Spring-Data JpaRepository creating a false positive finding of java:S2583

I’m using SonarCloud for analysis of this code, where the repository is a spring-data JpaRepository:

DndObject configuration = dndRepository.findOne(channelType);
if (configuration == null) {
  // do not-found behavior
}

This triggers java:S2583 (“Conditionally executed code should be reachable”) on the second line, even though the response from JpaRepository.findOne() will be either an object or null. This seems incorrect. Is Sonar not realizing that the object in question is nullable?

A similar issue with if-checking null happened on a spring-context CacheManager.getCache(), which also may return null if the desired object isn’t found in the cache.

Hello Rick,

Thanks for the feedback, this is indeed a FP from rule S2583 (and also a potential FN on S2259).

The issue is caused by our symbolic execution engine wrongly assuming that Spring’s annotation @Nullable is equivalent to @javax.annotation.Nullable (weak nullness assumption), while it should be considered as a strong nullness assumption (closer to @javax.annotation.CheckForNull). The two annotations sharing the same name probably led to the error in our implementation.

I created the following ticket to handle it: SONARJAVA-3447

Cheers,
Michael
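
The distinction described in the reply above can be read off the annotations themselves. This is an added example, not code from the thread or from SonarJava: it prints the JSR-305 `@Nonnull(when = ...)` meta-annotation each of the three annotations carries. It assumes spring-core and the jsr305 jar are both on the classpath; the class name `NullnessStrength` and the strong/weak labels it prints are this example's own.

```java
import java.lang.annotation.Annotation;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.meta.When;

public class NullnessStrength {

    /**
     * Returns the JSR-305 "when" qualifier an annotation carries through its
     * @Nonnull meta-annotation, or null if none is visible at runtime
     * (for example because the jsr305 jar is missing from the classpath).
     */
    static When strengthOf(Class<? extends Annotation> annotation) {
        Nonnull meta = annotation.getAnnotation(Nonnull.class);
        return meta == null ? null : meta.when();
    }

    public static void main(String[] args) {
        Map<String, Class<? extends Annotation>> candidates = new LinkedHashMap<>();
        candidates.put("javax.annotation.Nullable", javax.annotation.Nullable.class);
        candidates.put("javax.annotation.CheckForNull", javax.annotation.CheckForNull.class);
        candidates.put("org.springframework.lang.Nullable", org.springframework.lang.Nullable.class);

        candidates.forEach((name, type) -> {
            When when = strengthOf(type);
            // Labels are this example's reading of the reply's terminology:
            // MAYBE   -> callers are expected to null-check ("strong")
            // UNKNOWN -> nothing definitive is claimed ("weak")
            String label = when == When.MAYBE ? "strong (null check expected)"
                    : when == When.UNKNOWN ? "weak (nothing definitive claimed)"
                    : "no JSR-305 meta-annotation visible";
            System.out.printf("%-36s when=%-8s %s%n", name, when, label);
        });
    }
}
```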
