Spring Boot Constructor Injection and Variable Annotation Rules Conflict

java
sonarqube

(Victor Sahin) #1

StackOverflow Post
SonarQube Version 5.6.3

  @Autowired
  private Environment env;
  @Autowired
  private YYYAdaptor yyyAdaptor;
  @Autowired
  private JAXBContext jaxbContext;

The code above conflicts with the “Spring components should use constructor injection” rule. Changing the code to fit with the suggested compliant implementation with the implementation below:

  private Environment env;
  private YYYAdaptor yyyAdaptor;
  private JAXBContext jaxbContext;

  @Autowired
  public YYYResource(Environment env, YYYAdaptor yyyAdaptor,
      @Qualifier("YYYYReq") JAXBContext jaxbContext) {

    this.env = env;
    this.yyyAdaptor = yyyAdaptor;
    this.jaxbContext = jaxbContext;
  }

This conflicts with the " Members of Spring components should be injected" rule, which throws a critical vulnerability warning.

This means there is no way to implement these injections without causing a warning. Ideally the second case should recognize the constructor injection and avoid throwing that warning.


(Elena Vilchik) #2

Looks like issue is fixed at StackOverflow already -> https://stackoverflow.com/questions/54162663/using-spring-constructor-injection-with-sonarqube


(Victor Sahin) #3

The solution I accepted on SO is basically marking it as won’t fix and ignoring it. It doesn’t solve the bug