Rule java:S2583 not always showing chain of causality

SQ 8.6.0

At some point (not sure when but I didn’t notice it before) SQ started highlighting a chain of causality (I’m not sure what you call it) where the bug involves multiple separated statements, such as null dereferencing (java:S2259) and superfluous conditionals (java:S2583, i.e., “Conditionally executed code should be reachable” where it thinks a conditional always evaluates the same way). This is an awesome feature BTW!

But it seems sometimes for the latter rule, the web portal doesn’t show the causality. In the issue list frame, usually the box for the issue looks like this, with the small +n box next to the bug indication:
[image]
But sometimes it isn’t there:
[image]

And the ones where it doesn’t appear (and the other ways of getting at the chain of statements that cause the issue are similarly not present) seem to be false positives.

So can you explain under what conditions SQ will show the chain of causality and under what conditions it won’t?

Hello @MisterPi,

Thank you for your message. These rules use symbolic execution under the hood and try to discover all possible paths in the method and apply constraints. Indeed, not all reported issues will have secondary locations, if none were found.

To investigate it further we would like to look at some examples where you don’t see these secondary locations and feel it’s an FP.

Regards,
Margarita
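To make concrete what “discovering paths and applying constraints” means for a rule like java:S2583, here is an added Java illustration. It is not code from either post, the class and method names are invented for the example, and the page does not say how SonarQube reports these particular methods or whether it attaches secondary locations to them.

```java
// Added illustration (not code from the thread): the kind of reasoning a
// path-sensitive rule such as java:S2583 performs. All names are made up.
public final class Reachability {

    // The earlier check `if (name == null) return ...;` constrains `name` to be
    // non-null on every path that reaches the second `if`. A symbolic-execution
    // checker can therefore prove the `else` branch unreachable, and the first
    // check is the natural "secondary location" to point back at as the cause.
    static String greet(String name) {
        if (name == null) {
            return "hello, stranger";
        }
        if (name != null) {          // always true under the constraint above
            return "hello, " + name;
        } else {
            return "unreachable";    // dead code: no path reaches it
        }
    }

    // Same behaviour without the redundant conditional: one check, no dead branch.
    static String greetFixed(String name) {
        if (name == null) {
            return "hello, stranger";
        }
        return "hello, " + name;
    }

    // A constraint established only on *some* paths does not make a later
    // condition constant: when `formal` is false, `name` may still be null at
    // the second `if`, so both of its outcomes are genuinely reachable.
    static String greetConditional(String name, boolean formal) {
        if (formal && name == null) {
            return "good day";
        }
        if (name == null) {          // reachable: formal == false, name == null
            return "hi";
        }
        return (formal ? "good day, " : "hi, ") + name;
    }

    public static void main(String[] args) {
        System.out.println(greet(null));                 // hello, stranger
        System.out.println(greet("Ada"));                // hello, Ada
        System.out.println(greetFixed("Ada"));           // hello, Ada
        System.out.println(greetConditional(null, false)); // hi
    }
}
```

The point of the third method is the one a practitioner should check before calling a report a false positive: a constraint only makes a later conditional “always the same” if it holds on every path that reaches it, so when reviewing such an issue, look for a path into the flagged conditional on which the earlier constraint was never established.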