Skip to content

SONARJAVA-4926: Use secondary locations for class-level @Transactional issues#5786

Open
romainbrenguier wants to merge 3 commits into
masterfrom
romain/S8989-secondary
Open

SONARJAVA-4926: Use secondary locations for class-level @Transactional issues#5786
romainbrenguier wants to merge 3 commits into
masterfrom
romain/S8989-secondary

Conversation

@romainbrenguier

@romainbrenguier romainbrenguier commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Improves the reporting of S8989 (TransactionalMethodCheckedExceptionCheck) when a @Transactional annotation is at the class level.

Problem

When a @Transactional annotation is on a class and multiple methods throw checked exceptions without rollback configuration, the previous implementation raised multiple issues on the same annotation, which was confusing.

Solution

Instead of raising multiple issues on the annotation:

  • Report the issue on each affected method name (primary location)
  • Show the class-level annotation as a secondary location
  • Provide a clearer message indicating the configuration needs to be added to the class-level annotation

This makes it immediately clear:

  1. Which methods are affected
  2. Where the fix needs to be applied (the class-level annotation)
  3. That the issue applies to multiple methods

Example

Before:

@Transactional // Noncompliant (raised multiple times)
class MyService {
    public void method1() throws IOException { }
    public void method2() throws SQLException { }
}

After:

@Transactional
class MyService {
    public void method1() throws IOException { } // Noncompliant: Specify rollback behavior on the class-level @Transactional
    //          ^^^^^^^ (with secondary location pointing to @Transactional)
    
    public void method2() throws SQLException { } // Noncompliant: Specify rollback behavior on the class-level @Transactional
    //          ^^^^^^^ (with secondary location pointing to @Transactional)
}

Testing

  • All existing tests pass
  • Test file updated to verify new behavior with secondary locations

🤖 Generated with Claude Code


Summary by Gitar

  • Check logic improvement:
    • Updated TransactionalMethodCheckedExceptionCheck to identify and report issues on the affected method name when @Transactional is class-level.
    • Added a secondary location pointing to the class-level @Transactional annotation to clarify where configuration is required.
  • Testing updates:
    • Refactored TransactionalMethodCheckedExceptionCheckSample to include secondary location metadata in existing test cases.
  • Miscellaneous:
    • Added boilerplate configuration files (sonar_code_context.mdc, SONAR.md, settings.json) to the repository.

This will update automatically on new commits.

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

SONARJAVA-4926

Comment thread .gitignore Outdated
@romainbrenguier romainbrenguier force-pushed the romain/S8989-secondary branch from d4c4d27 to 7563d81 Compare July 14, 2026 08:55
@gitar-bot

gitar-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown
Code Review 👍 Approved with suggestions 1 resolved / 2 findings

Refactors S8989 to report issues on individual methods with secondary locations pointing to the class-level @Transactional annotation. Please remove the unrelated tool-specific entries added to .gitignore.

💡 Quality: .gitignore adds unrelated tool-specific entries

📄 .gitignore:42-46

The second commit adds .sonar-code-context/ ignore rules that are unrelated to the S8989 reporting change and appear to leak a local tool/IDE configuration into the shared repository. Consider dropping this from the PR or moving it to a global/personal gitignore unless the team has agreed to track this tool config.

✅ 1 resolved
Bug: Secondary-location markers are never verified in tests

📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:105-107 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:140-142 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:154-156
The updated tests declare the class-level secondary location as standalone comments // [[secondary=+2]] on the annotation line, with no // Noncompliant on that line (e.g. lines 105, 140, 154). In the verifier, collectExpectedIssues only builds an expected-issue (and its secondary attribute) from comments matching the //\s+Noncompliant pattern; a comment containing only [[secondary=...]] is ignored. Since the verifier only checks secondaries that are declared, the secondary location — the central feature of this PR — is silently unverified. Move the declaration onto the Noncompliant comment on the method line with a negative offset, e.g. // Noncompliant [[secondary=-2]] {{...}}.

🤖 Prompt for agents
Code Review: Refactors S8989 to report issues on individual methods with secondary locations pointing to the class-level @Transactional annotation. Please remove the unrelated tool-specific entries added to .gitignore.

