import org.springframework.stereotype.Service;

@Service
public class MyService {
    private final String injected;
    private String notInjected;

    public MyService(String injected) {
        this.injected = injected;
    }
}

raises an issue of the rule java:S3749 in the line private String notInjected:
Annotate this member with “Autowired”, “Resource”, “Inject”, or “Value”, or remove it.
Members of Spring components should be injected
which is the expected behaviour.
However, if I use the Lombok annotation RequiredArgsConstructor:

import lombok.RequiredArgsConstructor;
import org.springframework.stereotype.Service;

@Service
@RequiredArgsConstructor
public class MyService {
    private final String injected;
    private String notInjected;
}

no issue is raised, which is a false negative.
I have seen that SONARJAVA-3330 was created some years ago to avoid all false positives raised when RequiredArgsConstructor was used, but it looks like the solution was filtering the issues of all fields, not only of those fields initialised within the constructor generated by the annotation.
Only the latest version of SonarQube Community Build is considered active, so you’ll need to update and see if the situation is still replicable before we can help you.
Thank you for the report! I successfully reproduced the problem and created a ticket, SONARJAVA-5980, to track it.
Yes, you are right; if Lombok is used, we aggressively filter out all issues, which unfortunately leads to false negatives. We appreciate you letting us know when this is a problem in practice.
We extensively use Spring and Lombok in our corporate environment, so the combination of @Service and @RequiredArgsConstructor is very common. Although we currently don’t observe any violations in our codebase, this false negative could hide real issues in the future.
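
The narrower filter asked for in the first post, as an added example that is not part of the thread or of SonarJava's code: a heuristic Python scan that, for a Spring component using @RequiredArgsConstructor, reports only the fields the Lombok-generated constructor does not initialise and that carry none of the four annotations from the rule message. The stereotype list, the regex-based parsing and the function names are assumptions of this example.

```python
import re

# Annotations the rule message on this page accepts on a member.
INJECTION = {"Autowired", "Resource", "Inject", "Value"}
# Stereotypes treated as components here (assumption; the thread only shows @Service).
STEREOTYPES = {"Service", "Controller", "Repository", "Component"}

# A field declaration: annotations, modifiers, type, name, optional initialiser.
FIELD = re.compile(
    r"^[ \t]*(?P<annos>(?:@\w+(?:\([^)]*\))?\s+)*)"
    r"(?P<mods>(?:(?:private|protected|public|static|final|volatile|transient)\s+)*)"
    r"(?P<type>[\w.<>\[\], ?]+?)\s+(?P<name>\w+)\s*(?P<init>=[^;]*)?;",
    re.MULTILINE,
)

def class_level(src):
    """Drop everything nested deeper than the class body (method bodies, initialisers)."""
    out, depth = [], 0
    for ch in src:
        if ch == "}":
            depth -= 1
        if depth <= 1:
            out.append(ch)
        if ch == "{":
            depth += 1
    return "".join(out)

def uninjected_fields(src):
    """Fields of a @RequiredArgsConstructor component that nothing injects."""
    class_annos = set(re.findall(r"@(\w+)", src.split("{", 1)[0]))
    if not (class_annos & STEREOTYPES) or "RequiredArgsConstructor" not in class_annos:
        return []
    found = []
    for m in FIELD.finditer(class_level(src)):
        mods, annos = m["mods"].split(), set(re.findall(r"@(\w+)", m["annos"]))
        if "static" in mods:
            continue
        # Lombok passes uninitialised final fields and uninitialised @NonNull fields to the constructor.
        in_ctor = m["init"] is None and ("final" in mods or "NonNull" in annos)
        if not in_ctor and not (annos & INJECTION):
            found.append(m["name"])
    return found

# The Lombok class from the first post.
SAMPLE = ("@Service\n@RequiredArgsConstructor\npublic class MyService {\n"
          "    private final String injected;\n    private String notInjected;\n}\n")

print(uninjected_fields(SAMPLE))
```

Braces inside string literals or comments and fields declared without any modifier on a multi-declarator line are not handled; the scan is a stopgap for review, not a replacement for the analyzer.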