S1854 FP - Remove this useless assignment to local variable

dandoy · June 24, 2024, 10:47am

Make sure to read this post before raising a thread here:

Then tell us:

Java
SonarQube v10.5.1

Indicates useless assignment to ‘METHOD’

private static void rollbackOrCommit(DBConnection theDB)
{
    final String METHOD = CLASS + ".rollbackOrCommit";

    if (theDB != null)
    {
		if (theDB.doRollbackOnError)
		{
			theDB.rollback();
		}
		else
		{
			try
			{
				theDB.commit();
			}
			catch (SQLException ex)
			{
				Log.log(1, METHOD, "dberror", Log.ERROR, "", "", "");
				theDB.rollback();
			}
        }
    }
}

Colin · June 24, 2024, 12:09pm

Hey there.

We know that sometimes this rule raises false-positives when the “semantic” is incomplete: SONARJAVA-4960

How do you execute your analysis (which scanner do you use? the SonarScanner CLI, the SonarScanner for Maven? Gradle?)

Do you receive any warnings during the analysis?

dandoy · June 24, 2024, 12:26pm

I don’t know what ‘semantic’ is incomplete refers to. We are getting about 90 of these false positives.

The SonarQube is being executed from a Jenkins build

I took some screen capture below

Colin · June 24, 2024, 12:28pm

How about you share how your Jenkins build is configured?

dandoy · June 24, 2024, 12:29pm

The code all compiles.

dandoy · June 24, 2024, 12:34pm

They all seem to deal with catching SQLException and the variable is only being used in the catch block.

dandoy · June 24, 2024, 12:43pm

I have a attached the groovy file. I don’t really know much about the Jenkins build.

(Attachment MCS_CommitBuild.groovy is missing)

dandoy · June 24, 2024, 12:47pm

Zip file blocked on our side. Here is partial screen capture.

Colin · June 25, 2024, 9:35am

Hey again.

Indeed, it looks like you’re running the SonarScanner CLI, which isn’t the recommended way (unless your normal build tool is an ant, in which case it’s the only way).

This is because the SonarScanner CLI requires a lot of manual configuration to perform an accurate analysis of Java, specifically the bytecode (the “semantic” I was referring to earlier)

I’m not sure what build tool is underneath your make commands are hiding. Can you tell me more about how your Java code is compiled?

dandoy · June 26, 2024, 3:33pm

Yes, we are using ant as the build tool, but don’t really understand how the build tool impacts the sonar analysis since the source and byte code generated are not really dependent on the build tool that is utilized. Java is still responsible for generating the byte code and not the build tool.

Colin · June 27, 2024, 12:55pm

Yes, but how that bytecode makes its way to the scanner to help analysis is build-tool dependent (and for Maven and Gradle, we can pick up those paths automatically).

We have documented a migration path from the SonarScanner for Ant to the SonarScanner CLI. You weren’t ever using the SonarScanner for Ant, but the general advice (add sonar.java.* to a sonar-project.properties file) still applies.

Once the proper bytecode is being read into your analysis, these FPs on S1854 should go away.

dandoy · June 27, 2024, 2:10pm

We already have the following in our properties file:

sonar.sources=src/classmcs,src/legacy

sonar.java.binaries=classes/legacy,classes/classmcs

sonar.java.libraries=serverLib,springbootLib,clientLib,smartFactoryLib,3rdParty

Is there something else we need to add.

Colin · July 2, 2024, 8:18am

Ideally, no, if all that information is complete and correct.

I have a feeling to learn more, we’d need to see the complete output of the sonar-scanner at DEBUG level (sonar-scanner -X)