Sonar-scanner + Lombok + Gradle = False-Positive code smells

Hello,

We are using:

  • Sonar-scanner-cli v.4.2.0.1873

We use Gradle to build our Java code and sonar-scanner to analyse it, but sonar-scanner generates false-positive code smells regarding the Lombok library, for example: “Remove this unused “fname” private field” or “Add a private constructor to hide the implicit public one”.

We have faced similar issues with sonar-scanner and Maven projects as well, and we used the following plugin: http://javaln.blogspot.com/2019/09/sonar-lombok-maven-jacoco.html in order to generate lombok .jar files. Then we set the sonar.java.libraries property in our sonar-project.properties file to point to the location of these .jars, and the problem was solved.

However, we cannot find anything similar in order to generate lombok .jar files for Gradle projects. Do you know if there is such a setting or maybe another way to resolve this issue in Gradle? Please note that we need to avoid creating custom rules.

Thank you

Hello,

Unfortunately, without the binaries, the java analyzer is not going to be able to understand the code generated by lombok annotations. The java analyzer only supports lombok at best. We try to kill the noise, but ultimately, we need the jars to be able to operate without too many FPs.

Currently, there are also no particular settings in our analyzers that can be set to handle lombok better.

However, if the lombok plugin for gradle is systematically placing generated bytecode in the same folder, we could try to check for that folder before starting the analysis. However, in order to do so, we would need more information about how lombok is working with gradle, and this is out of our scope at the moment.

Cheers,
Michael