Sonar rule java:S4507 is not working in SonarQube community version 8.9, nor in 9.9.
This rule for Java is deprecated:
java:S1148 Throwable.printStackTrace(...) should not be called (Use a logger to log this exception)
As suggested by Sonar, it will be replaced by:
java:S4507 Delivering code in production with debug features activated is security-sensitive.
However, the rule java:S4507 is not working in SonarQube community version 8.9, and now that we are upgrading to 9.9, the old rule java:S1148 is gone and the replacement rule java:S4507 is not working either.
I think this is a SonarQube bug: the rule is activated in our Quality Profile, but it behaves as if it were not activated.
Usually under one rule you will see many violation issues,
but under this one there is no such Issues section; it does not even show zero issues: Issues (0).
And we have hundreds of projects and this rule just finds nothing. So I do suspect this rule is hardcoded to not be activated at all.
Here is an example class. It violates java:S4507 but SonarQube doesn't find it.
```java
public class MyClass {
    // Declares 'throws Exception' so the rethrow below compiles;
    // the original snippet was missing this clause.
    public void test() throws Exception {
        try {
            System.out.print("abc");
        } catch (Exception e) {
            e.printStackTrace(); // Sensitive
            throw new Exception("abc", e);
        }
    }
}
```
First, this is expected: there is no "Issues (841)" section for the rule java:S4507. This is a Security Hotspot, and when we implemented this concept we decided not to reproduce everything that is available for Issues. If you think about it, there is no real underlying use case answered by this "Issues (841)" section. It's cool, but it doesn't help with Clean Code.
I took your code and put it in a very simple Maven project. I compiled and scanned it and I can confirm that the Hotspot is detected:
SonarQube community version 8.9.9
client side:
maven 3.8.4
java 15.0.7
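The pattern under discussion, as an added example that is not part of the thread and not SonarSource code: the catch block that java:S4507 reports as a Security Hotspot, next to the logger-based form the deprecated java:S1148 recommended. The class name, `riskyOperation` and the simulated failure are constructed for the example; the rule keys and the "Sensitive" marker are the ones from the thread.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the original thread): the construct S4507 flags as a
// Security Hotspot, beside the logger-based form the deprecated S1148 asked for.
public class PrintStackTraceExample {

    private static final Logger LOG = Logger.getLogger(PrintStackTraceExample.class.getName());

    // Hypothetical operation that can fail; stands in for the caller's real work.
    static void riskyOperation(boolean fail) throws IOException {
        if (fail) {
            throw new IOException("simulated failure"); // constructed input
        }
    }

    // Sensitive: writes the full stack trace (class names, line numbers, causes)
    // to stderr, where it can end up in a container log, a crash page or a
    // support bundle. This is what java:S4507 reports as a Security Hotspot.
    public static void sensitive(boolean fail) throws Exception {
        try {
            riskyOperation(fail);
        } catch (IOException e) {
            e.printStackTrace(); // Sensitive
            throw new Exception("operation failed", e);
        }
    }

    // Compliant: route the exception through a logger. Where the trace goes
    // (file, level, retention) is then a deployment decision, not a hardcoded
    // write to stderr, and production can run with that level disabled.
    public static void compliant(boolean fail) throws Exception {
        try {
            riskyOperation(fail);
        } catch (IOException e) {
            LOG.log(Level.WARNING, "operation failed", e);
            throw new Exception("operation failed", e);
        }
    }

    public static void main(String[] args) throws Exception {
        compliant(false); // no exception, nothing logged
        try {
            compliant(true);
        } catch (Exception expected) {
            // The cause is preserved by the rethrow, so callers lose nothing
            // by not printing the trace at the catch site.
            System.out.println("cause: " + expected.getCause().getMessage());
        }
    }
}
```

Scanning a project containing `sensitive(...)` should produce a Security Hotspot for java:S4507 under the project's Security Hotspots tab, not under Issues; the `compliant(...)` method raises nothing for that rule.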
Our Java code gets compiled without the throw exception statement.
I noticed that the type of the SonarQube issue is Security Hotspot, which is different from the other types. So it doesn't show up in the Sonar Issues tab but under Security Hotspots.
I advise you to switch to the latest LTS version which is 9.9.x or even better, to use the latest version available when you do the upgrade to get the best of our rules.
If your remark is related to the difference in the UI, it's just because I used SonarCloud to confirm that the rule java:S4507 was raising the expected hotspot. SonarCloud uses a slightly different UI compared to SonarQube.