For rule S2441, some calls to setAttribute() of HTTPSession report a bug like : Make "org.sonar.java.resolve.Symbols$UnknownType@74d9668" serializable or don't store it in the session.
Thanks for the report. Looks like a similar false-positive should be fixed in the next release with SONARJAVA-3168. Can you take a peek on the ticket to see if matches?
In SONARJAVA-3168, the problem seem to be on the detection of the real type of the variable instance (HashMap versus Map for example). In our case, it’s already a String on getter so it should be detect as String all the path of analyze.
I modified our code for explicitly use a variable :
I made a sample multi-module project to demonstrate the problem with one class in each project (sonar_S2441_subproject_1 and sonar_S2441_subproject_2).
Sorry for the delay answering you, and thanks a lot for your project reproducing the issue. Unfortunately, I have not been able to reproduce it strictly only using your sample project, but I managed to reproduce a similar case on my machine.
I created the following ticket to handle it: SONARJAVA-3322