Java False Positive "Do not use finalizers" when Finalizer is Empty and Final

We are using SonarCloud to scan our Java open source project [1] and are now getting false positives for using (empty final) finalizers, e.g.:

protected final void finalize() {}

SonarQube checks the rule in order to comply with MET12-J, but MET12-J defines an exception, MET12-J-EX1: “A class may use an empty final finalizer to prevent a finalizer attack […]”, which does not seem to be checked in SonarQube, leading to the false positive.

Checkstyle / SpotBugs raises this as an error (see [2]), suggesting to introduce the empty finalizer or to make the class final, and if we introduce the finalizer, SonarQube raises this as a high-severity issue.

Can this rule be adapted to consider MET12-J-EX1 and not raise this as an issue if the finalizer is empty and final? Thanks.

[1] SonarCloud
[2] Bug descriptions — spotbugs 4.8.3 documentation


Hello @kriskra, welcome to the Sonar Community, and thanks a million for bringing such an interesting scenario to our attention!

The attack scenario described in OBJ11-J (Be wary of letting constructors throw exceptions) is very interesting! I will check if we cover such a scenario and propose a new rule. According to MET12-J-EX1, the finalizer attack happens in the OBJ11-J scenario. Since, in your case, you are not throwing any exception in the constructor, I would suggest you not override finalize().

Jira ticket SONARJAVA-4758 has been created to cover the finalizer attack scenario for rule S1113.
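The scenario both posts refer to, as an added example that is not code from this thread, the poster's project, or Sonar's rule implementation: an attacker-controlled subclass overrides finalize() to resurrect an object whose constructor threw (the OBJ11-J attack), and the MET12-J-EX1 empty final finalizer stops that subclass from compiling. The class names Vault, EvilVault and SealedVault are hypothetical.

```java
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the original post or the Sonar rule): the finalizer
 * attack from OBJ11-J and the MET12-J-EX1 mitigation. Vault, EvilVault and
 * SealedVault are hypothetical names chosen for this demo.
 */
public class FinalizerAttackDemo {

    /** Vulnerable: the constructor rejects bad input by throwing, but the object still exists. */
    static class Vault {
        // Field initializers run before the constructor body, so this is set even when
        // the constructor throws: the rejected object is "partially constructed".
        private final String secret = "data-that-should-never-leak";

        Vault(int credential) {
            if (credential != 42) {
                throw new IllegalArgumentException("bad credential");
            }
        }

        String readSecret() {
            return secret;
        }
    }

    /** Attacker-controlled subclass: its finalizer resurrects the instance the constructor rejected. */
    static class EvilVault extends Vault {
        static volatile Vault resurrected; // written on the finalizer thread

        EvilVault(int credential) {
            super(credential); // throws for credential != 42
        }

        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            resurrected = this; // the GC hands the attacker a reference to the rejected object
        }
    }

    /** Hardened per MET12-J-EX1: an empty final finalizer cannot be overridden by a subclass. */
    static class SealedVault {
        private final String secret = "data-that-should-never-leak";

        SealedVault(int credential) {
            if (credential != 42) {
                throw new IllegalArgumentException("bad credential");
            }
        }

        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected final void finalize() {}
    }

    // The EvilVault equivalent against SealedVault does not compile:
    //   static class EvilSealedVault extends SealedVault {
    //       EvilSealedVault(int c) { super(c); }
    //       protected void finalize() {}   // error: finalize() in SealedVault is final
    //   }

    @SuppressWarnings({"deprecation", "removal"})
    public static void main(String[] args) throws InterruptedException {
        try {
            new EvilVault(0); // constructor throws; the instance is unreachable but finalizable
        } catch (IllegalArgumentException e) {
            System.out.println("constructor rejected the object: " + e.getMessage());
        }

        // Finalization is not deterministic: nudge the GC a few times and wait.
        for (int i = 0; i < 20 && EvilVault.resurrected == null; i++) {
            System.gc();
            System.runFinalization();
            TimeUnit.MILLISECONDS.sleep(50);
        }

        if (EvilVault.resurrected != null) {
            System.out.println("finalizer attack succeeded, secret = "
                    + EvilVault.resurrected.readSecret());
        } else {
            System.out.println("no resurrection observed (GC timing, or finalization disabled)");
        }
    }
}
```

Compile and run with `javac FinalizerAttackDemo.java && java FinalizerAttackDemo`; on HotSpot the resurrected message normally appears within the retry loop. finalize() is deprecated for removal since JDK 18, and `java --finalization=disabled FinalizerAttackDemo` defeats the attack at the JVM level regardless of the class design. Making the class final (the alternative SpotBugs suggests) blocks the same vector by preventing the subclass altogether.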