S4684 should not raise an issue when entity has a static @JsonCreator factory method

SonarQube Enterprise Edition Version 9.4 (build 54424)

public class Wish{
  Long productId;
  Long quantity;
  Client client;

  public static Wish fromJsonNode(JsonNode jsonNode) {
    Long productId = jsonNode.asLong("productId");
    Long quantity = jsonNode.asLong("quantity");
    // .. extract and map client values too
    return new Wish(productId, quantity);

public class WishListController {  

  @PostMapping(path = "/saveForLater")
  public String saveForLater(Wish wish) { // false positive - see below

Because the entity referenced by the controller’s saveForLater() method has a single-argument method annotated with @JsonCreator, prior to the saveForLater() method being invoked, the POST's JSON payload is deserialized as a JsonNode. This DTO is passed to fromJsonNode() where selected fields are mapped to create the Wish that is finally passed to saveForLater(). This is functionally equivalent to accepting a WishDTO and mapping it to Wish.

Hi Paul,
I created SONARJAVA-4254 ticket to improve the rule.
Thanks for your code example and your feedback,

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.