FP S2637 with @NonNullApi in package-info.java

fjakop · January 12, 2024, 10:56am

SonarQube Developer Edition Version 10.2 (build 77647)
org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594:sonar

We’re forcing all api to be non-null by package-info.java containing

    @NonNullApi
    @NonNullFields
    package mypackage;

    import org.springframework.lang.NonNullApi;
    import org.springframework.lang.NonNullFields;

This is overrideable by specific method annotations, consider a class MyService

    package mypackage;

    import jakarta.annotation.Nullable;

    public class MyService {
        static class InnerService {
          @Nullable
          public String getValue() {
              return null;
          }
        }
    }

SonarQube raises S2637 at return null; which we consider a false positive.

Can anyone confirm this?

angelo.buono · January 22, 2024, 9:39am

Hello @fjakop,

In my case, I failed to reproduce the scenario with your example: no issue is reported on the return null statement. Could you please provide a reproducer so I can investigate it more accurately?

Unfortunately, rule S2637 relies on the Symbolic Execution engine that is not currently maintained, and it may even be decommissioned in favor of a better engine. This rule happens to be very noisy; you can find here a list of FP reported so far.
My suggestion is to ignore the issue raised. If you provide a reproducer, I will check it and add it to the list of known False Positives.

Cheers,
Angelo