SonarJava cannot detect Java 11 Optional isEmpty as null testing

jeffrey.dl.cheung · October 4, 2019, 2:26am

Hi all,

We are using SonarJava for Java code analysis. We are facing a problem that SonarJava cannot detect Java 11 isEmpty as valid null testing for Optional Class (The code sample is shown in below picture, violated rule: squid:S3655). We did try follow suggestion in rule to use ! isEmpty() but it doesn’t work. I can see there is a Jira log SONARJAVA-3087 which is discussing the same problem and this problem should be fixed in version 5.12.1. But, our version is newer than 5.12.1. Is there way to handle this problem?

Sample code:

SonarQube & relevant plugin version:

SonarQube Developer edition, the version is 7.9.1.27448
SonarJava version is 5.14 (build 18788)

Reference Jira ticket:
https://jira.sonarsource.com/browse/RSPEC-3655

Quentin · November 26, 2019, 5:28pm

Hello @jeffrey.dl.cheung,

If I understand correctly the problem, your example can be reduced to:

  void usingIsEmpty() {
    Optional<String> s = optional;
    if (s.isEmpty()) {
      throw new IllegalAccessException();
    }
    s.get();
  }

This sample code is not reporting any issue with the current version of SonarJava.
I am not sure why it was not the case when you tried it, but it seems to behave correctly now.

Feel free to continue this thread if you still face the issue!

Best,
Quentin

jeffrey.dl.cheung · November 27, 2019, 9:36am

Hello @Quentin,

I m not sure the why your reduced code is Ok.

I also tried an add the similar code to another sample java project. It shows the same problem (issue is in line 61, but i should check empty in line 57) .

The quality profile for this project is still “(Java) Sonar way” . Our SonarJava is still 5.14 (build 18788)

I can see a message “WARN: SonarScanner will require Java 11+ to run starting in SonarQube 8.x” in scanner log, but we are using version 7.9.1.27448. The case should not related to java 11 of sonar scanner, right?
I can see two more warn messages in the log:
#1
WARN: SCM provider autodetection failed. Please use “sonar.scm.provider” to define SCM of your project, or disable the SCM Sensor in the project settings.

#2
WARN: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.

Are they related to the issue? or any other log / trace i can capture to provide more insight?

Jeffrey

Quentin · November 27, 2019, 2:06pm

Okay, I finally managed to reproduce the strange behavior by using an old version of the scanner (not using java 11).

Updating the scanner (to a version using Java 11) should solve your problem.

jeffrey.dl.cheung · November 29, 2019, 1:20am

@Quentin,

Thanks for your help. We can fix this fail positive problem after the scanner is run on Java 11.

saberduck · January 16, 2020, 2:48pm

To explain why this is happening. Java analyzer is using JDK from the scanner to resolve methods from JDK. Optional#isEmpty method exists only in JDK 11, if you use old scanner running on Java 8, this method is not recognized. This is why using JDK 11 solves the problem.

Ultimately we would like to decouple version of Java used for purpose of analysis and version on which scanner is running. This is described in https://jira.sonarsource.com/browse/MMF-1522, however it never become a priority and is on hold for the time being.

jeffrey.dl.cheung · January 21, 2020, 6:01am

@saberduck. thanks for your clarification. I believe this also applied to eclipse SonarLint, right? Should the eclipse run with JDK 11, right?