Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Filtered: 49 rules found

spring

Impact

Clean code attribute

Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract
Code Smell
Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
Code Smell
@EventListener methods should have one parameter at most
Bug
"@Scheduled" annotation should only be applied to no-arg methods
Bug
@InitBinder methods should have void return type
Code Smell
"@Cache*" annotations should only be applied on concrete classes
Code Smell
@Cacheable and @CachePut should not be combined
Code Smell
Injecting data into static fields is not supported by Spring
Code Smell
Use appropriate @DirtiesContext modes
Code Smell
Set appropriate Status Codes on HTTP responses
Bug
Beans in "@Configuration" class should have different names
Bug
SpEL expression should have a valid syntax
Bug
"@PathVariable" annotation should be present if a path variable is used
Bug
"@Bean" methods for Singleton should not be invoked in "@Configuration" when proxyBeanMethods is false
Bug
Superfluous "@ResponseBody" annotations should be removed
Code Smell
"@Controller" should be replaced with "@RestController"
Code Smell
Non-singleton Spring beans should not be injected into singleton beans
Code Smell
"@Qualifier" should not be used on "@Bean" methods
Bug
Bean names should adhere to the naming conventions
Code Smell
"@Autowired" should be used when multiple constructors are provided
Code Smell
"@Autowired" should only be used on a single constructor
Bug
Use of the "@Async" annotation on methods declared within a "@Configuration" class in Spring Boot
Bug
Nullable injected fields and parameters should provide a default value
Bug
"@Value" annotation should inject property or SpEL expression
Code Smell
Spring's ModelAndViewAssert assertions should be used instead of other assertions
Code Smell
A new session should be created during user authentication
Vulnerability
Allowing user enumeration is security-sensitive
Security Hotspot
OpenSAML2 should be configured to prevent authentication bypass
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Persistent entities should not be used as arguments of "@RequestMapping" methods
Vulnerability
Spring beans should be considered by "@ComponentScan"
Code Smell
"@SpringBootApplication" and "@ComponentScan" should not be used in the default package
Bug
"HttpSecurity" URL patterns should be correctly ordered
Vulnerability
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Composed "@RequestMapping" variants should be preferred
Code Smell
Spring components should use constructor injection
Code Smell
"@Controller" classes that use "@SessionAttributes" must call "setComplete" on their "SessionStatus" objects
Bug
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
"@RequestMapping" methods should not be "private"
Code Smell
Spring "@Controller" classes should not use "@Scope"
Bug
Members of Spring components should be injected
Code Smell
Constructor injection should be used instead of field injection
Bug
Factory method injection should be used in "@Configuration" classes
Code Smell
Methods with Spring proxying annotations should be public
Bug
Methods should not call same-class methods with incompatible "@Transactional" values
Bug
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot

Methods with Spring proxying annotations should be public

consistency - conventional

reliability

Bug

spring

Why is this an issue?

Exceptions

How can I fix it?

More Info

Marking a non-public method @Async or @Transactional is misleading because, up to version 5, Spring does not recognize non-public methods, and so makes no provision for their proper invocation. Nor does Spring make provision for the methods invoked by the method it called. Since Spring 6, protected and package-private methods can be handled, but the issue remains for private methods.

Therefore, marking a private method, for instance, @Transactional gives a false sense of security, and can lead to incorrect assumptions and potential bugs.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted