org.springframework.lang.Nullable is ignored in nullability analysis

Versions used:

  • Java 11.0.8 AdoptOpenJDK (64-bit)
  • SonarQube Scanner 3.1.0.1141
  • SonarQube server 8.1.0

When API nullability is established through @NonNullApi, exceptions specified through @Nullable (which is the intent of the API) are ignored and multiple nullability false positives are triggered.

package-info.java

@NonNullApi
package com.example;
import org.springframework.lang.NonNullApi;

X.java

package com.example;

import org.springframework.lang.Nullable;

public class X {
	public boolean isNull(@Nullable Object x) {
	  return x == null; // java:S2583
	}
	
	@Nullable public Object getNull() {
	  return null; // java:S2637
	}
}

Hey there.

SonarQube v8.1 was released in December 2019 and a lot has changed since then! Can you reproduce the issue on SonarQube v8.8?

Please also make sure that parameters like sonar.java.binaries and sonar.java.libraries are being filled correctly if you’re handling them manually (they should be handled automatically by the Scanner for Maven, Gradle, etc.)

Sorry, I don’t have access to newer versions, the instance I use is governed by our corporate IT.
Are you implying you can’t reproduce it with a recent version or that you simply don’t look at issues unless they can be reproduced with a newer version?

I will definitely double-check the highlighted parameters.

A non-LTS version of SonarQube becomes unsupported as soon as a new version is released, which is why we suggest the following:

Sure, I’ve read that and I already clarified that using a new version is “not possible”. I will interpret your response as “haven’t tried to reproduce”.

Hello Vojtech,

Thanks for reporting this.

That’s unfortunate because we won’t be able to help you much. This SonarQube version is not maintained and not supported anymore. Your corporate IT is obviously not following our guidelines regarding using non-LTS versions of SonarQube.

For your information, your use case cannot be reproduced with the latest released version of SonarQube (8.8), which embeds version 6.14 of the Java Analyzer. To me, the issue you might be facing has been solved by this ticket: SONARJAVA-3447. This was indeed an FP and a wrong interpretation of the annotation.

The fix was released as part of version 6.7 of the Java Analyzer, which was itself only available with SonarQube 8.5 (not maintained anymore). As of today, the only way to benefit from the fix, as well as all the other fixes and features we added since then, would be to update to the latest version of SonarQube.

Unfortunately for you, you made it clear that it is absolutely “not possible”.

Good luck,
Michael
