Spring Boot Constructor Injection and Variable Annotation Rules Conflict

StackOverflow Post
SonarQube Version 5.6.3

  @Autowired
  private Environment env;
  @Autowired
  private YYYAdaptor yyyAdaptor;
  @Autowired
  private JAXBContext jaxbContext;

The code above conflicts with the “Spring components should use constructor injection” rule. Changing the code to fit the suggested compliant implementation gives the implementation below:

  private Environment env;
  private YYYAdaptor yyyAdaptor;
  private JAXBContext jaxbContext;

  @Autowired
  public YYYResource(Environment env, YYYAdaptor yyyAdaptor,
      @Qualifier("YYYYReq") JAXBContext jaxbContext) {

    this.env = env;
    this.yyyAdaptor = yyyAdaptor;
    this.jaxbContext = jaxbContext;
  }

This conflicts with the “Members of Spring components should be injected” rule, which throws a critical vulnerability warning.

This means there is no way to implement these injections without causing a warning. Ideally the second case should recognize the constructor injection and avoid throwing that warning.

Looks like the issue is fixed on StackOverflow already -> https://stackoverflow.com/questions/54162663/using-spring-constructor-injection-with-sonarqube

The solution I accepted on SO is basically marking it as won’t fix and ignoring it. It doesn’t solve the bug.

Hi,

This is indeed a false positive and an inconsistency between the two rules. Ticket created to handle the issue: https://jira.sonarsource.com/browse/SONARJAVA-3153