
SONARJAVA-6493 Implement rule S8913: REST Data with Panache resource interfaces should not have implementation classes#5708

Draft
romainbrenguier wants to merge 7 commits into master from new-rule/SONARJAVA-6493-S8913

Conversation

@romainbrenguier

Contributor

Implements rule S8913: REST Data with Panache resource interfaces should not have implementation classes.

Summary

  • Adds RestDataPanacheResourceImplementationCheck that detects classes implementing Quarkus REST Data with Panache resource interfaces (PanacheEntityResource, PanacheRepositoryResource, PanacheMongoEntityResource, PanacheMongoRepositoryResource)
  • Reports an issue when such implementation classes are found, since Quarkus silently ignores them and generates the resource implementation automatically
  • Adds rule metadata (S8913.html, S8913.json) and registers the rule in the Sonar Way quality profile
  • Fixes Java release version in test source pom.xml files from 26 to 21
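The pattern the rule targets, as an added illustration that is not code from this PR or from the Quarkus project: a resource interface extending `PanacheEntityResource`, a default method on that interface (the way the linked Quarkus guide says custom endpoints should be added), and an implementation class that Quarkus's build-time generation never instantiates. The Quarkus package names, the `get(Long)` method of `PanacheEntityResource`, and the `Person`/`PersonResource` names are assumptions, not taken from the page.

```java
// Added example (not from the PR): the noncompliant and compliant shapes of
// a REST Data with Panache resource. Package names and the get(ID) method of
// PanacheEntityResource are assumed from the Quarkus extension, not from the page.
import io.quarkus.hibernate.orm.panache.PanacheEntity;
import io.quarkus.hibernate.orm.rest.data.panache.PanacheEntityResource;
import jakarta.persistence.Entity;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import java.util.List;

// A Panache entity; the active-record base class supplies findById/list.
@Entity
class Person extends PanacheEntity {
    public String name;
}

// The resource interface. Quarkus generates the Jakarta REST implementation
// for this interface at build time; nothing else needs to be written.
public interface PersonResource extends PanacheEntityResource<Person, Long> {

    // Compliant: a custom endpoint is added as a default method on the
    // interface, so it becomes part of the generated resource.
    @GET
    @Path("/by-name/{name}")
    default List<Person> byName(@PathParam("name") String name) {
        return Person.list("name", name);
    }
}

// Noncompliant (what S8913 reports): this class implements an interface that
// extends PanacheEntityResource. Quarkus ignores it silently, so the override
// below never runs and the generated get(id) is served instead.
class PersonResourceImpl implements PersonResource {

    @Override
    public Person get(Long id) {
        // Dead code at runtime: no build error, no warning, just never called.
        return Person.findById(id);
    }
}
```

The detection condition the PR description states follows directly from this: an issue belongs on `PersonResourceImpl` (a class whose type is a subtype of one of the four Panache resource interfaces), not on `PersonResource` (an interface, which is the supported extension point).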

romainbrenguier and others added 3 commits June 26, 2026 19:05
Detect when classes implement interfaces extending Quarkus REST Data with
Panache resource interfaces (PanacheEntityResource, PanacheRepositoryResource,
PanacheMongoEntityResource, PanacheMongoRepositoryResource). These implementations
are silently ignored by Quarkus's code generation mechanism, leading to wasted
development effort and confusion.

Fix Java release version in test source pom.xml files from 26 to 21.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit contains partial work that failed to complete.
Continuing with SA-CI and PR creation.
@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented Jun 28, 2026

Contributor

SONARJAVA-6493

Comment on lines +1 to +15
<p>=== Documentation

* Quarkus - Generating Jakarta REST resources with Panache - https://quarkus.io/guides/rest-data-panache[Official Quarkus documentation on REST Data with Panache, including how to properly use resource interfaces and add custom methods]

* Quarkus - Adding additional methods to the generated resource - https://quarkus.io/guides/rest-data-panache#adding-additional-methods-to-the-generated-resource[Specific section on how to correctly add custom methods using default interface methods]


=== What is the potential impact?

This issue leads to wasted development effort and potential confusion when debugging. Developers may spend time writing and maintaining implementation code that has no effect on the application's behavior. The silent nature of this problem makes it particularly problematic, as there are no build-time errors or runtime warnings to indicate that the custom implementation is being ignored.

While this is not a security or data integrity issue, it can delay development and lead to frustration when custom business logic doesn't execute as expected.

This rule raises an issue when a class implements an interface that extends one of the framework's provided base resource interfaces for REST endpoints with built-in database entity operations.


⚠️ Quality: S8913.html is malformed: AsciiDoc inside a single <p> tag

The new rule description S8913.html is not valid rule HTML. The entire content is wrapped in one <p> tag and uses AsciiDoc markup (=== Documentation, == Why is this an issue?, * bullets, -- lists) instead of HTML tags. Every other rule file in this directory (e.g. S100.html starts with <h2>Why is this an issue?</h2>) uses real HTML (<h2>, <ul>, <li>, <pre>, <code>). Consequences: the page will render as one unformatted blob in the SonarQube UI, the section order is wrong ("Documentation" and "What is the potential impact?" appear before "Why is this an issue?"), and the rule-description validation/integration tests that enforce the standard section structure will likely fail. Rewrite the file using the standard HTML structure: a leading <h2>Why is this an issue?</h2> section, then <h3>What is the potential impact?</h3>, code samples in <pre>, and a <h3>Resources</h3>/<ul> block for the documentation links.


Comment thread java-checks-test-sources/default/pom.xml Outdated
import org.sonar.plugins.java.api.semantic.Type;
import org.sonar.plugins.java.api.tree.ClassTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.TypeTree;


💡 Quality: Unused import TypeTree in new check

RestDataPanacheResourceImplementationCheck imports org.sonar.plugins.java.api.tree.TypeTree (line 26) but never uses it. This will be flagged by the project's own unused-import rule and may break the build under strict compiler settings. Remove the unused import.

Drop the unused TypeTree import:

import org.sonar.plugins.java.api.tree.ClassTree;
import org.sonar.plugins.java.api.tree.Tree;


romainbrenguier and others added 4 commits June 29, 2026 09:30
Revert pom.xml changes that added --enable-preview to compilerArgs
and changed release from 26 to 21. Using --enable-preview requires
the release version to match the JDK version (26), so this combination
is invalid and caused a build failure.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Removed invalid `--enable-preview` compiler arg and `<excludes>` block from `java-checks-test-sources/default/pom.xml`, and restored `<release>26</release>` (from 21), fixing a compilation failure that prevented `package-info.class` files from being generated, which caused `JSymbolMetadataTest` package-level nullability tests to fail with `NO_ANNOTATION` instead of the expected `NON_NULL`/`WEAK_NULLABLE`.
- Reverted pom.xml to remove --enable-preview from compilerArgs and restore <release>26</release>, fixing invalid combination that caused compilation failure on JDK 26
- Reverted invalid pom.xml changes in java-checks-test-sources/default that set --enable-preview with release 21 (incompatible with JDK 26), restoring the original release 26 compiler configuration without the preview flag
- Reverted pom.xml to remove --enable-preview from compiler args and restored release 26, as --enable-preview requires the release to match the JDK version (26) and cannot be used with release 21
…tionCheckSample.java by making Person extend PanacheEntityBase, PersonRepository implement PanacheRepositoryBase, and adding separate MongoPerson/MongoPersonRepository classes extending the MongoDB Panache base classes, satisfying the generic type bounds of the Panache REST resource interfaces.
- Fixed numeric ordering of rules in Sonar_way_profile.json (S899 was misplaced at the end due to lexicographic sorting instead of numeric)
- Added missing diff_S8913.json to its/autoscan/src/test/resources/autoscan/diffs/ to register expected autoscan behavior (hasTP=false, FN=6, FP=0) for the new S8913 rule
@gitar-bot

gitar-bot Bot commented Jun 29, 2026

Code Review ⚠️ Changes requested 1 resolved / 3 findings

Implements rule S8913 to flag prohibited REST Data with Panache implementation classes, but the rule description file is malformed and an unused import remains in the check.

⚠️ Quality: S8913.html is malformed: AsciiDoc inside a single <p> tag

📄 sonar-java-plugin/src/main/resources/org/sonar/l10n/java/rules/java/S8913.html:1-15

The new rule description S8913.html is not valid rule HTML. The entire content is wrapped in one <p> tag and uses AsciiDoc markup (=== Documentation, == Why is this an issue?, * bullets, -- lists) instead of HTML tags. Every other rule file in this directory (e.g. S100.html starts with <h2>Why is this an issue?</h2>) uses real HTML (<h2>, <ul>, <li>, <pre>, <code>). Consequences: the page will render as one unformatted blob in the SonarQube UI, the section order is wrong ("Documentation" and "What is the potential impact?" appear before "Why is this an issue?"), and the rule-description validation/integration tests that enforce the standard section structure will likely fail. Rewrite the file using the standard HTML structure: a leading <h2>Why is this an issue?</h2> section, then <h3>What is the potential impact?</h3>, code samples in <pre>, and a <h3>Resources</h3>/<ul> block for the documentation links.

💡 Quality: Unused import TypeTree in new check

📄 java-checks/src/main/java/org/sonar/java/checks/RestDataPanacheResourceImplementationCheck.java:26

RestDataPanacheResourceImplementationCheck imports org.sonar.plugins.java.api.tree.TypeTree (line 26) but never uses it. This will be flagged by the project's own unused-import rule and may break the build under strict compiler settings. Remove the unused import.

Drop the unused TypeTree import:
import org.sonar.plugins.java.api.tree.ClassTree;
import org.sonar.plugins.java.api.tree.Tree;
✅ 1 resolved
Quality: Unrelated --enable-preview and excludes added to default pom.xml

📄 java-checks-test-sources/default/pom.xml:1056-1070
Beyond the documented <release>26</release> → 21 fix, the default test-sources pom.xml also gains <arg>--enable-preview</arg> and a large new <excludes> list. These changes are unrelated to the S8913 Quarkus rule and the new sample (RestDataPanacheResourceImplementationCheckSample.java) uses no preview features. Enabling --enable-preview is risky: javac requires the compiling JDK's major version to exactly match --release (21), so on any other JDK the test-sources build will fail; it also opts all sources in this module into preview semantics. Combined with the PR title noting only a 26→21 fix and the WIP commit message ("incomplete after 5 attempts"), this looks like leftover experimental configuration. Please confirm the --enable-preview flag and the exclude list are intentional, or revert them.



@sonarqube-next


Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube

