S2441 - UnknownType detect for String result of method call

  • SonarQube 8.2 - Scanner SonarJava 6.1 (build 20866)

  • For rule S2441, some calls to setAttribute() of HTTPSession report a bug like : Make "org.sonar.java.resolve.Symbols$UnknownType@74d9668" serializable or don't store it in the session.

  • Our code detected is :

getHttpSession().setAttribute(CONSTANT + facesContext.getExternalContext().getRequestContextPath(), event.getRequestPath());

with event a method parameter defined of type NotLoggedInEvent that is other project (multi-module maven) and look like

public class NotLoggedInEvent implements Serializable {
    private String requestPath;

    public NotLoggedInEvent(String requestPath) {
        this.requestPath = requestPath;

    public String getRequestPath() {
        return this.requestPath;

In this case getRequestPath() is a String so it’s a Serializable value that can be store in HTTPSession, no ?

Hey there,

Thanks for the report. Looks like a similar false-positive should be fixed in the next release with SONARJAVA-3168. Can you take a peek on the ticket to see if matches?


Thanks for your reply.

In SONARJAVA-3168, the problem seem to be on the detection of the real type of the variable instance (HashMap versus Map for example). In our case, it’s already a String on getter so it should be detect as String all the path of analyze.

I modified our code for explicitly use a variable :

String requestPath = event.getRequestPath();
getHttpSession().setAttribute(CONSTANT + facesContext.getExternalContext().getRequestContextPath(), requestPath);

I will be able to give you feedback tomorrow (analyze only on night because it’s a big project) if this change the result.


I made a sample multi-module project to demonstrate the problem with one class in each project (sonar_S2441_subproject_1 and sonar_S2441_subproject_2).

You can see result in attachment :

If OtherClass is in same module project as caller class, it’s OK.
The bug seem to be specific to multi-modules projects

You can found it at GitHub - cdestombes/sonar_S2441_multiproject_failed: Simple maven multi-project that failed

I try the new version of scanner SonarJava 6.2 (build 21135), but now we have 2 false positive on the same sample project :

Maybe a regression of SONARJAVA-3168.

Hello Christophe,

Sorry for the delay answering you, and thanks a lot for your project reproducing the issue. Unfortunately, I have not been able to reproduce it strictly only using your sample project, but I managed to reproduce a similar case on my machine.

I created the following ticket to handle it: SONARJAVA-3322