S3417 "Track uses of disallowed dependencies" does not support Maven properties

Rules made from this template raise an issue when the groupId, artifactId or version of a dependency matches the configured forbidden-dependency pattern, as in:

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>

It is however very common (and in some organisations even required) to specify dependency versions using Maven properties, such as:

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>${log4j.version}</version>
</dependency>

When the version is specified like this, no issue is raised even if the version is disallowed.

It would be great if this was also supported by SonarQube because it would be very useful to be able to flag older versions of a dependency as disallowed.

Hello @MortenHindsholm,

This is indeed a shortcoming of the rule. We could extend it to cover variables. However, because the analysis is performed on a per-file basis, if the variables are not present within the same file the analyzer will not be able to pick it up.
A ticket has been created to handle the issue.

Dorian

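As an added illustration of both points in this thread (the false negative on `${...}` versions described in the original post, and the per-file limitation Dorian mentions in the reply), the script below is example code written for this page, not SonarQube's implementation of S3417. It parses a constructed pom.xml, expands `${property}` references against the `<properties>` block of that same file, and only then matches each dependency against a forbidden pattern. The pattern format `groupId:artifactId:versionGlob` is an assumption of this example, not the rule's parameter syntax. A property that is not defined in the file (for instance one inherited from a parent POM) is reported as unresolved rather than silently treated as allowed, which is exactly the case a single-file analyzer cannot decide on its own.

```python
"""Added example: resolve Maven ${property} versions in a single pom.xml before
matching a forbidden-dependency pattern. Not SonarQube's code; the pattern
format 'groupId:artifactId:versionGlob' is an assumption of this script."""
import re
import fnmatch
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM (not from the thread): a literal version, a version
# taken from a property defined in this file, and a version taken from a
# property that lives elsewhere (e.g. a parent POM the per-file analysis never sees).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${commons.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def load_properties(root):
    """Collect <properties> children of this file plus the built-in project.version."""
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()  # strip namespace
    version = root.find("m:version", NS)
    if version is not None and version.text:
        props["project.version"] = version.text.strip()
    return props


def resolve(value, props):
    """Expand ${name} references using same-file properties only.
    Returns (resolved_value, sorted list of names that could not be resolved)."""
    unresolved = set()
    for _ in range(10):  # bounded so a self-referencing property cannot loop forever
        names = PROP_RE.findall(value)
        if not names or all(n in unresolved for n in names):
            break
        for name in names:
            if name in props:
                value = value.replace("${%s}" % name, props[name])
            else:
                unresolved.add(name)
    unresolved.update(PROP_RE.findall(value))  # anything still unexpanded (incl. cycles)
    return value, sorted(unresolved)


def check_dependencies(pom_xml, forbidden_patterns, resolve_properties=True):
    """Return one finding per (dependency, matching pattern).
    status is 'forbidden', 'allowed' or 'unresolved'. With resolve_properties=False
    the raw '${...}' text is matched, reproducing the false negative from the post."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version, missing = resolve(raw, props) if resolve_properties else (raw, [])
        for pat in forbidden_patterns:
            fg, fa, fv = pat.split(":")
            if not (fnmatch.fnmatchcase(g, fg) and fnmatch.fnmatchcase(a, fa)):
                continue
            if missing:
                status = "unresolved"
            elif fnmatch.fnmatchcase(version, fv):
                status = "forbidden"
            else:
                status = "allowed"
            findings.append({"coordinates": "%s:%s" % (g, a), "declared": raw,
                             "resolved": version, "missing": missing,
                             "pattern": pat, "status": status})
    return findings


if __name__ == "__main__":
    patterns = ["log4j:log4j:1.2.*", "commons-collections:commons-collections:3.2.1"]
    for mode in (False, True):
        print("resolve_properties=%s" % mode)
        for f in check_dependencies(SAMPLE_POM, patterns, resolve_properties=mode):
            print("  %-45s %-20s -> %-20s %s" % (f["coordinates"], f["declared"],
                                                 f["resolved"], f["status"]))
```

Without property resolution the second log4j entry is reported as allowed, which is the behaviour the original post describes; with resolution it is flagged, and the commons-collections entry surfaces as unresolved because `${commons.version}` is not defined anywhere in this file. Treating that unresolved state as a distinct outcome (rather than "allowed") is the practical takeaway: a per-file analyzer can at least tell you where it could not decide.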