refreshVersions plugin not recognized by S6624

  • What language is this for?

  • Which rule?

  • Why do you believe it’s a false-positive/false-negative?
    When we are using Redirecting to versions are not hardcoded in build.gradle.kts, but there is a reference to externalized (usually in version value.

  • Are you using

    • SonarCloud?
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

Enable version management according to Redirecting to in any kotlin+gradle project with some dependencies, migrate to refreshVersions, then scan with sonar. Each occurrence of dependency with exported version will be reported as violating kotlin:S6624, like e.g.
implementation("io.github.microutils:kotlin-logging-jvm:_"), where in fact version was declared as variable in using syntax.

1 Like

Hello @andrzej-talarek,

Thanks for your message. This is indeed a false positive and here’s the ticket to track it: [SONARKT-351] - Jira

While we were implementing this rule we haven’t taken this project into consideration, so thanks for pointing this out.