How to Report a False-positive / False-negative

Hey SonarSource Community!

False-positives happen, as do false-negatives, and we’re eager to fix them. We are thrilled when our users report issues so that we can make our products better.

What is a false-positive (FP)?

A false-positive is when an issue is raised unexpectedly on code that should not trigger an issue, or where the suggested action doesn’t make any sense for the code.

What is a false-negative (FN)?

A false-negative is when an issue should be raised on a piece of code, but isn’t.

There are some things we’d like from you to make sure the information you provide is complete, and so that we can work efficiently.

Relation between reported issues

What information should I include?

When reporting a false-positive or a false-negative, make sure to tell us…

Which product(s) you’re using

  • SonarQube
    • If so, which version of SonarQube?
  • SonarCloud
  • SonarLint
  • If yes, with which IDE and which version?
    • If you’re using Connected Mode, tell us with which product (if it’s SonarQube, see the above notes on providing version details)

:warning: When possible, please try and reproduce the issue using the latest releases of our products. You might get lucky! Our products are continuously improving, and investigating an issue we’ve already fixed isn’t fun for anybody. Your report is much more likely to get attention if you are using a fresh release.

Which language you’re analyzing (and tag your post with the language!)

We’re looking at a lot of code all day. Let us know if it’s Java, C#, Python, COBOL…

Tagging your post with the right language will make it more likely to draw the attention of the right team, and other tags (like security for vulnerability rules) also help us!

Which rule is affected

The title of the rule can be enough, but the Rule ID is even better (E.G. S1234)

Why you believe it’s a false-positive / false-negative

Even if you think it’s obvious, take the time to explain why an issue should or should not be raised.

We also need you to include a code sample

This code sample should either be:

  • code-as-text. Not a screenshot of code or a screenshot of an issue raised in SonarQube.
  • Or a link to code that raises the issue (or doesn’t) on a public SonarCloud project

The more complete a code sample, the easier it will be for us to reproduce and figure out where the issue is. At the same time, it should only be the code that is necessary to reproduce the issue.

Recognizing the varying levels of effort it can take to provide a code sample, here is our order of preference for how the code sample is provided.

  • For C#, Java, and C/C++: a minimal sample project with everything needed to build/analyze (a Maven project, a Visual Studio solution, etc.)
  • A single file (or the full content of a file wrapped with triple quote ``` for proper formatting) where the false-positive is raised, or where an issue isn’t raised in the case of a false-negative.
  • A well-formatted excerpt of code (make sure this excerpt still raises the issue)

Please also leave a comment in the code where the false-positive is being raised, or where the false-negative should be reported and isn’t.

Advanced Tips

It’s possible your false-positive / false-negative has already been reported! Searching our public issue trackers by Rule ID is a good way to find out.

Javascript / Typescript

If you find a similar issue and still have some doubts, go ahead and report it to us.

Thanks again for helping us make our products better!