Hi, I think rule RSPEC-2275 should recognize final constant strings, not only literals. Please refer to the minimized sample below.
This is a false negative. fs is a bad format string, but SonarQube cannot detect it. Hence, I think we should let this rule consider this kind of constant. Besides, this false negative can lead to a runtime crash and could cause serious consequences.
Thanks for your kind consideration.
public void func() {
    final String fs = "Not enough arguments %d and %d";
    String s = String.format(fs, 1); // should report a warning here, because of wrong format string
    System.out.println(s);
}
Used Version:
- sonarqube-9.2.3.50713
- sonar-scanner-4.6.2.2472-macosx
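
The check the post asks for, as an added example that is not part of the original post and not SonarQube's own code: it counts the arguments a format string needs and compares that with the number supplied, using the sample's `fs`. The class `FormatArgCheck` and the method `requiredArgs` are hypothetical names, and the specifier pattern is a simplified reading of the `java.util.Formatter` syntax.

```java
import java.util.MissingFormatArgumentException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FormatArgCheck {
    // Specifier syntax documented for java.util.Formatter:
    // %[argument_index$][flags][width][.precision][t|T]conversion
    private static final Pattern SPEC = Pattern.compile(
        "%(\\d+\\$)?([-#+ 0,(<]*)?(\\d+)?(\\.\\d+)?([tT])?([a-zA-Z%])");

    /** Smallest number of arguments String.format needs for this format string. */
    static int requiredArgs(String format) {
        Matcher m = SPEC.matcher(format);
        int ordinary = 0; // specifiers that consume the next sequential argument
        int highest = 0;  // highest explicit position referenced, e.g. %3$s
        while (m.find()) {
            String index = m.group(1);
            String flags = m.group(2);
            String conv = m.group(6);
            if (m.group(5) == null && (conv.equals("n") || conv.equals("%"))) {
                continue; // %n and %% take no argument
            }
            if (index != null) {
                int pos = Integer.parseInt(index.substring(0, index.length() - 1));
                highest = Math.max(highest, pos);
            } else if (flags != null && flags.contains("<")) {
                continue; // %<s reuses the previous argument (simplification)
            } else {
                ordinary++;
            }
        }
        return Math.max(ordinary, highest);
    }

    public static void main(String[] args) {
        final String fs = "Not enough arguments %d and %d"; // format string from the post
        Object[] supplied = {1};                            // arguments from the post
        int needed = requiredArgs(fs);
        if (needed > supplied.length) {
            System.out.println("mismatch: format needs " + needed
                + " argument(s), call supplies " + supplied.length);
        }
        try {
            String.format(fs, supplied); // the call from the sample
        } catch (MissingFormatArgumentException e) {
            System.out.println("runtime failure: " + e);
        }
    }
}
```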