Skip to content

SONARJAVA-4698 Fix false positive in S1191 when variable is named "sun" #5352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

SONARJAVA-4698 Fix false positive in S1191 when variable is named "sun" #5352

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
66bc890
SONARJAVA-4698 Fix false positive in S1191 when variable is named "sun"
benzonico Nov 12, 2025
e7e84f4
SONARJAVA-4698 Address PR review comments
benzonico Nov 13, 2025
72dd782
SONARJAVA-4698 Prefer avoiding FPs over missing TPs when type is unknown
benzonico Nov 14, 2025
d568c34
SONARJAVA-4698 Detect all sun.* usage patterns and ensure consistent …
benzonico Nov 18, 2025
4329430
SONARJAVA-4698 Fix autoscan test by requiring bytecode for import det…
benzonico Nov 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions ...-test-sources/default/src/main/files/non-compiling/checks/SunPackagesUsedCheckSample.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,15 @@ public Object uselessMethod() {

// SONARJAVA-4698: False positive when variable is named "sun"
public void fooWithFieldNamedSun() {
sun.toString(); // Compliant - FP: "sun" is a field of type Object, not a sun.* package class
sun.toString(); // Compliant - "sun" is a field of type Object, not a sun.* package class
}

public void barWithParameterNamedSun(Object sun) {
sun.toString(); // Compliant - FP: "sun" is a parameter of type Object, not a sun.* package class
sun.toString(); // Compliant - "sun" is a parameter of type Object, not a sun.* package class
}

public void bazWithLocalVariableNamedSun() {
Object sun = new Object();
sun.toString(); // Compliant - FP: "sun" is a local variable of type Object, not a sun.* package class
sun.toString(); // Compliant - "sun" is a local variable of type Object, not a sun.* package class
}
}
25 changes: 25 additions & 0 deletions java-checks-test-sources/default/src/main/java/checks/SunPackagesUsedCheckSample.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
package checks;

class SunPackagesUsedCheckSample {
private Object sun; // variable named "sun"

// SONARJAVA-4698: Variables named "sun" should not trigger the rule
public void fooWithFieldNamedSun() {
sun.toString(); // Compliant - "sun" is a field of type Object, not a sun.* package class
}

public void barWithParameterNamedSun(Object sun) {
sun.toString(); // Compliant - "sun" is a parameter of type Object, not a sun.* package class
}

public void bazWithLocalVariableNamedSun() {
Object sun = new Object();
sun.toString(); // Compliant - "sun" is a local variable of type Object, not a sun.* package class
}

// Actual sun.* package usage - should trigger the rule
public void useSunMiscUnsafe() {
sun.misc.Unsafe unsafe = null; // Noncompliant {{Use classes from the Java API instead of Sun classes.}}
// ^^^^^^^^^^^^^^^
}
}
14 changes: 8 additions & 6 deletions java-checks/src/main/java/org/sonar/java/checks/SunPackagesUsedCheck.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,13 +79,15 @@ private static boolean isActuallySunPackage(MemberSelectExpressionTree tree) {
// Check if the expression's type actually comes from a sun.* package
// This prevents false positives when a variable is named "sun"
var type = tree.expression().symbolType();
if (type.isUnknown()) {
// If we can't determine the type, we should still check to avoid missing real issues
// In this case, rely on the string-based check
return true;
if (!type.isUnknown()) {
// When we have type information, use it to determine if it's actually a sun.* package
String fullyQualifiedName = type.fullyQualifiedName();
return fullyQualifiedName.startsWith("sun.");
}
String fullyQualifiedName = type.fullyQualifiedName();
return fullyQualifiedName.startsWith("sun.");
// When type is unknown (non-compiling code), we can't use semantic analysis
// In this case, rely on the string-based check which has already been done
// This means we may miss some FPs in non-compiling code, but we'll catch them with proper semantic analysis
return true;
Copy link
Contributor

@andreaguarino andreaguarino Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like the same logic as before, with the condition reversed. In my opinion, if we don't have semantic information available, we should return false to prevent annoying FPs in our users' code, e.g. a user on SQC, with AutoScan, is going to get FPs on variables called "sun"

}

private boolean isExcluded(String reference) {
Expand Down
8 changes: 8 additions & 0 deletions java-checks/src/test/java/org/sonar/java/checks/SunPackagesUsedCheckTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,12 @@ void check_with_exclusion() {
.verifyIssues();
}

@Test
void detected_with_semantic() {
CheckVerifier.newVerifier()
.onFile(TestUtils.mainCodeSourcesPath("checks/SunPackagesUsedCheckSample.java"))
.withCheck(new SunPackagesUsedCheck())
.verifyIssues();
}

}
Loading