FP S2637 with @NonNullApi in package-info.java

  • SonarQube Developer Edition Version 10.2 (build 77647)
  • org.sonarsource.scanner.maven:sonar-maven-plugin:

We’re forcing all APIs to be non-null with a package-info.java containing

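    // Package-level defaults: parameters, return values and fields are non-null
    @NonNullApi
    @NonNullFields
    package mypackage;

    import org.springframework.lang.NonNullApi;
    import org.springframework.lang.NonNullFields;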

This is overridable by specific method annotations. Consider a class MyService:

    package mypackage;

    import jakarta.annotation.Nullable;

    public class MyService {
        static class InnerService {
            // Method-level annotation overriding the package-level non-null default
            @Nullable
            public String getValue() {
                return null;
            }
        }
    }

SonarQube raises S2637 at return null; which we consider a false positive.

Can anyone confirm this?

Hello @fjakop,

In my case, I failed to reproduce the scenario with your example: no issue is reported on the return null statement. Could you please provide a reproducer so I can investigate it more accurately?

Unfortunately, rule S2637 relies on the Symbolic Execution engine that is not currently maintained, and it may even be decommissioned in favor of a better engine. This rule happens to be very noisy; you can find here a list of FP reported so far.
My suggestion is to ignore the issue raised. If you provide a reproducer, I will check it and add it to the list of known False Positives.