sonarqube + lombok = false positives

Question

import lombok.Data;

@Data
public class Filter {
    private Operator operator;
    private Object value;
    private String property;
    private PropertyType propertyType;
}

For code above there are 4 squid:S1068 reports about unused private fields. (even they are used by lombok generated getters). I've seen that some fixes related to support of "lombok.Data" annotation have been pushed, but still having these annoying false positives.

Versions: SonarQube 6.4.0.25310
SonarJava 4.13.0.11627
SonarQube scanner for Jenkins (2.6.1)

Answer 1

This case should be perfectly handled by SonarJava. Lombok annotations are taken into account at least since version 3.14 (SONARJAVA-1642). The issues you are getting are resulting from a misconfiguration of your Java project. No need to write any custom rules to handle this, this is natively supported by the analyzer.

SonarJava reads bytecode to know which annotation are used. Consequently, if you are not providing bytecode from your dependencies, on top of bytecode from your own code, the analyzer will behave erratically.

In particular, setting property sonar.java.libraries should solve your issue. Note that this property is normally automatically set when using SonarQube maven or gradle scanners.

Please have a look at documentation in order to correctly configure your project: https://docs.sonarqube.org/display/PLUG/Java+Plugin+and+Bytecode

Answer 2

I added following property to Sonar analysis properties file. And it works for me.

sonar.java.libraries=${env.HOME}/.m2/repository/org/projectlombok/lombok/**/*.jar

lombok v1.16.20 is lombok version on my project.

Answer 3

I'm using sonar-maven-plugin 3.4.0.905, lombok 1.16.18, with SonarQube CE Server v8.3.1.

I resolved the issue by adding <sonar.java.libraries>target/classes</sonar.java.libraries> to the POM properties.