java:S107 ignores Lombok AllArgsConstructor and RequiredArgsConstructor annotations

Rules and Languages Report False-positive / False-negative...
,
1
  • What language is this for? Java
  • Which rule? java:S107
  • Why do you believe it’s a false-positive/false-negative? Works fine when not using lombok
  • Are you using
    • SonarCloud
      • in connected mode with SonarCloud
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

Appears java:S107 rule ignores Lombok annotations AllArgsConstructor and RequiredArgsConstructor.

Manually doing the constructor will make java:s107 return true positive.

Lombok example with constructor with 8+ parameters (false negative):

package com.example;

@RequiredArgsConstructor
public class LombokConstructorExample {

    private final Environment environment;
    private final ServerProperties serverProperties;
    private final DataSourceProperties dataSourceProperties;
    private final JdbcProperties jdbcProperties;
    private final WebProperties webProperties;
    private final CacheProperties cacheProperties;
    private final JacksonProperties jacksonProperties;
    private final GsonProperties gsonProperties;
}

Manually made constructor with 8+ parameters (true positive):

package com.example;

public class ManualConstructorExample {

    private final Environment environment;
    private final ServerProperties serverProperties;
    private final DataSourceProperties dataSourceProperties;
    private final JdbcProperties jdbcProperties;
    private final WebProperties webProperties;
    private final CacheProperties cacheProperties;
    private final JacksonProperties jacksonProperties;
    private final GsonProperties gsonProperties;

    public ManualConstructorExample(
            Environment environment,
            ServerProperties serverProperties,
            DataSourceProperties dataSourceProperties,
            JdbcProperties jdbcProperties,
            WebProperties webProperties,
            CacheProperties cacheProperties,
            JacksonProperties jacksonProperties,
            GsonProperties gsonProperties) {
        this.environment = environment;
        this.serverProperties = serverProperties;
        this.dataSourceProperties = dataSourceProperties;
        this.jdbcProperties = jdbcProperties;
        this.webProperties = webProperties;
        this.cacheProperties = cacheProperties;
        this.jacksonProperties = jacksonProperties;
        this.gsonProperties = gsonProperties;
    }
}
4

Hello @s_jepsen,

Thanks for the feedback. This is my understanding:

  • There’s a legitimate java:S107 issue on ManualConstructorExample, you are happy about this.
  • There’s a missing java:S107 issue on LombokConstructorExample, because you expect to have one.

It’s true, LombokConstructorExample has a constructor generated by Lombok with 8 arguments. So we could consider raising a java:S107 issue on it. Unfortunately, the static analysis relies only on the source code and not the binaries generated by Lombok, it does not see the constructor. This case is a limitation of the engine, and supporting Lombok-generated binaries would require almost re-implementing Lombok logic, this is out of scope for now.

The only support of Lombok that we have is related to removing false-positive.

Hope it clarifies the situation.

Best,
Alban.

1 Like
6

Hi, Alban

Your understanding is correct :slight_smile:

I’m sorry to hear the limitation of only scanning the source code - and understand the implications of removing this limitation.

Thanks for your time.

Regards,
Soren