sonarqube + lombok = false positives

I'm using sonar-maven-plugin 3.4.0.905, lombok 1.16.18, with SonarQube CE Server v8.3.1.

I resolved the issue by adding <sonar.java.libraries>target/classes</sonar.java.libraries> to the POM properties.

I added following property to Sonar analysis properties file. And it works for me.

sonar.java.libraries=${env.HOME}/.m2/repository/org/projectlombok/lombok/**/*.jar

lombok v1.16.20 is lombok version on my project.

This case should be perfectly handled by SonarJava. Lombok annotations are taken into account at least since version 3.14 (SONARJAVA-1642). The issues you are getting are resulting from a misconfiguration of your Java project. No need to write any custom rules to handle this, this is natively supported by the analyzer.

SonarJava reads bytecode to know which annotation are used. Consequently, if you are not providing bytecode from your dependencies, on top of bytecode from your own code, the analyzer will behave erratically.

In particular, setting property sonar.java.libraries should solve your issue. Note that this property is normally automatically set when using SonarQube maven or gradle scanners.

Please have a look at documentation in order to correctly configure your project: https://docs.sonarqube.org/display/PLUG/Java+Plugin+and+Bytecode