S3749 reports false positive for session-scoped beans

bugbouncer · August 26, 2020, 1:29pm

Hi,
SonarQube reports the issue “java:S3749 - Members of Spring components should be injected” on the following code:

import org.springframework.stereotype.Controller;
import org.springframework.web.context.WebApplicationContext;
@Slf4j
@Controller(value = "myController")
@Scope(value= WebApplicationContext.SCOPE_SESSION, proxyMode= ScopedProxyMode.TARGET_CLASS)
    public class MyBean extends MyBaseBean implements MyConstants     {
        private UIInput keylevel1UIInput;   <------ Issue is reported here

The member on the last line is not injected by Spring. Therefore SonarQube reports the issue here.
In a Spring-Controler - which are singletons by default - this would of course be a problem, as the content of the member would be shared by all users.
But in this case the bean has session scope, denoted by the @Scope annotation.

Is this a false-positive?

Im using
SonarQube 8.3.1
Java Code Quality and Security plugin: 6.4

Quentin · September 2, 2020, 5:47am

Hello @bugbouncer,

It seems that you are facing SONARJAVA-3394, fixed in Java Code Quality and Security plugin version 6.5, included in SonarQube 8.4.

Updating SonarQube should remove this false positive.

Best,
Quentin

bugbouncer · September 2, 2020, 5:48am

Thanks for your response @Quentin.
We are currently upgrading our environment to 8.4.
If you don’t hear from me, the issue is gone

system · September 9, 2020, 5:48am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.