We have an issue with SonarQube Server 2025.1.3 LTA and sonar-maven-plugin:5.1.0.4751 (JDK17).
Specifically, we have an issue with the rule java:S2440 - Remove this instantiation of “UserWithMissingRequiredServicesException”. This is part of the code:
```java
if (!CollectionUtils.isEmpty(missingServices)) {
    String errorMessage = String.format("Promotion not done. Missing user active services: (%s)",
            StringUtils.join(missingServices, ","));
    log.warn(errorMessage);
    // --> java:S2440 - Remove this instantiation of "UserWithMissingRequiredServicesException".
    throw new UserWithMissingRequiredServicesException(errorMessage);
}
```
But this exception is defined as:
```java
public class UserWithMissingRequiredServicesException extends DeniedIdentityPromotionException {
    private static final long serialVersionUID = 4468159381093610755L;

    public UserWithMissingRequiredServicesException(String technicalMessage) {
        super(
            PromotionDenegationCause.MISSING_REQUIRED_SERVICES,
            MagicMessages.ERROR_ON_IDENTITY_PROMOTION.getI18nCode(),
            MagicMessages.ERROR_ON_IDENTITY_PROMOTION.getMessage(),
            technicalMessage
        );
    }
}
```
The implementation of UserWithMissingRequiredServicesException has a constructor and a static serialVersionUID, but it extends DeniedIdentityPromotionException, which has the method getDenegationCause(), which is public and non-static.
I think that it’s a false positive. What do you think?
Hi Christian,
Yes, it is a false positive, but I was unable to reproduce it.
My assumption was that the analyzer did not receive the correct classpath and was unable to understand the inheritance of DeniedIdentityPromotionException.
But I failed to reproduce with this snippet of code, where the semantic information about extends Unknown is intentionally broken:
```java
public class Main {
    Bug bug = new Bug("msg"); // Compliant
}

class Bug extends Unknown {
    private static final long serialVersionUID = 4468159381093610755L;

    public Bug(String msg) {
        super(msg);
    }
}
```
So, even if the implementation of rule S224 does not check if something is “unknown”, I don’t understand how the rule could end up with a false positive. So I don’t understand what to fix.
Could you confirm the DeniedIdentityPromotionException class is an instance of java.lang.Throwable?
I was asking “is an instance of” transitively, because I know that java.lang.Throwable contains some non-static fields, which should tell the rule S2440 not to raise an issue.
I ask this question again for IdentityPromotionException, examining its superclass hierarchy.
My assumption is that we have 2 problems:
1. Local problem in your context: The Maven scanner fails to resolve all the dependencies related to the DeniedIdentityPromotionException class hierarchy.
2. Global problem: The rule S2440 does not work well when a part of a class hierarchy is unknown, and raises false positives. (But looking at the code I failed to find the problem)
I will ping my friend @Dorian_Burihabwa to continue this discussion, because I will be on vacation.
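The check asked for in the reply above can be run against the compiled classes with plain reflection. This is an added example, not code from the thread or from the analyzer: it only mirrors the reasoning that a class inheriting non-static members is not a "static-only" class. The two exception classes are constructed stand-ins (the real constructors and fields are not shown on the page), and `HierarchyCheck`, `StaticOnlyUtil` and `instanceMembers` are hypothetical names.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class HierarchyCheck {

    // Constructed stand-ins for the classes named in the thread (assumed shape).
    static class DeniedIdentityPromotionException extends RuntimeException {
        DeniedIdentityPromotionException(String msg) { super(msg); }
        public String getDenegationCause() { return "MISSING_REQUIRED_SERVICES"; }
    }

    static class UserWithMissingRequiredServicesException extends DeniedIdentityPromotionException {
        private static final long serialVersionUID = 4468159381093610755L;
        UserWithMissingRequiredServicesException(String msg) { super(msg); }
    }

    // The kind of class S2440 is aimed at: nothing but static members.
    static class StaticOnlyUtil {
        static int twice(int x) { return 2 * x; }
    }

    /** Lists the non-static fields and methods declared anywhere in the hierarchy, Object excluded. */
    static List<String> instanceMembers(Class<?> type) {
        List<String> found = new ArrayList<>();
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            List<Member> members = new ArrayList<>();
            members.addAll(List.of(c.getDeclaredFields()));
            members.addAll(List.of(c.getDeclaredMethods()));
            for (Member m : members) {
                if (!Modifier.isStatic(m.getModifiers()) && !m.isSynthetic()) {
                    found.add(c.getName() + "#" + m.getName());
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        Class<?> ex = UserWithMissingRequiredServicesException.class;
        // True when the class reaches java.lang.Throwable through its superclasses.
        System.out.println("Throwable subtype: " + Throwable.class.isAssignableFrom(ex));
        // Non-empty: getDenegationCause() plus Throwable's own instance fields and methods.
        instanceMembers(ex).forEach(System.out::println);
        // Empty list: this class has only static members.
        System.out.println("StaticOnlyUtil: " + instanceMembers(StaticOnlyUtil.class));
    }
}
```

Replacing the stand-ins with the real classes, loaded from the same classpath the scanner is given, shows whether every superclass up to `Throwable` actually resolves; a `NoClassDefFoundError` at that point indicates a missing dependency.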