squid:S2583 over optimistic about use of @NotNull


(Stephen Palmer) #1

We use
*sonarQube 6.7.4
*sonarJava 5.5

squid:S2583 is interpreting @NotNull as guaranteeing that a method will not return null and is then claiming related checks for null should be removed. This is incorrect.

We found this reported in https://groups.google.com/forum/#!topic/sonarqube/e1YOkU1xLOs where we are suggested to mark such occurrences as ‘Won’t fix’. That does not fly for an enterprise with a big code base. This is a false positive and undermines an otherwise useful rule. I do not want to turn it off but not fixing this issue is causing a problem for us with developers complaining about too many false positives.

Even for @NonNull which is supposedly a stricter annotation in this regards, the advice is to keep runtime null checks see for example this Oracle blog post, which says “Optional Type Annotations are not a substitute for runtime validation”
https://blogs.oracle.com/java-platform-group/java-8s-new-type-annotations

If you are adamant about keeping this behaviour, please, could we have a flag on the rule to turn this interpretation off if we do not want such strict interpretation.