java:S1128: false negative when Lombok log is used

Product: SonarCloud

Unused imports are not being detected when Lombok’s log4j2 is used (not just declared as a class level annotation but actually used).

Analyzer running on JDK11
Project source: Java8
CI: Jenkins
Build: Maven3

package fnreproducer;

import org.apache.commons.lang3.StringUtils; // unused but Sonar doesn't detect this

import lombok.extern.log4j.Log4j2;

@Log4j2
public class SomeClass {
	void someMethod() {
		// crucial for this reproducer to use the 'log' field: otherwise the unused import is truly detected
		log.info("Any");
	}
}

3 Likes

Hello @lrozenblyum

Thanks for the feedback.
As a general observation, tools modifying the source code (like Lombok) are usually messing up with static analysis (relying only on the source code). We are trying hard to still have a nice experience when using Lombok, but I’m afraid this sometimes results in false negatives.

I’m afraid this case is a limitation of the engine, supporting it perfectly would require almost re-implementing Lombok logic, this is out of scope for now.

Hope it clarifies the situation.
Best,
Quentin.

Hello @Quentin.

Thanks for the explanation.
Unfortunately for our project that heavily uses Lombok and the @Log4j2 annotation, it means java:S1128 is almost not working.
So we’d appreciate if some investigation may be done to somehow improve this in Sonar.

Hello Quentin, We are faced with this issue as well. Do you have any updates?