1. 💡 Quality: .gitignore adds unrelated tool-specific entries
   Files: .gitignore:42-46

   The second commit adds `.sonar-code-context/` ignore rules that are unrelated to the S8989 reporting change and appear to leak a local tool/IDE configuration into the shared repository. Consider dropping this from the PR or moving it to a global/personal gitignore unless the team has agreed to track this tool config.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

romainbrenguier and others added 3 commits July 14, 2026 13:15
…issues

When a @transactional annotation is on a class and multiple methods throw
checked exceptions without rollback configuration, instead of raising
multiple issues on the same annotation, we now:
- Report the issue on each affected method name (primary location)
- Show the class-level annotation as a secondary location
- Provide a clearer message indicating the configuration needs to be
  added to the class-level annotation

This makes it clearer which methods are affected and where the fix needs
to be applied.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Now all issues have a secondary location pointing to the @transactional
annotation that needs to be configured, making it immediately clear where
the fix should be applied.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The Noncompliant comment format requires custom messages to be on a
separate line when used with secondary locations.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@romainbrenguier romainbrenguier force-pushed the romain/S8989-secondary branch from d7adc70 to 2e65d04 Compare July 14, 2026 11:15
@gitar-bot

gitar-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown
Code Review ✅ Approved 2 resolved / 2 findings

Refactors S8989 to report issues on individual methods with class-level secondary locations, resolving the previous issue of repetitive reporting. Test validation for secondary location markers has been successfully implemented.

✅ 2 resolved
Bug: Secondary-location markers are never verified in tests

📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:105-107 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:140-142 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:154-156
The updated tests declare the class-level secondary location as standalone comments // [[secondary=+2]] on the annotation line, with no // Noncompliant on that line (e.g. lines 105, 140, 154). In the verifier, collectExpectedIssues only builds an expected-issue (and its secondary attribute) from comments matching the //\s+Noncompliant pattern; a comment containing only [[secondary=...]] is ignored. Since the verifier only checks secondaries that are declared, the secondary location — the central feature of this PR — is silently unverified. Move the declaration onto the Noncompliant comment on the method line with a negative offset, e.g. // Noncompliant [[secondary=-2]] {{...}}.

Quality: .gitignore adds unrelated tool-specific entries

📄 .gitignore:42-46
The second commit adds .sonar-code-context/ ignore rules that are unrelated to the S8989 reporting change and appear to leak a local tool/IDE configuration into the shared repository. Consider dropping this from the PR or moving it to a global/personal gitignore unless the team has agreed to track this tool config.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

@gitar-bot

gitar-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown
Code Review ✅ Approved 2 resolved / 2 findings

Refactors S8989 to report issues on individual methods with class-level secondary locations, resolving the previous issue of repetitive reporting. Test validation for secondary location markers has been successfully implemented.

✅ 2 resolved
Bug: Secondary-location markers are never verified in tests

📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:105-107 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:140-142 📄 java-checks-test-sources/default/src/main/java/checks/spring/TransactionalMethodCheckedExceptionCheckSample.java:154-156
The updated tests declare the class-level secondary location as standalone comments // [[secondary=+2]] on the annotation line, with no // Noncompliant on that line (e.g. lines 105, 140, 154). In the verifier, collectExpectedIssues only builds an expected-issue (and its secondary attribute) from comments matching the //\s+Noncompliant pattern; a comment containing only [[secondary=...]] is ignored. Since the verifier only checks secondaries that are declared, the secondary location — the central feature of this PR — is silently unverified. Move the declaration onto the Noncompliant comment on the method line with a negative offset, e.g. // Noncompliant [[secondary=-2]] {{...}}.

Quality: .gitignore adds unrelated tool-specific entries

📄 .gitignore:42-46
The second commit adds .sonar-code-context/ ignore rules that are unrelated to the S8989 reporting change and appear to leak a local tool/IDE configuration into the shared repository. Consider dropping this from the PR or moving it to a global/personal gitignore unless the team has agreed to track this tool config.

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change the behavior for this request:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

@romainbrenguier romainbrenguier marked this pull request as ready for review July 14, 2026 12:08
@sonarqube-next

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant