Hi there, dear Java and Python users,
Today we release version 2.1 of our bug detection engine for Java and Python.
For a long time, Java users have been complaining about duplicate rules (java:S2259 and javabugs:S6555) to detect Null-pointer dereference issues. S2259 had problems with false positives, and S6555 was not in our SonarWay profile. After the steps taken to release version 2.0 of our engine, we feel we can move forward.
Today we resolve this problem by removing the existing java:S2259 rule and replacing it with what used to be javabugs:S6555. We also rename it to javabugs:S2259, because it is definitely an implementation of what is known as S2259 across our languages. This new javabugs:S2259 is a much more powerful rule that will detect issues across files and method calls.
This new rule is now in SonarWay, and all existing java:S2259 issues will be reassigned to it to keep things simple. That means the issues you have marked as false-positives or accepted will stay that way.
We also have been improving our reporting to make javabugs and pythonbugs issues easier to understand, by adding more information to the flows leading to an issue. This work is ongoing and will continue to improve in future versions.
Finally, we have been busy correcting some false-positives that you have reported on Python (S6466) or on Java (S6416).
What this means for you:
- You should see fewer false-positives on S2259 for Java
- You will see new issues appear from javabugs:S2259. This is expected, and a large majority should be true issues (no rule is perfect, so there will still be some false-positives. Please report them to help us make them disappear!).
- If you had S6555 enabled on your quality profile, it will disappear. The issues raised by S6555 in the past will be considered new, because we could only migrate one set of issues (those from java:S2259). However, given the extremely low volume of S6555 issues, this was the simplest way to achieve our goal.
This new version is live on SonarQube Cloud and in SonarQube for IDE when connected to a SonarQube Cloud project. It will be available in SonarQube Server 2025 release 4 later this summer, and in SonarQube for IDE when connected to this version of SonarQube Server.
For now, please comment and share your false-positive reports with us (by checking the “share comments with Sonar” option on SonarQube Cloud) so we can be aware of the problems and tackle them.
You can also report any issue here on our community forums.
Denis