Sonarqube detecting code smell (deprecation) of java language 9 or greater on jdk8 code [reopen]

This post refers to another issue whose post I mistakenly marked as resolved: previous post

The problem remains: the scanner report shows deprecations of java language 9+ on jdk 8 compiled code. “” isn’t working.

Another setting not making any effect is “sonar.exclusions”. I have set sonar.exclusions=**/*.js,**/*.mjs,**/*.css but the scanner still scan and report problems in some .js files

Scanner Context: ***** [Project Analysis]
Global server settings:
  - sonar.auth.gitlab.enabled=true
  - sonar.auth.gitlab.groupsSync=true
  - sonar.auth.gitlab.url=http://*****/
  - sonar.core.serverBaseURL=http://*****:9000/
  - sonar.core.startTime=2023-05-22T09:32:05-0400
  - sonar.dbcleaner.daysBeforeDeletingClosedIssues=15
  - sonar.dbcleaner.daysBeforeDeletingInactiveBranchesAndPRs=10
  - sonar.forceAuthentication=true
  - sonar.lf.enableGravatar=true
  - sonar.plugins.risk.consent=ACCEPTED
  - sonar.projectCreation.mainBranchName=master
Project server settings:
  - sonar.cpd.exclusions=**/*.jsp,**/*.css,**/*.js,**/*.mjs
  - sonar.exclusions=**/*.js,**/*.mjs,**/*.css
Project scanner properties:
  - sonar.cpd.exclusions=['**/*.jsp', '**/*.css', '**/*.js', '**/*.mjs']
  - sonar.exclusions=['**/*.js', '**/*.mjs', '**/*.css']
  - sonar.login=******
  - sonar.projectBaseDir=/src
  - sonar.projectKey=*****
  - sonar.qualitygate.wait=true
  - sonar.scanner.appVersion=
  - sonar.sourceEncoding=ISO-8859-1
  - sonar.sources=src

SonarQube ID information
Date: 2023-07-05

Hey there.

Can you outline how you execute your scan? Basically – your Gitlab CI YAML (I’m assuming you use Gitlab CI)

Yes, i do use Gitlab: CE 14.3.6 (self-managed)

  image: localregistry/maven:3.8-amazoncorretto-8
  stage: test
    - docker
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
    MAVEN_OPTS: -Dmaven.repo.local=/cache/maven_repository/
    - mvn clean compile -DskipTests -gs $ARTIFACTORY_SETTINGS_XML --batch-mode
    - mvn dependency:copy-dependencies -DoutputDirectory=target/lib -gs $ARTIFACTORY_SETTINGS_XML --batch-mode
      - target/classes
      - target/lib
    expire_in: 1 hour

    name: localregistry/sonarsource/sonar-scanner-cli
    entrypoint: [""]
    - compile-job
  stage: test
  allow_failure: true
    - docker
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
    SONAR_SCANNER_OPTS: "$SONAR_HOST_URL -Dsonar.login=$SONAR_PROJECT_ANALYSIS_TOKEN -Dsonar.projectKey=$SONAR_PROJECT_KEY -Dsonar.qualitygate.wait=true"
    key: "${CI_JOB_NAME}"
      - .sonar/cache
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
    - sonar-scanner -Dsonar.sources=src*.jar -Dsonar.sourceEncoding=ISO-8859-1 -Dsonar.exclusions=**/*.js,**/*.mjs,**/*.css$CI_DEFAULT_BRANCH


Why do you decide to try and configure the sonar-scanner-cli rather than run mvn sonar:sonar?

Using the maven plugin on some java 8 projects, it gives errors like this:

[ERROR] /src/[23,30] package org.omg.CORBA.portable does not exist
[ERROR] /src/[400,163] cannot find symbol
  symbol:   class ApplicationException
  location: class myclass1
[ERROR] /src/[5,24] package javax.annotation does not exist
[ERROR] /src/[51,21] cannot find symbol
  symbol:   class Resource
  location: class myclass2

Running with the maven plugin on other projects where it works still results in deprecated java code from versions above 8.
But the exclusions seen to work.

Code smell

... new Integer(rs.getInt("someVariable")) ...
Remove this use of "Integer"; it is deprecated.

Gitlab job:

  image: localregistry/maven:3.8-amazoncorretto-11
  stage: test
    - docker
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
    key: "${CI_JOB_NAME}"
      - .sonar/cache
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
    - mvn clean verify sonar:sonar$SONAR_HOST_URL -Dsonar.login=$SONAR_PROJECT_ANALYSIS_TOKEN -Dsonar.projectKey=$SONAR_PROJECT_KEY -Dsonar.qualitygate.wait=true -Dsonar.sourceEncoding=ISO-8859-1 -Dsonar.exclusions=**/*.js,**/*.mjs,**/*.css$CI_DEFAULT_BRANCH -DskipTests -gs $ARTIFACTORY_SETTINGS_XML --batch-mode

Hello @uliss3s ,

In theory, should do the trick, and tell the analyzer what version you are using. Some rules are then going to adjust based on this value. Unfortunately, the rule java:S1874 is not one of these rules, and it relies solely on what information is read in your byte code.

Now, if your project is using Java 8, and the analyzer reads from bytecode (of the JDK) that the constructor of Integer() is deprecated, it means that the analyzer is reading the bytecode of the wrong JDK (probably your analysis runtime JDK).

This discrepancy is supposed to be handled auto-magically by the gradle or maven scanner (are you using the latest versions?). However, you can set manually the JDK that is used for your project by setting the following property: In your context, you then want to set to this property the "Path to jdk directory used by the project under analysis.". You might want to have a look at this documentation page to know more about the parameter.

Hope this helps,

1 Like

Hi, thanks for the detailed response.

The sonar maven plugin runs only on Java 11 and above, right?
So, if i have a java 8 project (which i cannot change) that uses modules/libraries removed in java 11, like javax.annotation, i can’t use the maven plugin, right?


I feel you can, but in 2 passes

  1. run the maven build with your JDK 8 (required due to the nature of your project)
  2. run the sonar:sonar maven job with JDK 11.

About 1., I believe however that you can still build a java 8 project with JDK 11, as long as you set sources version and release versions in the maven compiler as being java 8, so you should be able to do it in one go.


I got it working doing in two passes as you sugested:

  1. maven build with the jdk 8
  2. sonar:sonar with and

In projects that do not use modules/libraries removed from JDK 11, i can do in one pass.

Thank you very much for the help. :pray:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.