How to Report a False-positive

Hey SonarSource Community!

False-positives happen, and we’re eager to fix them. We are thrilled when our users report issues so that we can make our products better.

There are some things we’d like from you to make sure the information you provide is complete, and so that we can work efficiently.

When reporting a false-positive, make sure to tell us…

Which product(s) you’re using

  • SonarQube
    • If so, which version of SonarQube?
    • If you’re using SonarQube < v8.5, let us know what version of the affected analyzer is being used (see the Marketplace on your SonarQube instance)
  • SonarCloud
  • SonarLint
    • If yes, with which IDE and which version?
    • If you’re using Connected Mode, tell us with which product (if it’s SonarQube, see the above notes on providing version details)

⚠️ When possible, please try to reproduce the issue using the latest releases of our products. You might get lucky! Our products are continuously improving, and investigating an issue we’ve already fixed isn’t fun for anybody. Your report is much more likely to get attention if you are using a fresh release.

Which language you’re analyzing (and tag your post with the language!)

We’re looking at a lot of code all day. Let us know if it’s Java, C#, Python, COBOL…

Tagging your post with the right language will make it more likely to draw the attention of the right team, and other tags (like security for vulnerability rules) also help us!

Which rule is affected

The title of the rule can be enough, but the Rule ID is even better (e.g. S1234).

Why you believe it’s a false-positive

Even if you think it’s obvious, take the time to explain why an issue should not have been raised.

We also need you to include a code sample

This code sample should either be:

  • code-as-text. Not a screenshot of code or a screenshot of an issue raised in SonarQube.
  • Or a link to code that raises the issue on a public SonarCloud project

The more complete a code sample, the easier it will be for us to reproduce and figure out where the issue is. At the same time, it should only be the code which is necessary to reproduce the issue.

Recognizing the varying levels of effort it can take to provide a code sample, here is our order of preference for how the code sample is provided.

  • For C#, Java, and C/C++: a minimal sample project with everything needed to build/analyze (a Maven project, a Visual Studio solution, etc.)
  • A single file (or the full content of a file wrapped in triple backticks ``` for proper formatting) where the false-positive is raised
  • A well-formatted excerpt of code (make sure this excerpt still raises the issue)

Please also leave a comment in the code where the false-positive is being raised.

Advanced Tips

It’s possible your false-positive has already been reported! Searching our public issue trackers by Rule ID is a good way to find out.

JavaScript / TypeScript

If you find a similar issue and still have some doubts, go ahead and report it to us.

Thanks again for helping us make our products better!