SonarJava 5.3 squid:S2589 false positive for nullable value from spring-web if project does depend on findbugs:jsr305


andreas...@coremedia.com

May 26, 2018, 9:41:00 AM
to SonarQube
Hi,

SonarJava 5.3.0 reports a violation for squid:S2589 for the following example code:

package com.example;

import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

public class S2589 {

    public void m() {
        // getRequestAttributes() is annotated @org.springframework.lang.Nullable
        RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
        if (attributes != null) { // <--- S2589 : Remove this expression which always evaluates to "true"
            System.out.println("foo");
        }
    }
}

The checked Maven module has just one declared dependency:

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>5.0.2.RELEASE</version>
    </dependency>

The return value of RequestContextHolder.getRequestAttributes() is annotated with org.springframework.lang.Nullable which indicates a possible null return value, so the null check makes sense here.

Interestingly, S2589 does not report a violation if I add a dependency on findbugs jsr305 in the checked module:

    <dependency>
        <groupId>com.google.code.findbugs</groupId>
        <artifactId>jsr305</artifactId>
        <version>2.0.3</version>
        <scope>provided</scope>
    </dependency>

But this should not be necessary, as the code does not directly use FindBugs annotations.

Is this a known bug? Any plans to fix it?

Thank you,
Andreas

Michael Gumowski

Jun 8, 2018, 11:25:09 AM
to andreas...@coremedia.com, SonarQube
Hello Andreas,

It's indeed a false positive... which is a bit tricky, as it indeed disappears when adding a dependency on JSR-305.

The reason for this issue's disappearance is that, if you look at the definition of org.springframework.lang.Nullable, the annotation itself uses the @Nonnull annotation from the JSR as a meta-annotation to describe its behavior.

SonarJava should be able to (and actually is able to) handle meta-annotations, as long as the bytecode is fully provided. In this case, it means that you would need to provide the bytecode of JSR-305 in order to allow our semantic engine to fully resolve the meta-annotations, and consequently understand that the @Nullable annotation from eclipse is equivalent to @Nonnull(when = When.MAYBE) from JSR-305.

Now, I agree with you: you should not need to explicitly add JSR-305 to make these issues disappear, even if they are using the adequate annotation as a meta-annotation. I consequently created the following ticket to handle it: SONARJAVA-2785

Cheers,
Michael


--
Michael Gumowski | SonarSource
Software Developer, Language Team
https://www.sonarsource.com
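The meta-annotation chain Michael describes, as an added example that is not part of the thread and not SonarJava's or Spring's own code. It defines local stand-ins (package example.meta, assumed names) that mirror the shape of javax.annotation.Nonnull, javax.annotation.meta.When and org.springframework.lang.Nullable, so it compiles and runs offline without either library on the classpath, and it implements the resolution step an analyzer has to perform: a nickname annotation like @Nullable says nothing by itself, and its nullability is only known once the @Nonnull(when = ...) meta-annotation on its declaration can be loaded and followed.

```java
package example.meta;

import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.AnnotatedElement;
import java.util.HashSet;
import java.util.Set;

public class MetaNullability {

    // Stand-in for javax.annotation.meta.When (JSR-305); same constant names.
    enum When { ALWAYS, UNKNOWN, MAYBE, NEVER }

    // Stand-in for javax.annotation.Nonnull: the type qualifier that carries the
    // actual nullability information in its "when" attribute.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD, ElementType.ANNOTATION_TYPE})
    @interface Nonnull { When when() default When.ALWAYS; }

    // Stand-in for org.springframework.lang.Nullable: a nickname with no
    // nullability semantics of its own; it inherits them from the JSR-305
    // meta-annotation on its declaration.
    @Nonnull(when = When.MAYBE)
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD})
    @interface Nullable {}

    // Stand-in for org.springframework.lang.NonNull, the mirror image.
    @Nonnull
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD})
    @interface NonNull {}

    /**
     * Resolve the nullability of an element by following meta-annotations,
     * the way a semantic engine has to. Returns null when no resolvable
     * annotation says anything, which is the safe answer: an analyzer must
     * not report a null check as redundant on an unknown value.
     */
    static When nullability(AnnotatedElement element) {
        return resolve(element, new HashSet<>());
    }

    private static When resolve(AnnotatedElement element, Set<Class<?>> seen) {
        for (Annotation a : element.getAnnotations()) {
            if (a instanceof Nonnull) {
                return ((Nonnull) a).when();          // direct qualifier: done
            }
            Class<? extends Annotation> type = a.annotationType();
            if (seen.add(type)) {                     // guard against cycles
                When meta = resolve(type, seen);      // follow the nickname
                if (meta != null) {
                    return meta;
                }
            }
        }
        return null;                                  // unresolved: unknown
    }

    // Constructed sample: one method per annotation situation.
    static class Holder {
        @Nullable static Object maybe() { return null; }
        @NonNull static Object always() { return new Object(); }
        static Object unannotated() { return null; }
    }

    static When of(String method) throws NoSuchMethodException {
        return nullability(Holder.class.getDeclaredMethod(method));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("maybe():       " + of("maybe"));
        System.out.println("always():      " + of("always"));
        System.out.println("unannotated(): " + of("unannotated"));
    }
}
```

Read the result as a rule for S2589: When.MAYBE means a null check on the value is justified, When.ALWAYS means the check really is redundant, and a null result means the chain could not be resolved, so the rule has no grounds to report. The @Nullable method only yields MAYBE because the declaration of @Nullable, with its @Nonnull meta-annotation, is loadable; if the class holding @Nonnull is absent from the classpath the walk through the annotation type finds nothing, which is exactly the situation in the thread when jsr305 is not a dependency of the analysed module.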