S1874 FP "@Deprecated" code should not be used java:S1874, in ObjectNode

Eduardo_Ito · September 12, 2023, 3:16pm

False positive with rule java:S1874 “@ Deprecated” code should not be used

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.15.2</version>
</dependency>

In class com.fasterxml.jackson.databind.node.ObjectNode the put method with JsonNode as value is deprecated:

public JsonNode put(String propertyName, JsonNode value)

github.com

FasterXML/jackson-databind/blob/3e4ab840d940d3378258c2ac20d6ca4d8e5cd64b/src/main/java/com/fasterxml/jackson/databind/node/ObjectNode.java#L680


      
           * @param value Value to set to property; if null, will be converted
           *   to a {@link NullNode} first  (to remove a property, call
           *   {@link #remove} instead).
           *
           * @return Old value of the property, if any; {@code null} if there was no
           *   old value.
           *
           * @deprecated Since 2.4 use either {@link #set(String,JsonNode)} or {@link #replace(String,JsonNode)},
           */
          @Deprecated
          public JsonNode put(String propertyName, JsonNode value)
          {
              if (value == null) { // let's not store 'raw' nulls but nodes
                  value = nullNode();
              }
              return _children.put(propertyName, value);
          }
          
          /**
           * Method that will set value of specified property if (and only if)
           * it had no set value previously.

But all other put methods are not, like this one with a String value:

public ObjectNode put(String fieldName, String v)

github.com

FasterXML/jackson-databind/blob/3e4ab840d940d3378258c2ac20d6ca4d8e5cd64b/src/main/java/com/fasterxml/jackson/databind/node/ObjectNode.java#L1038


      
          public ObjectNode put(String fieldName, BigInteger v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : numberNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           *
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, String v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : textNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           *
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, boolean v) {

Example:

ObjectNode node = new ObjectMapper().createObjectNode();
node.put("field", "value");

SonarQube Enterprise generates an issue ‘Remove this use of “put”; it is deprecated.’ but the put method with a String value is not deprecated.

–
Eduardo Ito.

Colin · September 13, 2023, 1:33am

Hey there.

What version of SonarQube are you using? You should be able to find this in the footer of your SonarQube instance.

Eduardo_Ito · October 12, 2023, 11:39pm

I’m using SonarQube Enterpise Edition 9.9.1 (build 69595)

(Sorry for the late response)

Dorian_Burihabwa · October 18, 2023, 2:06pm

Hi @Eduardo_Ito,
We usually pick up the deprecation information as we parse the code and match the types and methods we encounter with classes found in the classpath.

Could it be that multiple versions of jackson-data-bind live within that classpath?

Could you run the analysis with debug logs enabled? That should give us an idea of whether were seeing the right version of the library.

Cheers

kid1412621 · December 13, 2023, 8:25am

I’ve encountered the same issue. I don’t think it’s to do with the multiple versions of Jackson-data-bind since the alternative method never been marked as deprecated since its first introduction.

v2.9:

github.com

FasterXML/jackson-databind/blob/8c9c75a48bf302e7cf0c8fcd1dbfe2e1d53b5f2c/src/main/java/com/fasterxml/jackson/databind/node/ObjectNode.java#L789


      
          public ObjectNode put(String fieldName, BigInteger v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : numberNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           * 
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, String v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : textNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           * 
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, boolean v) {

v2.17:

github.com

FasterXML/jackson-databind/blob/0a2cde800221a58392847d96a28c206ecd99566c/src/main/java/com/fasterxml/jackson/databind/node/ObjectNode.java#L1069


      
          public ObjectNode put(String fieldName, BigInteger v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : numberNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           *
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, String v) {
              return _put(fieldName, (v == null) ? nullNode()
                      : textNode(v));
          }
          
          /**
           * Method for setting value of a field to specified String value.
           *
           * @return This node (to allow chaining)
           */
          public ObjectNode put(String fieldName, boolean v) {

yumingtao · January 17, 2024, 3:24am

I have the same issue in IntelliJ with SonarLint version 10.2.1.77304, the jackson-databind version is 2.15.3

    /**
     * Method for setting value of a field to specified String value.
     *
     * @return This node (to allow chaining)
     */
    public ObjectNode put(String fieldName, String v) {
        return _put(fieldName, (v == null) ? nullNode()
                : textNode(v));
    }

The SonarLink scan issue: “SonarLint: Remove this use of “put”; it is deprecated.”

angelo.buono · January 17, 2024, 3:06pm

Hello @yumingtao, welcome to the Sonar Community.

I couldn’t reproduce the issue, and looking at the implementation and the previous answer, I’m not surprised. To continue the investigation, I will ask you to provide a reproducer.

It would be fantastic if you could zip a small project that reproduces your situation! It’s enough to have a maven or gradle project with the specific dependency you’re using and a class that uses the put method being reported as an issue.

Cheers,
Angelo

yumingtao · January 18, 2024, 2:49am

Hi Angelo, here is an example that can be used to reproduce the SonarLint (Java:S1874) issue, the GitHub link is https://github.com/yumingtao/sonarlint-java-s1874.git, and it is reproduced in my local IntelliJ, here is the screenshot.

angelo.buono · January 18, 2024, 4:06pm

Hi @yumingtao, thank you for providing all the information required.

The investigation result is that the FP positive is caused by using Lombok @Getter.

The Java Analyzer relies on the AST built by Eclipse Compiler for Java that is unaware of Lombok autogenerated code. To be more precise, Lombok works by manipulating the AST, previously created by the ECJ (more details in “Lombok: The Good, The Bad, and The Controversial” and Good and Bad usage of Lombok).

The debugging shows that the AST binds the detailsNode.put(“errorCode”, getErrorCode());to the wrong definition ofObjectNode#put`:

public com.fasterxml.jackson.databind.JsonNode put(java.lang.String, com.fasterxml.jackson.databind.JsonNode)

Since the getErrorCode() definition is unknown to the ECJ, because it was generated afterward by Lombok, it cannot infer the correct ObjectNode#put. I assume that ECJ picks the first definition found in com.fasterxml.jackson.databind.node.ObjectNode, which happens to be annotated as deprecated.

Wrapping up, your code is fine, so please ignore the issue reported. Alternatively, you could:

use directly the errorCode field instead of the getter
assign the value returned by getErrorCode() to a local variable (not specify the type explicitly, instead of using var)

Unfortunately, this is a nasty corner case caused by the combination of several different circumstances.

Cheers,
Angelo

yumingtao · January 19, 2024, 9:28am

Thank you for your detailed investigation and clear explanation. I will proceed by utilizing the “errorCode” field as suggested.

system · January 26, 2024, 9:28am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wrong Deprecation warning bug for java:S1874 Report False-positive / False-negative... java , intellij , sonarqube-ide	3	3080	November 8, 2021
FP on java S5164: ThreadLocal#remove not detected when JsonNode is type of ThreadLocal Report False-positive / False-negative... java , sonarqube	5	721	March 14, 2023
Deprecated method usage java:S5738 raised on formerly deprecated method SonarQube Server / Community Build java , sonarqube	0	57	November 24, 2025
False positive java:S1874 Report False-positive / False-negative... java , sonarqube	3	72	November 15, 2024
java:S1168 does not respect jakarta changes and has undocumented behavior Report False-positive / False-negative... java , sonarqube	2	1201	December 20, 2022

S1874 FP "@Deprecated" code should not be used java:S1874, in ObjectNode

Related topics