SONARJAVA-6537 Implement rule S8948: "@OneToMany" relationships should use "mappedBy" or "@JoinColumn" #5716

Merged: NoemieBenard merged 9 commits into master from nb/sonarjava-6537-implement-S8948 on Jul 1, 2026
NoemieBenard (Contributor) commented Jun 29, 2026

Summary by Gitar

  • New rule implementation:
    • Implemented S8948 to detect @OneToMany relationships missing mappedBy or @JoinColumn configurations.
    • Added comprehensive test suites for both jakarta.persistence and javax.persistence APIs.
  • Documentation and metadata:
    • Provided full rule specification, including rationale on performance impacts and code examples.
    • Registered S8948 in the Sonar_way quality profile.

This will update automatically on new commits.

hashicorp-vault-sonar-prod Bot (Contributor) commented Jun 29, 2026

SONARJAVA-6537

@NoemieBenard NoemieBenard marked this pull request as ready for review June 30, 2026 08:25

romainbrenguier (Contributor) left a comment

There are a couple of changes to make on the rspec side, otherwise it looks good.

<li>Hibernate ORM User Guide - Associations - <a
href="https://docs.jboss.org/hibernate/orm/6.2/userguide/html_single/Hibernate_User_Guide.html#associations">Comprehensive guide to Hibernate
associations including one-to-many mappings</a></li>
<li>Baeldung - JPA @OneToMany Annotation - <a href="https://www.baeldung.com/jpa-one-to-many">Practical tutorial on using @OneToMany with mappedBy

I get a page not found on this link

<li>Jakarta Persistence Specification - OneToMany - <a
href="https://jakarta.ee/specifications/persistence/3.1/jakarta-persistence-spec-3.1.html#a11914">Official specification for @OneToMany annotation
and its default behavior</a></li>
<li>Hibernate ORM User Guide - Associations - <a

romainbrenguier (Contributor), Jun 30, 2026

The format for the links in documentation should be: - <source> - <url>[<title>]. In this example the title should be Hibernate ORM User Guide.

gitar-bot Bot commented Jul 1, 2026

Code Review 👍 Approved with suggestions 1 resolved / 2 findings

Implements rule S8948 to detect missing 'mappedBy' or '@JoinColumn' in '@OneToMany' relationships, while correctly handling '@JoinTable' annotations. Ensure property-access detection for getters is added to address the current limitation in tree traversal.

💡 Edge Case: Property-access @OneToMany (getter) not detected

📄 java-checks/src/main/java/org/sonar/java/checks/OneToManyMappingCheck.java:41-43

nodesToVisit() returns only Tree.Kind.VARIABLE, so the check only inspects fields. JPA supports both field access and property (getter) access, and @OneToMany legally targets METHOD as well as FIELD. Entities using property access (annotation placed on the getter) will not be analyzed, producing a false negative. If property-access entities are in scope for this rule, also visit Tree.Kind.METHOD and inspect the method's modifiers/annotations. If intentionally out of scope, consider documenting the limitation.

✅ 1 resolved
Edge Case: Explicit @JoinTable on @OneToMany flagged as noncompliant

📄 java-checks/src/main/java/org/sonar/java/checks/OneToManyMappingCheck.java:50-54
The check considers a @OneToMany compliant only when it has mappedBy or a sibling @JoinColumn. A developer who deliberately configures a join table with @JoinTable (a valid, explicit mapping choice) will still be flagged, since neither mappedBy nor @JoinColumn is present. This is a potential false positive: the developer has explicitly chosen the mapping rather than relying on the implicit default the rule targets. Consider treating the presence of @JoinTable on the same field as compliant.

gitar-bot Bot commented Jul 1, 2026

Code Review ✅ Approved 2 resolved / 2 findings

Implements rule S8948 to enforce the use of 'mappedBy' or '@JoinColumn' on '@OneToMany' relationships, resolving issues with false positives on '@JoinTable' and missed property-access annotations.

✅ 2 resolved
Edge Case: Explicit @JoinTable on @OneToMany flagged as noncompliant

📄 java-checks/src/main/java/org/sonar/java/checks/OneToManyMappingCheck.java:50-54
The check considers a @OneToMany compliant only when it has mappedBy or a sibling @JoinColumn. A developer who deliberately configures a join table with @JoinTable (a valid, explicit mapping choice) will still be flagged, since neither mappedBy nor @JoinColumn is present. This is a potential false positive: the developer has explicitly chosen the mapping rather than relying on the implicit default the rule targets. Consider treating the presence of @JoinTable on the same field as compliant.

Edge Case: Property-access @OneToMany (getter) not detected

📄 java-checks/src/main/java/org/sonar/java/checks/OneToManyMappingCheck.java:41-43
nodesToVisit() returns only Tree.Kind.VARIABLE, so the check only inspects fields. JPA supports both field access and property (getter) access, and @OneToMany legally targets METHOD as well as FIELD. Entities using property access (annotation placed on the getter) will not be analyzed, producing a false negative. If property-access entities are in scope for this rule, also visit Tree.Kind.METHOD and inspect the method's modifiers/annotations. If intentionally out of scope, consider documenting the limitation.

sonarqube-next Bot commented Jul 1, 2026

@NoemieBenard NoemieBenard merged commit 601fe28 into master Jul 1, 2026
15 checks passed
@NoemieBenard NoemieBenard deleted the nb/sonarjava-6537-implement-S8948 branch July 1, 2026 13:46
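
The two edge cases raised in the review above (an explicit @JoinTable counts as compliant; annotations on getters are inspected as well as fields), as an added example that is not part of this pull request or of SonarJava. It assumes stand-in annotations declared in the file instead of jakarta.persistence, uses reflection rather than the analyzer's syntax tree, and the names OneToManyMappingDemo, needsExplicitMapping and findings are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;
public class OneToManyMappingDemo {
  // Stand-ins for the jakarta.persistence annotations (hypothetical, JDK-only).
  @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.FIELD, ElementType.METHOD})
  @interface OneToMany { String mappedBy() default ""; }
  @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.FIELD, ElementType.METHOD})
  @interface JoinColumn { String name() default ""; }
  @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.FIELD, ElementType.METHOD})
  @interface JoinTable { String name() default ""; }
  // Constructed sample entity using field access.
  static class FieldAccess {
    @OneToMany List<String> implicitDefault;                          // reported
    @OneToMany(mappedBy = "owner") List<String> inverseSide;          // not reported
    @OneToMany @JoinColumn(name = "owner_id") List<String> viaFk;     // not reported
    @OneToMany @JoinTable(name = "owner_item") List<String> viaTable; // not reported: explicit choice
  }

  // Constructed sample entity using property access (annotations on getters).
  static class PropertyAccess {
    @OneToMany public List<String> getItems() { return List.of(); }                     // reported
    @OneToMany(mappedBy = "owner") public List<String> getOwned() { return List.of(); } // not reported
  }

  // True when @OneToMany is present with no mappedBy, @JoinColumn or @JoinTable.
  static boolean needsExplicitMapping(AnnotatedElement member) {
    OneToMany rel = member.getAnnotation(OneToMany.class);
    return rel != null && rel.mappedBy().isEmpty()
        && !member.isAnnotationPresent(JoinColumn.class)
        && !member.isAnnotationPresent(JoinTable.class);
  }

  // Inspects fields and methods; a fields-only pass would miss PropertyAccess.getItems().
  static List<String> findings(Class<?> entity) {
    List<String> out = new ArrayList<>();
    for (Field f : entity.getDeclaredFields())
      if (needsExplicitMapping(f)) out.add(entity.getSimpleName() + "." + f.getName());
    for (Method m : entity.getDeclaredMethods())
      if (needsExplicitMapping(m)) out.add(entity.getSimpleName() + "." + m.getName() + "()");
    Collections.sort(out);
    return out;
  }

  public static void main(String[] args) {
    System.out.println(findings(FieldAccess.class));
    System.out.println(findings(PropertyAccess.class));
  }
}
```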