Setup:
- JDK 25, Lombok 1.18.42 (
providedscope) - Maven 3.9.11, Sonar scanner for Maven 5.5.0.6356
- SonarQube Cloud
I have a serializable subclass of a non-serializable base class, whose no-arg constructor is provided by Lombok:
@Data
@SuperBuilder(toBuilder = true)
@Jacksonized
@NoArgsConstructor(access = AccessLevel.PROTECTED) // for serializable subclasses
public class MyBaseClass {
@Data
@EqualsAndHashCode(callSuper = true)
@ToString(callSuper = true)
@SuperBuilder
@Jacksonized
public class MyChildClass extends MyBaseClass implements Serializable {
I’m using the Maven scanner out-of-the-box, via a script in a CI/CD pipeline:
#!/bin/sh
./mvnw install \
org.sonarsource.scanner.maven:sonar-maven-plugin:5.5.0.6356:sonar \
-Dmaven.test.skip=true \
-Dmaven.compiler.useIncrementalCompilation=false \
-DlastModGranularityMs=10000000 \
"$@"
If the root cause here ends up being related to making bytecode available to Sonar, I’m really looking for a way to do that without requiring configuration on a per-project basis (we’re a large org with a lot of developers of, let’s say, varying degrees of knowledge in this area of the craft).
That said, this seems to be specific to S2055: I don’t see warnings about our heavy use of the @Data annotation, for example.