The Java analyzer relies on the JDK used to build your project and not the one used to run the scan

Hello Java developpers,

The Java analyzer was updated with a couple of improvements I hope you’ll enjoy.

JDK Home:

You can now customize which JDK should be used to resolve JDK classes. Here is why it’s a great improvement.

Until today, the Java analyzer was relying on the runtime JDK to resolve JDK classes. When the JDK of a project is different from the one used to perform the analysis, this leads to False-Positives reporting wrong and unfixable usage of JDK classes.

To illustrate this behavior, the following example defines a Java 8 project being analyzed with a JDK 11. In Java 8, the class java.util.Observable is perfectly legit, while in Java 11, the class is deprecated. This situation leads to the rule S1874 (Remove usage of deprecated classes) reporting a False-Positive, while it is OK in the context of the Java 8 project. The analyzer relied on Java 11 classes to resolve the Observable object, while it should have been fed with Java 8 classes.


// JDK 8 project analyzed with JDK 11
public abstract class A {

  void foo() {
    bar(new java.util.Observable()); // FP by java:S1874: Observable is Deprecated in Java11, not in Java8

  abstract void bar(Object o);

Starting today on SonarCloud, if you are NOT using Maven or Gradle, you will need to set the property manually to get accurate results.

3 New Rules

2 new rules were added to help you improve unit tests and 1 to better use java.util.Map “computeIfAbsent()” and “computeIfPresent()” methods.

  • S6073: Mockito argument matchers should be used on all parameters (Major - Bug)
  • S6103: AssertJ assertions with “Consumer” arguments should contain assertion inside consumers (Major - Bug)
  • S6104: Map “computeIfAbsent()” should not be used to add “null” values.

For more information, you can check the changelog.

These features are already available on SonarCloud, and will be included in SonarQube 8.7.