Sonar rule java:S4507 is not working for sonar community version 8.9, nor 9.9

Hi,

Sonar rule java:S4507 is not working for sonar community version 8.9, nor 9.9.

This rule for java is deprecated,

java:S1148 Throwable.printStackTrace(...) should not be called(Use a logger to log this exception)

suggested by Sonar, it will be replaced by:

java:S4507 Delivering code in production with debug features activated is security-sensitive.

However the rule java:S4507 is not working in SonarQube community version 8.9, and now we are upgrading to 9.9, the old rule java:S1148 is gone, and replaced rule java:S4507 is not working either.

I think this is SonarQube bug, the rule is activated in our Quality Profile, but it behaves like not activated.
Usually under one rule, u will see many violation issues.

but under this one, there is such Issues section not even shows zero issues:
Issues(0)

And we have hundreds of projects and this rule just find nothing. So i do suspect this rule is hardcoded to be not activated at all.

here is an Example Class, it violates java:S4507 but SonarQube doesn’t find it.

public class MyClass {

    public void test() {

        try {
            System.out.print("abc");
        } catch (Exception e) {
            e.printStackTrace(); // Sensitive
            throw new Exception("abc", e);

        }

    }

}

Hello,

First, this is expected to not have a section “Issues (841)” for the rule java:S4507. This is a Security Hotspot and when we implemented this concept we decided to not reproduce everything that is available for Issues. If you think about it, there is no real underlying use case answered by this “Issues (841)” section. It’s cool, but it doesn’t help to Clean Code.

I took your code and put it in a very simple Maven project. I compile and scan it and I can confirm that the Hotspot is detected:

image1200×498 38.6 KB

I had to add a throws Exception to the method signature so the code compiles. Are you sure on your side that you are analyzing code that is compiled?

Alex

ok thanks for the info.

I didn’t add the throws Exception and the code can still compiled. We are using java 15, will that matter?

it is very strange, i scan the code in the same way, i can see other rule violations but not this one.

just run this command as the base:
mvn sonar:sonar -Dsonar.branch.name=master -Dsonar.pullrequest.key= -Dsonar.pullrequest.branch=

and create the testing file and git commit the changes

and run pull request:
mvn sonar:sonar -Dsonar.pullrequest.key="commitid" -Dsonar.pullrequest.branch="local_branch_name"

from the pull request analysis, under the issues view i didnt see the wanted rule violation.
just the deprecated one and another one java:S1166

Screenshot 2023-04-26 at 19.15.271630×710 73.3 KB

what could went wrong, Is there any way to trouble shooting it?

Best,
Xiyao

which version of sonar server you are using?

SonarQube community version 8.9.9
client side:
maven 3.8.4
java 15.0.7

our java code get compiled without the throw exception statement.

I noticed the type of the SonarQube issue is security hotspot which is different from other types. So it doesn’t showed up in sonar Issues tab but Security Hotspot.

Screenshot 2023-04-28 at 18.04.002534×726 112 KB

But it is strange it showed in your example.

Hello,

I advise you to switch to the latest LTS version which is 9.9.x or even better, to use the latest version available when you do the upgrade to get the best of our rules.

If your remark is related to the difference in terms of UI, it’s just because I used SonarCloud to confirm the rule java:S4507 was raising the expected hotspot. SonarCloud uses a slightly different UI compared to SonarQube.

Regards
Alex

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.