java:S6813 false negative for imported @Inject annotation

Product: SonarQube Community (self-hosted)
sonar-java version: sonar-java 8.28.0.43176 on SonarQube Community Build 26.4.0.121862
Java source level: 21 (javac 21, source/target 17)

Rule

java:S6813 — Field dependency injection should not be used

Description

java:S6813 behaves inconsistently for @Inject depending on whether the annotation is written with an import (@Inject) or fully qualified (@javax.inject.Inject). Since both resolve to the same annotation type, the rule should treat them identically.

Reproducer

// BEFORE — no violation reported (false negative)
package demo.before;

import javax.inject.Inject;

public class InjectDemo {
    @Inject
    private AuthenticationService authService;

    public static class AuthenticationService {}
}

// AFTER — java:S6813 reported
package demo.after;

public class InjectDemo {
    @javax.inject.Inject
    private AuthenticationService authService;

    public static class AuthenticationService {}
}

Expected behavior

java:S6813 should fire on both snippets, since both apply javax.inject.Inject to a private field.

Actual behavior

java:S6813 is reported only when the annotation is written as @javax.inject.Inject; the equivalent @Inject (imported) form produces no violation.

Hi @Emilyaxe,

I couldn’t reproduce the issue. The problem can arise because the analyzer doesn’t have the semantic information needed to raise the rule. Could you confirm that the dependency that includes javax.inject.Inject is properly configured and resolved? (Probably the javax.inject library, or spring-context.)

Thank you for the clarification. After adding the corresponding jar dependency to the classpath, the issue no longer reproduces on my side.

Best regards.
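
A pre-analysis check for the situation resolved above, as an added example that is not part of the original thread or of sonar-java: it lists the single-type imports of a source file that no jar on the supplied classpath provides. The function names, the constructed in-memory jar and the treatment of `java.*` as JDK-provided are assumptions made for this sketch.

```python
import io
import re
import zipfile

# Single-type imports only; static and wildcard imports are not matched.
IMPORT_RE = re.compile(r"^\s*import\s+(?!static\b)([\w.]+)\s*;", re.MULTILINE)

def imported_types(java_source):
    """Fully qualified type names imported by the source text."""
    return IMPORT_RE.findall(java_source)

def classes_in_jars(jars):
    """Class names provided by the given jars (paths or file-like objects)."""
    names = set()
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    stem = entry[: -len(".class")]
                    names.add(stem.replace("/", ".").replace("$", "."))
    return names

def unresolved_imports(java_source, jars):
    """Imports that no jar provides. Assumption: java.* comes from the JDK."""
    available = classes_in_jars(jars)
    return [t for t in imported_types(java_source)
            if not t.startswith("java.") and t not in available]

def make_jar(entries):
    """Build a constructed in-memory jar with empty entries, for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# The thread's first snippet (imported @Inject form), condensed.
BEFORE_SOURCE = """package demo.before;
import javax.inject.Inject;
public class InjectDemo {
    @Inject
    private AuthenticationService authService;
}
"""

if __name__ == "__main__":
    print(unresolved_imports(BEFORE_SOURCE, []))
    print(unresolved_imports(BEFORE_SOURCE, [make_jar(["javax/inject/Inject.class"])]))
```

Run it with the same jar list you hand to the analyzer (for sonar-java, the `sonar.java.libraries` property) before trusting a clean result from rules that depend on type resolution.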