squid:S1948 False positive when using constructor or setter injection

  • versions used
    • SonarQube 8.0.0 Community, sonar-maven-plugin 3.7.0-1746, SonarJava 5.14.0.18788
    • SonarCloud, sonar-maven-plugin 3.7.0-1746
  • minimal code sample to reproduce:
package net.bis5.s1948;

import javax.inject.Inject;
import javax.annotation.PostConstruct;
import javax.enterprise.context.SessionScoped;
import java.io.Serializable;

@SessionScoped
public class S1948App implements Serializable {

    /** Field injection */
    @Inject CdiManagedBean field1; // no problem

    /** Constructor injection */
    private final CdiManagedBean field2; // False positive: Make "field2" transient or serializable.

    /** Setter injection */
    private CdiManagedBean field3; // False positive: Make "field3" transient or serializable.
    
    @Inject
    public S1948App(CdiManagedBean bean) {
        this.field2 = bean;
    }

    @Inject
    public void setField3(CdiManagedBean bean) {
        this.field3 = bean;
    }
    public CdiManagedBean getField3() {
        return field3;
    }

    @PostConstruct
    public void initialize() {
        field1.sayHello();
        field2.sayHello();
        field3.sayHello();
    }
}