I don’t know if this problem is related to SonarQube itself or the FindBugs plugin. The @SuppressWarnings annotation is ignored for FindBugs issues, which is really annoying.
Sample code (imports and an enclosing class added so the snippet compiles as posted):

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class BackupSettings {

    @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
    private Path getBackupPath() throws IOException {
        Path backupPath;
        // Hard-coded here for the report; in the real code this comes from settings
        String backupDirFromSettings = "foo";
        // Test if "backupPath" is a valid path
        backupPath = Paths.get(backupDirFromSettings).normalize();
        // Create the directories on backupPath if they do not exist yet
        Files.createDirectories(backupPath);
        // Test if the backup path is accessible (writable)
        if (!Files.isWritable(backupPath)) {
            throw new IOException(String.format("Configured settings path (\"%s\") is non-writable", backupPath.toAbsolutePath()));
        }
        return backupPath;
    }
}
Sonar still shows an issue:
This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input
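The PATH_TRAVERSAL_IN finding above fires on any Paths.get(...) call whose argument the analyzer cannot prove is constant; the posted method normalizes the path but never checks where it ends up, so a configured value such as "../../etc" would still be accepted. Suppressing the rule is only justified when the value truly cannot be influenced by a user. The following is an added example, not code from the original post or from SonarQube, showing the containment check that makes the same method safe without suppression; the BACKUP_ROOT location and the resolveBackupDir name are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class BackupPaths {

    // Assumed base directory (hypothetical; chosen under java.io.tmpdir so the example runs anywhere).
    // Every configured backup directory must stay below this root.
    private static final Path BACKUP_ROOT =
            Paths.get(System.getProperty("java.io.tmpdir"), "app-backups").toAbsolutePath().normalize();

    // Resolves a configured, possibly user-influenced, directory name under BACKUP_ROOT and
    // rejects anything that escapes it ("../x", an absolute path, ...) before touching the filesystem.
    static Path resolveBackupDir(String configured) throws IOException {
        // resolve() returns the argument unchanged if it is absolute, so an absolute input
        // is caught by the startsWith() check just like a ".." sequence is.
        Path candidate = BACKUP_ROOT.resolve(configured).normalize();
        if (!candidate.startsWith(BACKUP_ROOT)) {
            throw new IOException("Backup directory escapes " + BACKUP_ROOT + ": " + configured);
        }
        // Same behaviour as the posted method from here on: create, then verify it is writable.
        Files.createDirectories(candidate);
        if (!Files.isWritable(candidate)) {
            throw new IOException(String.format("Backup path (\"%s\") is non-writable", candidate));
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: one legitimate, two traversal attempts.
        System.out.println("ok: " + resolveBackupDir("nightly"));
        for (String attempt : new String[] {"../../etc", "/etc"}) {
            try {
                resolveBackupDir(attempt);
                System.out.println("UNEXPECTED: accepted " + attempt);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With the check in place the analyzer may still report PATH_TRAVERSAL_IN (it does not model startsWith()), but the suppression then documents a reviewed false positive rather than hiding an unchecked path.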
If you want the short version: this behavior was working fine before and continues to work on the current SonarQube (SQ) 7.9 LTS. For the SQ 8.x series, this is considered a regression, and we are working on restoring it very soon (SONARJAVA-3544). The revert will hopefully be effective in SQ 8.6.
In more detail:
In the past, it was the SQ Java Analyzer that manually removed any issue from a rule whose key was mentioned in @SuppressWarnings, whatever source/analyzer it came from, as long as it was reported through the SQ issue reporting API.
The SQ API allowing this filtering has been deprecated for a while and was expected to be dropped with the LTS to come (8.x).
To avoid relying on the deprecated API, starting from version 6.4 the Java Analyzer reworked its approach to filter out ONLY issues raised by our own analyzer (SONARJAVA-3241), with the side effect of letting issues from other analyzers go through.
This impacts the whole SQ 8.x series, which includes Java Analyzer >= 6.4 (the LTS staying on 6.3.Y).
Now, since we cannot assume all Java-related 3rd-party plugins are going to adapt and filter out suppressed issues on their side, we are going to revert that change (SONARJAVA-3544).
The fix is expected to be delivered with our next release, to be included in SQ 8.6.