sonarqube + lombok = false positives

Question

import lombok.Data;

@Data
public class Filter {
    private Operator operator;
    private Object value;
    private String property;
    private PropertyType prope         


        

Answer 1

This case should be perfectly handled by SonarJava. Lombok annotations are taken into account at least since version 3.14 (SONARJAVA-1642). The issues you are getting are resulting from a misconfiguration of your Java project. No need to write any custom rules to handle this, this is natively supported by the analyzer.

SonarJava reads bytecode to know which annotation are used. Consequently, if you are not providing bytecode from your dependencies, on top of bytecode from your own code, the analyzer will behave erratically.

In particular, setting property sonar.java.libraries should solve your issue. Note that this property is normally automatically set when using SonarQube maven or gradle scanners.

Please have a look at documentation in order to correctly configure your project: https://docs.sonarqube.org/display/PLUG/Java+Plugin+and+Bytecode

Answer 2

I added following property to jenkins Sonar analysis properties. And work for me.

sonar.java.libraries=/jenkins/jenkins-user-home/.m2/repository/org/projectlombok/lombok/1.16.20/lombok-1.16.20.jar

lombok v1.16.20 is lombok version on my project.