How to get rid of thousands of False positives for java 21: Remove the non-escaped char from literal

Rules and Languages Report False-positive / False-negative...
1

Since 5 years, java supports string multiline string literals (aka text blocks).

Sonarqube flags these incorrectly as “high” bugs.

E.g.

String myString = """
    some text
    some more text
    """;

It thinks""" is a non-escaped character, which wrong. Its a text block.

  1. Why does sonarqube not support java > 14? Is none from sonarqube updating the rule set?
  2. How do we remove this check from the ruleset to avoid hundreds of false positives?
  3. In the five years this has been incorrectly flaged, has not not been raised by one user? Are we the only project using java > 14?

We are new to sonarqube.

2

Hi,

What scanner are you using to analyze the code (SonarScanner CLI, SonarScanner for Maven, Gradle…)?

3

the maven one, done on local PC. Using the instrucitons given in the “analyize project” button in the sonar UI.

4

That’s strange. I can’t reproduce it with SonarQube Cloud. Even if I force SonarQube to interpret my code as Java 8 (where this code doesn’t even compile), the issue doesn’t appear.

image
image703×239 15.2 KB

Unfortunately, I don’t know what can be causing the issue for you. I hope a SonarSource employee can provide assistance.

1 Like
5

Is there any way to disable this check? If I hit “False Positive” it only fixes one instance, not the hundreds of instances.

6

Hi @nutmix,

Could you provide a screenshot of one of these issues as well as your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

Yes, absolutely. Simply remove it from your Quality Profile. If you’re using the Sonar way profile, you won’t be able to edit that. You’ll need to make a copy, and then remove the rule from that version.

 
HTH,
Ann

7

Here is the screen shot:

image
image1055×193 11.6 KB

8

Hi,

Thanks for the screenshot!

What is your sonar.sourceEncoding set to?

Also, I’d still like to see your analysis log.

 
Thx,
Ann

9

We have not set this, so it should be what ever is the default. I dont know how to see what it is now.

How do we get the analysis log?

10

Hi, I cant see the option to copy the quality profile. Could you send a screen shot?

11

Hi,

For the analysis log, there’s a link in my previous post.

For sonar.sourceEncoding, the default is the system encoding.

For Quality Profiles, the docs should help.

 
Ann

12

I followed this link you kindly povided: How to find logs about importing code coverage

However, there is no mention on this doc for where the logs are located. I followed the link for maven, which takes you to this doc:

But again no mention that I can find of where analysis logs are located.

13

Hi,

What I’m looking for is the analysis portion of the job logs from your CI.

 
Ann

14

The docs you provide for the quality profiles say there should be a create button, but we cant find it. This is what we see:

image
image2203×1213 173 KB

Maybe we require special permissions?

15

Hi,

If you don’t see the ‘Create’ button, then you don’t have permissions to create Quality Profiles. You’ll need to talk to an instance admin.

 
HTH,
Ann

17

Can we share the output privately? It will contain company specific names and data we dont want to share.

18

Hi,

Feel free to redact as necessary.

 
Ann

19

If I run the maven command it gives this for the java part:

[INFO] Store cache: Starting^M
[INFO] Store cache: Time spent was 00:00:00.000^M
[INFO] java security sensor: Time spent was 00:00:01.376^M
[INFO] java security sensor: Begin: 2025-03-10T14:11:23.037992600Z, End: 2025-03-10T14:11:24.414017Z, Duration: 00:00:01.376
  Load type hierarchy and UCFGs: Begin: 2025-03-10T14:11:23.042995600Z, End: 2025-03-10T14:11:23.176227400Z, Duration: 00:00:00.133
    Load type hierarchy: Begin: 2025-03-10T14:11:23.042995600Z, End: 2025-03-10T14:11:23.092993300Z, Duration: 00:00:00.049
    Load UCFGs: Begin: 2025-03-10T14:11:23.092993300Z, End: 2025-03-10T14:11:23.176227400Z, Duration: 00:00:00.083
  Check cache: Begin: 2025-03-10T14:11:23.176227400Z, End: 2025-03-10T14:11:23.177225900Z, Duration: 00:00:00.000
    Load cache: Begin: 2025-03-10T14:11:23.176227400Z, End: 2025-03-10T14:11:23.176227400Z, Duration: 00:00:00.000
  Create runtime call graph: Begin: 2025-03-10T14:11:23.177225900Z, End: 2025-03-10T14:11:23.199227500Z, Duration: 00:00:00.022
    Variable Type Analysis #1: Begin: 2025-03-10T14:11:23.177225900Z, End: 2025-03-10T14:11:23.190225700Z, Duration: 00:00:00.012
      Create runtime type propagation graph: Begin: 2025-03-10T14:11:23.178228200Z, End: 2025-03-10T14:11:23.186227400Z, Duration: 00:00:00.007
      Run SCC (Tarjan) on 349 nodes: Begin: 2025-03-10T14:11:23.186227400Z, End: 2025-03-10T14:11:23.187226Z, Duration: 00:00:00.000
      Propagate runtime types to strongly connected components: Begin: 2025-03-10T14:11:23.188227900Z, End: 2025-03-10T14:11:23.189226200Z, Duration: 00:00:00.000
    Variable Type Analysis #2: Begin: 2025-03-10T14:11:23.191260200Z, End: 2025-03-10T14:11:23.198226900Z, Duration: 00:00:00.006
      Create runtime type propagation graph: Begin: 2025-03-10T14:11:23.191260200Z, End: 2025-03-10T14:11:23.196241300Z, Duration: 00:00:00.004
      Run SCC (Tarjan) on 349 nodes: Begin: 2025-03-10T14:11:23.196241300Z, End: 2025-03-10T14:11:23.197226500Z, Duration: 00:00:00.000
      Propagate runtime types to strongly connected components: Begin: 2025-03-10T14:11:23.197226500Z, End: 2025-03-10T14:11:23.197226500Z, Duration: 00:00:00.000
  Load config: Begin: 2025-03-10T14:11:23.199227500Z, End: 2025-03-10T14:11:24.201922600Z, Duration: 00:00:01.002
  Compute entry points: Begin: 2025-03-10T14:11:24.201922600Z, End: 2025-03-10T14:11:24.216923700Z, Duration: 00:00:00.015
  Slice call graph: Begin: 2025-03-10T14:11:24.216923700Z, End: 2025-03-10T14:11:24.218924100Z, Duration: 00:00:00.002
  Live variable analysis: Begin: 2025-03-10T14:11:24.218924100Z, End: 2025-03-10T14:11:24.227938700Z, Duration: 00:00:00.009
  Taint analysis for java: Begin: 2025-03-10T14:11:24.228922500Z, End: 2025-03-10T14:11:24.392923600Z, Duration: 00:00:00.164
  Report issues: Begin: 2025-03-10T14:11:24.392923600Z, End: 2025-03-10T14:11:24.396923600Z, Duration: 00:00:00.004
  Store cache: Begin: 2025-03-10T14:11:24.397927200Z, End: 2025-03-10T14:11:24.398925700Z, Duration: 00:00:00.000^M
[INFO] java security sensor peak memory: 345 MB^M
[INFO] Sensor JavaSecuritySensor [security] (done) | time=1380ms^M
20

Might be worth noting its a multi-module spring boot 3.4 project using java 21.

21

Hi,

I’m looking for the full log from the analysis command itself through to the end, please.

So clearly you’re building with Java 21. Are you also running the analysis process with Java 21?

 
Ann