java:S3252: false positive with Quarkus Panache


Using SonarQube version 9.3 (build 51899), the rule “static” base class members should not be accessed via derived types (java:S3252) raises false negative when using injected methods on classes that extends PanacheEntity and PanacheEntityBase.

public class Person extends PanacheEntity {

// this will trigger java:S3252
List<Person> allPersons = Person.listAll();

In a mundane application, the rule fires a lot and makes using Sonar with Panache pretty painful.
Would it be possible to instruct the rule to ignore the static method calls for these specific methods (they are all annotated with @io.quarkus.panache.common.impl.GenerateBridge)

The related framework documentation can found here: Quarkus - Simplified Hibernate ORM with Panache
A simple reproducer can be found here: GitHub - gnieser/sandbox-sonar

Best Regards

1 Like

Hey @guillaumen ,

Thanks a lot for the time you took to provide such a precise reproducer and explain your issue! It’s highly appreciated and it considerably helps us identify the issue. :+1:

Your use case is a tough one (Quarkus obviously injects some static methods into the code of subclasses), making it hard to generalize into fixing something else than this very precise case. I still created a ticket to tackle it (SONARJAVA-4208). We will see at implementation time which approach we choose, but it will anyway kill the noise for you.