java:S107 false positive with micronaut framework

I believe that list of exceptions in Sonar rule java:S107 should be extended, so that the limit of parameters is not applied to methods with the following Micronaut annotations from io.micronaut.http.annotation package:
@ Get, Head, Post, Put, Delete, Options, Trace, Patch

Justification:
Java REST frameworks allow to map a HTTP request to a controller method, that handles the request.
The HTTP request may contain many parameters (in URL, in body, in HTTP headers) and they are all passed to the controller method.
This way, controller methods may violate the java:S107.

Fortunately, the Sonar rule contains exception for methods annotated with Spring’s @RequestMapping.
However, the Sonar rule contains no exceptions for Micronaut framework which has similar purpose.

Similar issue here as well: java:S107 misses some spring cases The same situation would be with Micronaut and its Bean lifecycle annotations.

Btw. perhaps the rule should be made configurable, so that anyone can add such annotations as exceptions? Would be easier to handle plenty of frameworks that are providing custom annotations alongside standard jakarta.

Affected version: 8.9.x+

1 Like

Hey @pkucia,

Thanks for the feedback! I extended the description of the ticket (SONARJAVA-4072), created from the first thread you refer to, to also cover micronaut annotations.

Finally, note that the fix which will be done won’t be available for SQ LTS but only as part of the future java analyzer releases, ultimately only shipped with the latest versions of SQ (9.X ).

Cheers,

Michael

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.