SuppressWarnings is not considered for java findbugs

Sonarqube 8.5 with Findbugs 4.0.0

I don’t know if this problem is related to SonarQube itself or the findbugs plugin.
The @SuppressWarnings annotation is ignored for findbugs issues, which is really annoying.

Sample code:

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

@SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
private Path getBackupPath() throws IOException {
  Path backupPath;
  String backupDirFromSettings = "foo";
  // Test if "backupPath" is a valid path
  backupPath = Paths.get(backupDirFromSettings).normalize();
  // create the directory at backupPath if it does not exist yet
  Files.createDirectories(backupPath);
  // test if the backup path is accessible
  if (!Files.isWritable(backupPath)) {
    throw new IOException(String.format("Configured settings path (\"%s\") is non-writable", backupPath.toAbsolutePath()));
  }
  return backupPath;
}

Sonar still shows an issue:

  This API (java/nio/file/Paths.get(Ljava/lang/String;[Ljava/lang/String;)Ljava/nio/file/Path;) reads a file whose location might be specified by user input

Kind regards,
Michael
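The rule being suppressed above points at a genuine sink: Paths.get on a value that, outside this sample, comes from settings, so the annotation hides the finding rather than removing the risk. The following is an added example, not code from the original post or from SonarSource, showing the same method rewritten so the configured directory is constrained to an allowed base directory and the finding no longer needs suppressing. The BackupPaths class name and the allowedBase and configuredDir parameters are assumptions introduced for the illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: constrain the configured backup directory instead of
// suppressing PATH_TRAVERSAL_IN. Class and parameter names are assumptions.
public final class BackupPaths {

    private BackupPaths() {
    }

    /**
     * Resolve a configured backup directory, accepting it only when it stays
     * inside {@code allowedBase}. The check runs before any filesystem side
     * effect (createDirectories), so a traversal attempt creates nothing.
     */
    public static Path resolveBackupPath(Path allowedBase, String configuredDir) throws IOException {
        Path base = allowedBase.toAbsolutePath().normalize();
        // Resolve relative to the base so an absolute configured value cannot
        // replace it, then normalize so ".." segments are collapsed before the
        // prefix check.
        Path candidate = base.resolve(configuredDir).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException(String.format(
                "Configured backup directory (\"%s\") escapes allowed base (\"%s\")",
                configuredDir, base));
        }
        Files.createDirectories(candidate);
        if (!Files.isWritable(candidate)) {
            throw new IOException(String.format(
                "Configured settings path (\"%s\") is non-writable", candidate));
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Paths.get(System.getProperty("java.io.tmpdir"), "app-backups");
        // A plain sub-directory stays under the base and is accepted.
        System.out.println(resolveBackupPath(base, "nightly"));
        // A traversal attempt escapes the base and is rejected before anything is created.
        try {
            resolveBackupPath(base, "../../etc");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The prefix check is lexical: normalize() collapses ".." but does not follow symlinks. If the base directory tree may contain symlinks pointing outside it, compare toRealPath() results after the directory exists, or refuse configured values that contain path separators at all.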

Hey @reitzmichnicht,

If you want the short version, this behavior was working fine before and continues to work on the current SonarQube (SQ) 7.9 LTS. For the SQ 8.x series, this is considered a regression and we are working on restoring it very soon (SONARJAVA-3544). The revert will hopefully be effective for SQ 8.6.

With more details:

  • In the past, it’s the SQ Java Analyzer which was manually removing any issue from a rule having its key mentioned in @SuppressWarnings, from whatever source/analyzer it was coming, as long as it was reported using the SQ issue reporting API.
  • The SQ API allowing filtering has been deprecated for a while and was expected to be dropped with the new LTS to come (8.x).
  • To not rely on deprecated API, starting from version 6.4, the Java Analyzer reworked its approach to filter out ONLY issues raised by our own analyzer (SONARJAVA-3241), with the side effect of letting any issues from other analyzers go through.
  • This impacts all the subsequent SQ 8.x series including the Java Analyzer >= 6.4 (the LTS staying on 6.3.Y).
  • Now, since we cannot assume all Java-related 3rd party plugins are going to adapt and filter out suppressed issues on their side, we are going to revert that change (SONARJAVA-3544).
  • The fix is expected to be delivered with our next release, to be included in SQ 8.6.

You might find other information here:

Hope this helps,
Michael

Thanks for the info; this will surely help, but it produced a lot of trouble in the past months.
