squid:S1948 False positive when using constructor or setter injection

  • versions used
    • SonarQube 8.0.0 Community, sonar-maven-plugin 3.7.0-1746, SonarJava
    • SonarCloud, sonar-maven-plugin 3.7.0-1746
  • minimal code sample to reproduce:
package net.bis5.s1948;

import javax.inject.Inject;
import javax.annotation.PostConstruct;
import javax.enterprise.context.SessionScoped;
import java.io.Serializable;

public class S1948App implements Serializable {

    /** Field injection */
    @Inject CdiManagedBean field1; // no problem

    /** Constructor injection */
    private final CdiManagedBean field2; // False positive: Make "field2" transient or serializable.

    /** Setter injection */
    private CdiManagedBean field3; // False positive: Make "field3" transient or serializable.
    public S1948App(CdiManagedBean bean) {
        this.field2 = bean;

    public void setField3(CdiManagedBean bean) {
        this.field3 = bean;
    public CdiManagedBean getField3() {
        return field3;

    public void initialize() {

Hey @maruTA-bis5,

Sorry for finally getting back to you after so long. Thanks for the feedback and the efficient reproducer, this is indeed a FP, and we should cover it. I created the following ticket to fix the rule: SONARJAVA-3467


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.