone uses PanacheEntityBase.count() (or any other static method), flag that as an error and tell them to use e.g. User.count() instead.

Reproducer

// imports ...
@ApplicationScoped
public class BootstrapUsers {
    @Startup
    @Transactional
    public void bootstrapUsers() {
        // this use of User.count() is flagged with the false positive
        // Use static access with "io.quarkus.hibernate.orm.panache.PanacheEntityBase" for "count"
        if (User.count() != 0) {
            throw new IllegalStateException("User table not empty!");
        }
        // ...
    }
}


// User definition below copied from https://quarkus.io/guides/security-getting-started-tutorial 
@Entity
@Table(name = "test_user")
@UserDefinition 
public class User extends PanacheEntity {
    @Username 
    public String username;
    @Password 
    public String password;
    @Roles 
    public String role;

    /**
     * Adds a new user to the database
     * @param username the username
     * @param password the unencrypted password (it is encrypted with bcrypt)
     * @param role the comma-separated roles
     */
    public static void add(String username, String password, String role) { 
        User user = new User();
        user.username = username;
        user.password = BcryptUtil.bcryptHash(password);
        user.role = role;
        user.persist();
    }
}

Hey there.

Thanks for the report. I believe we’re already tracking this at SONARJAVA-4208. If you confirm, I’ll link this thread in that ticket!

:warning: Your version is also past EOL. You should upgrade to either the latest version or the current LTA (long-term active version) at your earliest convenience. Your upgrade path is:

9.9.6 -> 2025.1.1 -> 2025.2 (last step optional)

You may find these resources helpful:

Thanks Colin - I searched before I posted, but was too limited in my query I think. The other one has been open for almost 3 years now it seems, hope you manage to close it soon :slight_smile:

“My” SQ instance is managed by my organization, I expect that they will upgrade in due time.