S3749: false negative when Lombok @RequiredArgsConstructor is used

  • SonarQube Server Community Edition v10.7 (96327)
  • SonarScanner for Maven 5.3.0.6276

The following code:

import org.springframework.stereotype.Service;

@Service
public class MyService {

    private final String injected;
    private String notInjected;

    public MyService(String injected) {
        this.injected = injected;
    }

}

raises an issue of the rule java:S3749 in the line private String notInjected:

Annotate this member with “Autowired”, “Resource”, “Inject”, or “Value”, or remove it.

Members of Spring components should be injected

which is the expected behaviour. :white_check_mark:

However, if I use the Lombok annotation RequiredArgsConstructor:

import lombok.RequiredArgsConstructor;
import org.springframework.stereotype.Service;

@Service
@RequiredArgsConstructor
public class MyService {
    
    private final String injected;
    private String notInjected;

}

no issue is raised, which is a false negative. :cross_mark:

I have seen that SONARJAVA-3330 was created some years ago to avoid all false positives raised when RequiredArgsConstructor was used, but it looks like the solution was filtering the issues of all fields, not only of those fields initialised within the constructor generated by the annotation.

Hi,

Welcome to the community!

Only the latest version of SonarQube Community Build is considered active, so you’ll need to update and see if the situation is still replicable before we can help you.

Your update path is:

10.7 → 24.12 → 25.12

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after update, please come back to us.

 
HTH,
Ann

Hi, Ann. Thanks for the welcome.

I managed to update to 26.1.0.118079, and the false negative still persists.

Hi,

Thanks for verifying. I’ll flag this for the language experts.

 
Ann

Hi Javier,

Thank you for the report! I successfully reproduced the problem and created a ticket, SONARJAVA-5980, to track it.

Yes, you are right; if Lombok is used, we aggressively filter out all issues, which unfortunately leads to false negatives. We appreciate you letting us know when this is a problem in practice.

Best,
Tomasz
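
A compensating check for the gap discussed in this thread, as an added example that is not SonarJava's code and was not posted by any participant: a reflection test that lists the non-final instance fields of a component that carry none of the injection annotations named in the S3749 message. The names `UninjectedMemberCheck` and `uninjectedMembers` and the hand-written `MyService` are assumptions for the example. Treating only final fields as constructor-initialised is a simplification: a non-final field that Lombok adds to the constructor through `@NonNull` would also be listed.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UninjectedMemberCheck {

    // Annotation simple names taken from the S3749 message quoted in the thread.
    private static final Set<String> INJECTION_ANNOTATIONS =
            Set.of("Autowired", "Resource", "Inject", "Value");

    // Constructed stand-in for the thread's second MyService after Lombok has run:
    // @RequiredArgsConstructor generates a constructor that assigns only `injected`.
    static class MyService {
        private final String injected;
        private String notInjected;

        MyService(String injected) {
            this.injected = injected;
        }
    }

    /** Returns "Class.field" for every instance field that nothing injects. */
    static List<String> uninjectedMembers(Class<?> component) {
        List<String> findings = new ArrayList<>();
        for (Field field : component.getDeclaredFields()) {
            int mods = field.getModifiers();
            // Assumption: final fields are set by the (generated) constructor; static
            // and compiler-synthetic fields are not members Spring would inject.
            if (Modifier.isStatic(mods) || Modifier.isFinal(mods) || field.isSynthetic()) {
                continue;
            }
            boolean annotated = false;
            for (Annotation a : field.getDeclaredAnnotations()) {
                annotated |= INJECTION_ANNOTATIONS.contains(a.annotationType().getSimpleName());
            }
            if (!annotated) {
                findings.add(component.getSimpleName() + "." + field.getName());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println(uninjectedMembers(MyService.class));
    }
}
```

Because reflection sees the compiled class, the result is the same whether the constructor was written by hand or generated by Lombok.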