refreshVersions plugin not recognized by S6624

  • What language is this for?
    Kotlin

  • Which rule?
    kotlin:S6624

  • Why do you believe it’s a false-positive/false-negative?
    When we are using refreshVersions (https://splitties.github.io/refreshVersions), versions are not hardcoded in build.gradle.kts, but there is a reference to an externalized (usually in versions.properties) version value.

  • Are you using

    • SonarCloud?
      yes
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

Enable version management according to refreshVersions (https://splitties.github.io/refreshVersions) in any Kotlin + Gradle project with some dependencies, migrate to refreshVersions, then scan with Sonar. Each occurrence of a dependency with an exported version will be reported as violating kotlin:S6624, e.g.
implementation("io.github.microutils:kotlin-logging-jvm:_"), where in fact the version was declared as a variable in versions.properties using the version.io.github.microutils..kotlin-logging-jvm=3.0.5 syntax.


Hello @andrzej-talarek,

Thanks for your message. This is indeed a false positive and here’s the ticket to track it: [SONARKT-351] - Jira

While we were implementing this rule we haven’t taken this project into consideration, so thanks for pointing this out.

Regards,
Margarita
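
Added example, not part of the original thread and not SonarSource's or refreshVersions' own code: a small dependency audit that treats the `_` placeholder from the report as an externalized version and resolves it from versions.properties, instead of reporting it as hardcoded. It assumes only the full `version.<group>..<name>` key form quoted in the report; the function names and every sample line other than the kotlin-logging one are constructed.

```python
import re

# Constructed sample build script; only the kotlin-logging line is from the report.
BUILD_GRADLE_KTS = '''
dependencies {
    implementation("io.github.microutils:kotlin-logging-jvm:_")
    implementation("com.example:pinned-lib:1.2.3")
    implementation("com.example:missing-lib:_")
}
'''

# Constructed versions.properties holding the key quoted in the report.
VERSIONS_PROPERTIES = '''
version.io.github.microutils..kotlin-logging-jvm=3.0.5
'''

# Matches string-notation dependencies: configuration("group:name:version")
DEP_RE = re.compile(r'^\s*(\w+)\(\s*"([^":]+):([^":]+):([^":]+)"\s*\)', re.M)

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def classify(build_script, properties_text):
    """Map "group:name" to (status, version) for each dependency found."""
    props = parse_properties(properties_text)
    result = {}
    for _conf, group, name, version in DEP_RE.findall(build_script):
        coord = f"{group}:{name}"
        if version != "_":
            # A literal version in the build script is the hardcoded case.
            result[coord] = ("hardcoded", version)
            continue
        # Assumption: only the full key form shown in the report is looked up.
        resolved = props.get(f"version.{group}..{name}")
        result[coord] = ("externalized", resolved) if resolved else ("unresolved", None)
    return result

if __name__ == "__main__":
    for coord, (status, version) in classify(BUILD_GRADLE_KTS, VERSIONS_PROPERTIES).items():
        print(f"{coord}: {status} ({version})")
```

The "unresolved" status separates a placeholder with no matching entry in versions.properties from one that is correctly externalized, which a check that only looks at build.gradle.kts cannot tell apart.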