java rule False Positive with squid:UnusedPrivateMethod when parameter is a method call


ext.roger...@tieto.com

May 24, 2017, 9:03:23 PM
to SonarQube
Tested and cleaned up the example from earlier today

SonarQube 6.3.1

package com.hoxina.fpprivate;

import java.util.UUID;

import lombok.Data;

public class SonarFPPrivate {

    @Data
    private static class OtherClass {
        private UUID id;   // Lombok's @Data generates getId()/setId()
    }

    private OtherClass lstSvc = new OtherClass();

    public void loadSettings() {
        // the only caller of the private overload; the argument is a generated getter call
        loadSettings(lstSvc.getId());
    }

    // @SuppressWarnings("squid:S106")
    private void loadSettings(UUID uuid) {
        System.out.format("Executed UUID:%s%n", uuid);
    }

    public static void main(String[] args) {
        new SonarFPPrivate().loadSettings();
    }
}

sonar.projectKey=com.hoxina:SonarFPPrivate
sonar.projectName=SonarFPPrivate
sonar.projectVersion=1.0

sonar.sources=.
sonar.java.binaries=com/hoxina/fpprivate/
sonar.java.libraries=lib/*.jar

sonar.sourceEncoding=UTF-8

Compiled, executed and analyzed like this:

javac -classpath lib/lombok.jar com/hoxina/fpprivate/SonarFPPrivate.java
java -classpath lib/lombok.jar:. com.hoxina.fpprivate.SonarFPPrivate
/opt/sonarqube/sonar-scanner-3.0.3.778-linux/bin/sonar-scanner -X

This false positive might be a false positive, as one thing confuses me: why do .class and .jar files get language 'null'?
02:53:47.256 INFO: Index files
02:53:47.265 DEBUG: 'com/hoxina/fpprivate/SonarFPPrivate$OtherClass.class' indexed with language 'null'
02:53:47.266 DEBUG: 'com/hoxina/fpprivate/SonarFPPrivate.class' indexed with language 'null'
02:53:47.266 DEBUG: 'com/hoxina/fpprivate/SonarFPPrivate.java' indexed with language 'java'
02:53:47.266 DEBUG: 'lib/lombok.jar' indexed with language 'null'
02:53:47.269 DEBUG: 'sonar-project.properties' indexed with language 'null'
02:53:47.270 INFO: 5 files indexed

Another really interesting fact is that uncommenting the @SuppressWarnings will remove this error too...

Tibor Blenessy

May 29, 2017, 4:49:55 AM
to ext.roger...@tieto.com, SonarQube
Hello,

The version 6.3.1 you are providing is the version of the SonarQube server; however, the analysis is done by the SonarJava analyzer, which is installed as a plugin in the SonarQube server and has an independent release cycle. If possible, it is always good to use the latest version of the plugin, which can be upgraded via the Update Center.

However, in your example you are not providing the dependencies (bytecode) to the analysis correctly. It will be easier to analyze your project if you separate your sources from the compiled code and libraries. This is also the reason you see "null" language messages in the log: because everything is in the current directory, class files are interpreted as source files. Also, the package name should not be part of the sonar.java.binaries property, just the top-level directory where class files are generated (this is usually set by the -d option of javac).

It is usually easier to set up the analysis via Maven or Gradle and use the SonarQube scanner for the specific build system; this way these properties are set up automatically.

About the annotation: the rule will not report on annotated methods, to avoid false positives for methods which are used by some frameworks via reflection and similar techniques.

Hope that helps,

Tibor

--

Tibor Blenessy | SonarSource

SonarJava Developer

http://sonarsource.com 
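As an added illustration of the layout the reply recommends (not code from either poster), the script below writes a sonar-project.properties that keeps sources, javac -d output and libraries in separate directories, and includes a small check that flags the original flat configuration (sonar.sources=. with bytecode underneath it), which is what causes .class and .jar files to be indexed as sources. The directory names src/, target/classes and lib/ are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout:
#   src/            -> .java files only
#   target/classes  -> output of javac -d
#   lib/            -> third-party jars (lombok.jar)

# Write a properties file whose binaries and libraries live outside sonar.sources.
write_sonar_props() {
  props="$1"
  cat > "$props" <<'EOF'
sonar.projectKey=com.hoxina:SonarFPPrivate
sonar.projectName=SonarFPPrivate
sonar.projectVersion=1.0
sonar.sourceEncoding=UTF-8
# only .java files live here, so nothing is indexed with language 'null'
sonar.sources=src
# top-level directory passed to javac -d, without the package path appended
sonar.java.binaries=target/classes
sonar.java.libraries=lib/*.jar
EOF
}

# Return 0 when sonar.java.binaries does not sit inside sonar.sources,
# i.e. compiled classes will not be picked up as source files.
binaries_outside_sources() {
  props="$1"
  sources=$(sed -n 's/^sonar\.sources=//p' "$props")
  binaries=$(sed -n 's/^sonar\.java\.binaries=//p' "$props")
  case "$sources" in
    .|./) return 1 ;;               # everything under the project root counts as source
  esac
  case "$binaries" in
    "$sources"/*) return 1 ;;       # output directory nested under the source directory
  esac
  return 0
}

# Compile into target/classes so bytecode does not land next to the sources.
build() {
  mkdir -p target/classes
  javac -d target/classes -classpath lib/lombok.jar $(find src -name '*.java')
}
```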
