We are currently using:
SonarQube Server 8.1.0.31237
Java Sonar Plugin 6.3 (build 21585)
Some of our developers complain that there are false positives with the rule java:S107 in some cases:
- Using JAX-RS API interface classes. As there are some API endpoints which need more than 7 URL params, these methods annotated with “javax.ws.rs.GET” raise a Sonar issue although they cannot be changed.
- Using Spring Bean constructor injection with @Autowired, which in some cases causes constructors with many parameters, which should not raise an issue.
- Using CDI constructor injection with @Inject. Same as above.
I’d suggest adding the following annotations to the whitelist of the rule:
javax.ws.rs.GET
javax.ws.rs.POST
javax.ws.rs.PUT
javax.ws.rs.PATCH
org.springframework.beans.factory.annotation.Autowired
javax.inject.Inject
And I think it would be great to change the rule so that a Sonar admin can add annotation FQNs to the whitelisted annotations.