SuppressWarnings is not considered for java findbugs

Sonarqube 8.5 with Findbugs 4.0.0

I don’t know if this problem is related to Sonarqube itself or the findbugs plugin.
@SuppressWarnings annotation is ignored for findbug issues which is really annoying.

Sample code:

private Path getBackupPath() throws IOException {
  Path backupPath;
  String backupDirFromSettings = "foo";
  // Test if "backupPath" is a valid path
  backupPath = Paths.get(backupDirFromSettings).normalize();
  // create directory on backupPath if they are not existing
  // test if backup path is accessible
  if (!Files.isWritable(backupPath)) {
    throw new IOException(String.format("Configured settings path (\"%s\") is non-writable", backupPath.toAbsolutePath()));
  return backupPath;

Sonar show still an issue:

  This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a 
  file whose location might be specified by user inputWhy is this an issue?

Kind regards,

Hey @reitzmichnicht,

If you want the short version, this behavior was working fine before and continues to work on the current SonarQube (SQ) 7.9 LTS. For the SQ 8.x series, this is considered a regression and we are working on restoring it very soon (SONARJAVA-3544). The revert will hopefully be effective for SQ 8.6.

With more details:

  • In the past, it’s the SQ Java Analyzer which was manually removing any issue from a rule having its key mentioned in @SuppressWarnings, from whatever source/analyzer it was coming, as long it was reported using the SQ issue reporting API.
  • The SQ API allowing filtering has been deprecated for a while and was expected to be dropped with the new LTS to come (8.x).
  • To not rely on deprecated API, starting from version 6.4, the Java Analyzer reworked its approach to filter out ONLY issues raised by our own analyzer (SONARJAVA-3241), having for side effect to let any issues from other analyzers go through.
  • This impacts all the subsequent SQ 8.x series including the Java Analyzer >= 6.4 (the LTS staying on 6.3.Y).
  • Now, since we can not assume all Java-related 3rd party plugins are going to adapt and filter out suppressed issues on their side, we are going to revert that change (SONARJAVA-3544).
  • The fix is expected to be delivered with our next release, to be included in SQ 8.6.

You might find other information here :

Hope this helps,

Thanks for the info, this for sure will help, but produced a lot of trouble in the past months.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.