JAVA (Spring Framework): Major Bug reported when @Nullable annotated methods are scanned for static code analysis

scanner
java
sonarqube

(Shashwat Kaundinya) #1

SonarQube reports a Major Bug when checking for null on variables whose value comes from any method that is annotated with org.springframework.lang.Nullable.


  • Versions: SonarQube-v7.2,

Error observed:

private static final String CACHE_JAXB_CTX = "jaxbContextCache";

@Autowired
private CacheManager cacheMgr;

@PostConstruct
public void init() {
    try {
        this.cacheJaxb = null;
        this.cacheJaxb = this.cacheMgr.getCache(CACHE_JAXB_CTX);
        if (this.cacheJaxb == null) {
            throw new RuntimeException("jaxb cache not initialized, please check your configuration file");
        }
    } catch (RuntimeException e) {
        logger.error("error on postConstruct", e);
        throw e;
    }
}

When the above code is analyzed by SonarQube, a major bug is reported in the if() block where the object is checked for nullability.

Whereas org.springframework.cache.CacheManager.getCache(String name) clearly states that the value returned can be null:

/**
 * Return the cache associated with the given name.
 * @param name the cache identifier (must not be {@code null})
 * @return the associated cache, or {@code null} if none found
 */
@Nullable
Cache getCache(String name);

(Nicolas Peru) #2

What is the version of the SonarJava analyzer installed on your SonarQube instance? There was some work around these Spring null annotations recently, so I would recommend upgrading to the latest version.

See https://jira.sonarsource.com/browse/SONARJAVA-2785
https://jira.sonarsource.com/browse/SONARJAVA-2864


(Shashwat Kaundinya) #3

@Nicolas_Peru : Thanks for the links.
SonarJava version for my SonarQube instance is 5.4 (build 14284).
Going through the Jira ticket, I reckon I need to update the SonarJava version to at least 5.7.
I will update my SonarQube instance and revert back.

Thanks a million.


(Shashwat Kaundinya) #4

@Nicolas_Peru
Thanks man,

Updating SonarJava to 5.8 (build 15699) worked.
Now I don’t see the issue as a major bug.