Product: SonarQube Community Build 26.5.0.122743
sonar-java version: sonar-java 8.29 (build 43460)
sonar-java SE version: sonar-java-symbolic-execution 8.16.4 (build 1912)
Java source level: 21 (javac 21, source/target 21)
Rule
java:S1113 — The “Object.finalize()” method should not be overridden
Description
S1113 provides a documented exception: “It is allowed to override the finalize() method as final method with an empty body, to prevent the finalizer attack…”.
However, this exception logic fails if the no-op method body contains an explicit return; statement. Instead of treating it as a compliant security defense, Sonar raises a false positive on java:S1113.
While the return; statement is redundant, the developer’s intent remains purely defensive (preventing finalizer attack). The presence of a trivial return; should not completely invalidate the S1113 exception logic and trigger code smell false positives on compliant code.
Reproducer
package demo;
public class SecureResource {
// Compliant — S1113 NOT reported (Matches the documented exception)
@Override
protected final void finalize() {}
}
package demo;
public class SecureResource {
// False Positive — S1113 IS reported
@Override
protected final void finalize() { return; }
}
Expected behavior
When finalize() is overridden as final and contains no operational logic (either strictly empty {} or containing a bare return;), it should be recognized as a finalizer attack defense.
The java:S1113 rule should be silenced in this specific context, as the behavior remains semantically equivalent to an empty body used for security enforcement.
Actual behavior
Sonar fails to recognize { return; } as a no-op defense block, resulting in a false positive on java:S1113 for valid defensive code.