SonarQube java plugin Unused "private" methods should be removed (squid:UnusedPrivateMethod) bug


parfe...@gmail.com

Aug 22, 2016, 4:09:23 AM
to SonarQube
Code example:

    public void post() {
        AuthType authType = authTypeRepository.findOne(3L);
        if (authType != null) {
            someMethod(authType.getName());
        }
    }

    private void someMethod(String test) {
        LOG.debug(test);
    }

SonarQube marks "someMethod" as unused private method. It's a bug.

SonarQube 6.0, Java 1.8, SonarQube Java Plugin 4.1

Nicolas Peru

Aug 22, 2016, 4:54:02 AM
to parfe...@gmail.com, SonarQube
Hi, 

(It is always appreciated to say Hi and Thank you around here; it helps things go smoother.)

Would you mind specifying how you are triggering your analysis? Is it from SonarLint? And more specifically: how do you provide the bytecode of the AuthType type to the analyzer? Is it part of an external lib or of your project?

What is most probably happening here is that this type is not read, thus the getName method cannot be resolved and so "someMethod" can't be resolved.

Cheers, 

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/ff0868c0-e893-474e-8b5c-d3935b77731c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com

parfe...@gmail.com

Aug 22, 2016, 5:41:00 AM
to SonarQube, parfe...@gmail.com
This example was created using SonarLint for IntelliJ IDEA.
I get the same results on the server through the TeamCity SonarQube analysis.

In all cases of this error, the private method is called from a private method after certain conditions are met, whose outcome is not obvious in advance. For example, the condition may be a check on a response from the database or a third-party service. It looks like the Sonar rule wrongly implies that the condition is not feasible.

Nicolas Peru

Aug 22, 2016, 8:51:46 AM
to parfe...@gmail.com, SonarQube
Hi, 

Could you specify the version of SonarLint for IntelliJ that you are using? Can you also specify how your analysis is triggered and configured on your TeamCity server (i.e. which scanner are you using? Are you using Maven?)

Just a note: your last paragraph makes some assumptions about how the Sonar Java analyzer works which are wrong. The unused private method check relies solely on semantic analysis and not on dataflow analysis.

Cheers, 




Nicolas Peru

Aug 22, 2016, 8:55:22 AM
to parfe...@gmail.com, SonarQube
Hi, 

If you could also specify which version of IntelliJ you are using, that would be great.

Thanks.

parfe...@gmail.com

Aug 22, 2016, 9:15:46 AM
to SonarQube, parfe...@gmail.com
Hi,

SonarLint version 2.3
IntelliJ IDEA 2016.2.2
JDK 1.8.0_91 x64
TeamCity uses the JetBrains Sonar plugin https://github.com/JetBrains/TeamCity.SonarQubePlugin after building the project with Maven and passing all tests.
The plugin is configured as described in https://confluence.jetbrains.com/display/TW/SonarQube+Integration

On Monday, August 22, 2016 at 17:55:22 UTC+5, Nicolas Peru wrote:

Johan "Johnnei"

Aug 22, 2016, 12:47:34 PM
to SonarQube, parfe...@gmail.com
Hi,

I would like to add that several developers in my company project have discovered FPs on this rule since the upgrade to SonarLint 2.3. However, I haven't been able to create a reproducer for this (as I can't post the actual sources), so I couldn't make a post which would be of any help.
There is a difference in my case though. When we run the analysis through maven the issue is (correctly) not reported.

Kind regards,

Johan.

Johan "Johnnei"

Aug 22, 2016, 5:31:04 PM
to SonarQube, parfe...@gmail.com
Hi,

As a follow-up: there is an issue with SonarLint in IntelliJ not providing the bytecode to the Java plugin (which is known to cause more FPs and FNs). I've been looking into why and made a PR for it: https://github.com/SonarSource/sonarlint-intellij/pull/38
And now I'll shush so as not to hijack this thread any further, as this thread's issue seems slightly different from mine.

Kind regards,

Johan.

Duarte Meneses

Aug 23, 2016, 5:28:53 AM
to SonarQube, parfe...@gmail.com
Thanks Johan, I've tested and merged your P/R.
I also created a ticket to track the issue: https://jira.sonarsource.com/browse/SLI-103

Could you guys please test it by installing from the following zip?
https://repox.sonarsource.com/sonarsource-public-releases/org/sonarsource/sonarlint/intellij/sonarlint-intellij/2.4-build948/SonarLint-2.4-build948.zip

parfe...@gmail.com

Aug 23, 2016, 8:27:40 AM
to SonarQube, parfe...@gmail.com
Hi,
Thanks for fixing the SonarLint plugin for IntelliJ!

With SonarLint 2.4-build948 the issue has been resolved.
With a local analysis run via sonar-maven-plugin the issue does not appear.

But TeamCity via SonarQube Runner still produces false positive issues on UnusedPrivateMethod.

Nicolas Peru

Aug 23, 2016, 8:54:16 AM
to parfe...@gmail.com, SonarQube
Hi, 

Good to know the problem is solved in SonarLint.
The issue on TeamCity is a separate problem.
This is most likely due to a misconfiguration of your analysis where the compiled classes (bytecode) are not provided properly to the Sonar Java analyzer. So could you share the logs and the values of the sonar.java.binaries/sonar.java.libraries properties?

Cheers, 



milk...@web.de

Aug 27, 2016, 11:36:01 AM
to SonarQube, parfe...@gmail.com
I get the same false positives with sonarlint 2.2.1 for eclipse. Is there any fix available or planned for eclipse plugin too?

Julien HENRY

Aug 29, 2016, 6:18:24 AM
to SonarQube, parfe...@gmail.com, milk...@web.de
Hi,

> I get the same false positives with sonarlint 2.2.1 for eclipse. Is there any fix available or planned for eclipse plugin too?

If you are using connected mode you have to update the Java plugin on your SonarQube server to version 4.2, then refresh SonarLint configuration using "Update all project bindings" in SonarQube server view.

++

Julien 

milk...@web.de

Aug 30, 2016, 2:48:15 AM
to SonarQube, parfe...@gmail.com, milk...@web.de
Hi.
Yes, I think we are using connected mode. At least we bind the project in Eclipse to the server projects.

But the false positives are only shown in Eclipse, not in the analysis performed via Maven and stored on the server. So will updating the Java plugin really help?

Brian Sperlongano

Aug 30, 2016, 9:23:33 AM
to SonarQube, parfe...@gmail.com, milk...@web.de
Hi - It made them go away for me.

milk...@web.de

Aug 31, 2016, 5:16:21 PM
to SonarQube, parfe...@gmail.com, milk...@web.de
Quite strange. On my desktop with Eclipse Neon there are no false positives. I never saw them there, independent of the Sonar Java plugin version. On my notebook with Eclipse Mars the false positive is still there, although we updated the Java plugin to 4.2 and I updated all project bindings.

Duarte Meneses

Sep 1, 2016, 3:43:35 AM
to SonarQube, parfe...@gmail.com, milk...@web.de
Could you please post the SonarLint analysis log with debug enabled when running it in Mars?
We are especially interested to see the classpath configured in the analysis properties.

milk...@web.de

Sep 3, 2016, 11:25:23 AM
to SonarQube, parfe...@gmail.com, milk...@web.de
I found two perhaps interesting points in the debug log:
a)
Could not complete symbolic execution: 
org.sonar.java.se.ExplodedGraphWalker$MaximumStepsReachedException: reached limit of 16000 steps for method getRectangleTextLines in class StammdatenSvgBuilder

b)
JavaClasspath initialization
Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property
JavaClasspath initialization (done) | time=0ms


The project is a multi module maven project. Of course it builds fine in eclipse and console via maven. 

The method recognized as unused is a private method of the class. But in all calls of the method, one of its parameters contains a call to another static method of another module of the project. If I add a call to the private method which does not call methods of other modules, the false positive goes away.

Does this help to find the cause of the FP?
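
The analyzer warning quoted in the post above can be turned into a CI gate, so that an analysis which ran without dependency bytecode is not trusted silently. This is an added example, not part of the original thread or of SonarSource's code; the function names, file names and sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files are constructed; the warning
# text is the analyzer message quoted in the post above.
WARNING='Bytecode of dependencies was not provided for analysis of source files'

# check_log LOG: 0 = no warning, 1 = analyzer lacked dependency bytecode,
# 2 = log unreadable (no evidence either way, so callers should fail closed).
check_log() {
    [ -r "$1" ] || return 2
    if grep -qF "$WARNING" "$1"; then return 1; fi
    return 0
}

# missing_props FILE: print each classpath property that is absent or empty.
# Only the plain "key=value" form of a properties file is recognised.
missing_props() {
    for key in sonar.java.binaries sonar.java.libraries; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep -E
        grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*[^[:space:]]" "$1" \
            || echo "$key"
    done
}

# make_samples: write constructed inputs to a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/bad.log" <<'EOF'
JavaClasspath initialization
Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property
JavaClasspath initialization (done) | time=0ms
EOF
    printf '%s\n' 'JavaClasspath initialization' \
        'JavaClasspath initialization (done) | time=12ms' > "$dir/good.log"
    printf '%s\n' 'sonar.sources=src/main/java' \
        'sonar.java.binaries=target/classes' > "$dir/sonar-project.properties"
    echo "$dir"
}

d=$(make_samples)
check_log "$d/bad.log" || echo "bad.log: status $? (bytecode missing)"
check_log "$d/good.log" && echo "good.log: no missing-bytecode warning"
echo "unset in properties: $(missing_props "$d/sonar-project.properties")"
```

A non-zero status from check_log means the run's findings (and its silences) for rules that depend on type resolution should be treated as unreliable until the classpath properties are fixed.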

Michael Gumowski

Sep 5, 2016, 3:54:12 AM
to milk...@web.de, SonarQube, parfe...@gmail.com
Hey,

About what you observed:

a) The fact that symbolic execution (SE) reaches the maximum number of steps won't have any effect on the results of the "unused private methods" rule. This line only logs the fact that a given method was not fully explored by the SE engine, so rules relying on it will simply stay silent.

b) This is more interesting. Regarding your observation about the method being detected as unused or not depending on what you call, it seems to me that we don't recognize the method from the other module. I'm going to try to reproduce it with a small multi-module Maven project.

Cheers,


Michael Gumowski

Sep 14, 2016, 5:00:23 AM
to milk...@web.de, SonarQube, parfe...@gmail.com
Hey, 

Just to let you know @milkyman. I tried to reproduce the issue with a small maven multi-module project reproducing the case you describe, without success.
My configuration:
  • Eclipse 4.6,
  • SonarLint 2.2.1 connected mode,
  • SonarQube 5.6,
  • Java Analyzer 4.2
Attached to this email you'll find the project I used, trying to reproduce the issue. Feel free to have a look and update it in a way which reproduces the issue for you.

Regards,
--
Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com

milk...@web.de

Sep 15, 2016, 12:02:08 PM
to SonarQube, milk...@web.de, parfe...@gmail.com
I'm sorry, I cannot find any attached project.

Michael Gumowski

Sep 16, 2016, 11:28:23 AM
to milk...@web.de, SonarQube, parfe...@gmail.com
Oops, indeed, I apparently forgot to attach the archive!
Sorry!

It should be attached to this one.

On Thu, 15 Sep 2016 at 18:02 <milk...@web.de> wrote:
> I'm sorry, I cannot find any attached project.

multimodule_project.zip

milk...@web.de

Sep 18, 2016, 5:30:29 AM
to SonarQube, milk...@web.de, parfe...@gmail.com
Hi Michael.

I do not need to change anything. When I import the project (not using connected mode, since the project is not on the SQ server), sonarlint complains about the unused private method 
private void loadSettings(List<?> settings)

Checking your setup, I noticed that you are using Eclipse 4.6 (Neon) while I use 4.5.2 (Mars). Please review my post from 31 Aug:
"On my desktop with Eclipse Neon there are no false positives. I never saw them there, independent of the Sonar Java plugin version. On my notebook with Eclipse Mars the false positive is still there."

Perhaps you can try with Mars?