SONARJAVA-6187 S4605: improve scanning detection#5631

Merged: asya-vorobeva merged 1 commit into master from asya/SONARJAVA-6187, May 27, 2026

@asya-vorobeva asya-vorobeva commented May 27, 2026

Add support for the type-safe scanBasePackageClasses attribute on @SpringBootApplication, which was previously ignored, causing false positives for beans reachable via class-based package references.
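
An added illustration, not code from this pull request or from sonar-java: a plain-Java model of how Spring derives the scanned packages from `scanBasePackages` plus `scanBasePackageClasses`, showing why ignoring the class-based attribute makes a reachable bean look unreachable. The `com.example.app` names and the helper methods are constructed for the example.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ScanBasePackagesDemo {

  // Package part of a fully qualified class name ("" for the default package).
  static String packageOf(String fqcn) {
    int dot = fqcn.lastIndexOf('.');
    return dot < 0 ? "" : fqcn.substring(0, dot);
  }

  // Union of the string-based and class-based attributes; Spring falls back to
  // the annotated class's own package only when both attributes are empty.
  static Set<String> scannedPackages(String appClass, List<String> scanBasePackages,
                                     List<String> scanBasePackageClasses) {
    Set<String> packages = new LinkedHashSet<>(scanBasePackages);
    for (String marker : scanBasePackageClasses) {
      packages.add(packageOf(marker)); // a marker class contributes its package
    }
    if (packages.isEmpty()) {
      packages.add(packageOf(appClass));
    }
    return packages;
  }

  // A bean is reachable when its package is a scanned package or a subpackage of one.
  static boolean isReachable(String beanClass, Set<String> scanned) {
    String beanPackage = packageOf(beanClass);
    for (String p : scanned) {
      if (p.isEmpty() || beanPackage.equals(p) || beanPackage.startsWith(p + ".")) {
        return true;
      }
    }
    return false;
  }

  public static void main(String[] args) {
    String app = "com.example.app.Application"; // constructed sample names
    List<String> names = List.of("com.example.app.controller");
    List<String> markers = List.of("com.example.app.service.ServiceMarker");
    String bean = "com.example.app.service.MyService";
    // Class-based attribute ignored: the bean looks unreachable (the false positive).
    System.out.println(isReachable(bean, scannedPackages(app, names, List.of())));
    // Class-based attribute honoured: the marker's package is scanned.
    System.out.println(isReachable(bean, scannedPackages(app, names, markers)));
    // A package named by neither attribute is still outside the scan.
    System.out.println(isReachable("com.example.app.extra.ExtraService", scannedPackages(app, names, markers)));
  }
}
```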


sonarqubecloud Bot commented May 27, 2026

Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

11 issue(s) found across 5 file(s):

| Rule | File | Line | Message |
|---|---|---|---|
| java:S120 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/SpringBootApp5.java | 1 | Rename this package name to match the regular expression '^[a-z]+(.[a-z][a-z0-9])$'. |
| java:S120 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/controller/MyController.java | 1 | Rename this package name to match the regular expression '^[a-z]+(.[a-z][a-z0-9])$'. |
| java:S103 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/controller/MyController.java | 6 | Split this 227 characters long line (which is greater than 180 authorized). |
| java:S125 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/controller/MyController.java | 6 | This block of commented-out lines of code should be removed. |
| java:S139 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/controller/MyController.java | 6 | Move this trailing comment on the previous empty line. |
| java:S120 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/extra/ExtraService.java | 1 | Rename this package name to match the regular expression '^[a-z]+(.[a-z][a-z0-9])$'. |
| java:S139 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/extra/ExtraService.java | 6 | Move this trailing comment on the previous empty line. |
| java:S120 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/service/MyService.java | 1 | Rename this package name to match the regular expression '^[a-z]+(.[a-z][a-z0-9])$'. |
| java:S139 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/service/MyService.java | 6 | Move this trailing comment on the previous empty line. |
| java:S120 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/service/ServiceMarker.java | 1 | Rename this package name to match the regular expression '^[a-z]+(.[a-z][a-z0-9])$'. |
| java:S2094 | java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/service/ServiceMarker.java | 3 | Remove this empty class, write its code or make it an "interface". |

Analyzed by SonarQube Agentic Analysis in 7.2 s

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title S4605: handle scanBasePackageClasses on @SpringBootApplication SONARJAVA-6403 S4605: handle scanBasePackageClasses on @SpringBootApplication May 27, 2026

hashicorp-vault-sonar-prod Bot commented May 27, 2026

SONARJAVA-6403

@asya-vorobeva asya-vorobeva force-pushed the asya/SONARJAVA-6187 branch from 1a111c7 to 133ce45 Compare May 27, 2026 07:24
@asya-vorobeva asya-vorobeva changed the title SONARJAVA-6403 S4605: handle scanBasePackageClasses on @SpringBootApplication SONARJAVA-6187 S4605: improve scanning detection May 27, 2026

LGTM, just one comment for a test case

gitar-bot[bot]

This comment was marked as resolved.

@asya-vorobeva asya-vorobeva force-pushed the asya/SONARJAVA-6187 branch from f7df564 to 6e72aa3 Compare May 27, 2026 11:17
@gitar-bot gitar-bot Bot dismissed their stale review May 27, 2026 11:17

✅ All code review findings resolved.

@asya-vorobeva asya-vorobeva enabled auto-merge (squash) May 27, 2026 11:18
@asya-vorobeva asya-vorobeva disabled auto-merge May 27, 2026 11:19
Add support for the type-safe `scanBasePackageClasses` attribute on
`@SpringBootApplication`, which was previously ignored, causing false
positives for beans reachable via class-based package references.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@asya-vorobeva asya-vorobeva force-pushed the asya/SONARJAVA-6187 branch from 6e72aa3 to c56effc Compare May 27, 2026 11:20
@asya-vorobeva asya-vorobeva enabled auto-merge (squash) May 27, 2026 11:20
@asya-vorobeva asya-vorobeva merged commit feab27c into master May 27, 2026
15 checks passed
@asya-vorobeva asya-vorobeva deleted the asya/SONARJAVA-6187 branch May 27, 2026 11:35

gitar-bot Bot commented May 27, 2026

Code Review ✅ Approved 1 resolved / 1 findings

Adds support for the scanBasePackageClasses attribute on @SpringBootApplication to improve bean detection accuracy. The previously missing ExtraService.java test file has been added to resolve potential build failures.

✅ 1 resolved
Bug: Missing test file ExtraService.java will cause test failure

📄 java-checks/src/test/java/org/sonar/java/checks/spring/SpringBeansShouldBeAccessibleCheckTest.java:169
The test testSpringBootApplicationWithMixedScanBasePackageAttributes references mainCodeSourcesPath(testFolder + "extra/ExtraService.java") but the file java-checks-test-sources/default/src/main/java/checks/spring/s4605/springBootApplication/fifthApp/extra/ExtraService.java does not exist in the repository. This will cause the test to fail at runtime when it tries to load the file.