sonarqube + lombok = false positives

Question

import lombok.Data;

@Data
public class Filter {
    private Operator operator;
    private Object value;
    private String property;
    private PropertyType propertyType;
}

For code above there are 4 squid:S1068 reports about unused private fields. (even they are used by lombok generated getters). I've seen that some fixes related to support of "lombok.Data" annotation have been pushed, but still having these annoying false positives.

Versions: SonarQube 6.4.0.25310
SonarJava 4.13.0.11627
SonarQube scanner for Jenkins (2.6.1)

You can write your own rule,I mean overide squid:S1068 and add a test of the presence of lombok import and @Data. — Maxence Lecointe, Sep 22 '17 at 12:39
@MaxenceLecointe no need to override anything, this is natively supported. That would also be the worst possible approach. If you are not satisfied with a rule, you better disable SonarQube rule and write your own custom rule: https://docs.sonarqube.org/display/PLUG/Custom+Rules+for+Java — Wohops, Sep 22 '17 at 12:59
In fact @Michael-SonarSourceTeam this is what I done, I wrote my own rule for this case and disabled the original rule. I'm wrong with the use of word 'overide' — Maxence Lecointe, Sep 22 '17 at 13:03

score 35 · Accepted Answer · edited Jun 11 '22 at 10:54

35

This case should be perfectly handled by SonarJava. Lombok annotations are taken into account at least since version 3.14 (SONARJAVA-1642). The issues you are getting are resulting from a misconfiguration of your Java project. No need to write any custom rules to handle this, this is natively supported by the analyzer.

SonarJava reads bytecode to know which annotation are used. Consequently, if you are not providing bytecode from your dependencies, on top of bytecode from your own code, the analyzer will behave erratically.

In particular, setting property sonar.java.libraries should solve your issue. Note that this property is normally automatically set when using SonarQube maven or gradle scanners.

Please have a look at documentation in order to correctly configure your project: https://docs.sonarqube.org/display/PLUG/Java+Plugin+and+Bytecode

edited Jun 11 '22 at 10:54

wviana

1,619
2
19
47

answered Sep 22 '17 at 12:57

Wohops

3,071
18
29

2

Now I don't know how to set `sonar.java.libraries` in jenkins scanner plugin. using `sonar.java.libraries=$HOME/.m2/**/*.jar` for now. – okutane Sep 22 '17 at 13:46
5

What should be the actual value for sonar.java.libraries? Do we set ${classpath} or just the path of lombok.jar? – user3709525 Jan 30 '18 at 18:12
@user3709525 the (root) folder(s) where all the libraries required by your code to run (jars) are placed. – Wohops Jan 31 '18 at 07:27
keep in mind that the lombok dependecy itself is not needed at runtime and can be added as being used only at compile-time. – mrt181 May 09 '18 at 16:02
I have still the same problem with sona-java in codeclimate. Setting the `sonar.java.libraries` property doesn't work. Did something change? – Florian Rusch Sep 19 '19 at 12:55
simple.. add your lombok pojo's to sonar exlusions in property file "sonar.exclusions=/path/toyour/pojopackage/*" – Stunner Feb 19 '21 at 09:54
example: sonar.exlusions=**/pojo/* :-- this will exclude all the classes in pojo directory. – Stunner Feb 19 '21 at 09:55

score 17 · Answer 2 · edited Jun 25 '21 at 09:28

17

I added following property to Sonar analysis properties file. And it works for me.

sonar.java.libraries=${env.HOME}/.m2/repository/org/projectlombok/lombok/**/*.jar

lombok v1.16.20 is lombok version on my project.

edited Jun 25 '21 at 09:28

user11153

8,536
5
47
50

answered May 29 '18 at 10:56

Barış Özdemir

399
3
6

Ry.xn · Answer 3 · 2023-03-01T15:53:46.523

3

I'm using sonar-maven-plugin 3.4.0.905, lombok 1.16.18, with SonarQube CE Server v8.3.1.

I resolved the issue by adding <sonar.java.libraries>target/classes</sonar.java.libraries> to the POM properties.

<project>
    ...
    <properties>
        <sonar.java.libraries>target/classes</sonar.java.libraries>
    </properties>
    ...
</project>

edited Mar 01 '23 at 15:53

answered Jan 15 '21 at 02:19

Ry.xn

162
2
6

Where to put this in in pom.xml? – Drishti Jain Mar 01 '23 at 12:48

score 0 · Answer 4 · answered Nov 18 '22 at 13:45

The answer suggested by Wohops and Barış Özdemir worked for me. Posting this answer because in my scenario, it took some time to figure out how to implement it because my CI builds are running in Travis and we don't know the path where the lombok-x.x.x.jar file will be downloaded because there is no much control we have on travis environment where the build runs.

I used my build tool (Gradle) to implement it. Following configuration in build.gradle ensured that as part of building of the project, all the jar dependencies get copied to ${buildDir}/output/libs

task copyToLib(type: Copy) {
    into "${buildDir}/output/libs"
    from configurations.runtime
}
build.dependsOn(copyToLib)

And then as mentioned in the previous answers, I configured the property in the sonar-project.properties file to this libs directory.

sonar.java.libraries=/home/travis/build/xxxxxx/build/output/libs/lombok-1.16.20.jar

Hope this helps.

Cheers.

score -1 · Answer 5 · edited Jan 21 '21 at 22:37

-1

You can configure the ignore issue rules:

sonar.issue.ignore.multicriteria=e1
sonar.issue.ignore.multicriteria.e1.ruleKey=java:S1068

edited Jan 21 '21 at 22:37

Display Name is missing

6,197
3
34
46

answered Jan 21 '21 at 19:36

Jose Fernando U.

1

this will mute the sonar to avoid any unused private field irrespective of lombok which merely fails the very motive of sonar. Hence not recommended. – Sundar Rajan Oct 06 '22 at 08:33

sonarqube + lombok = false positives

5 Answers5

Linked

Related