SonarSource/sonar-java

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

62 of your 143 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 11.32s · analysis 23.99s · 27.2 MB · GitHub API rate-limit (preflight)

https://github.com/SonarSource/sonar-java · scanned 2026-06-05 13:24 UTC (5 days, 7 hours ago) · 10 languages

240 raw signals (132 security + 108 graph) 11/13 scanners ran 86th percentile · Java · large (100-500K LoC) System graph score 77 (higher by 6)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 5 days, 7 hours ago · v2 · 69 actionable findings from 2 signal sources. 117 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

100.0% cov · 21 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	60.0	0.15	9.00
`security_score`	100.0	0.25	25.00
`testing_score`	80.0	0.20	16.00
`documentation_score`	81.0	0.15	12.15
`practices_score`	86.0	0.15	12.90
`code_quality`	80.0	0.10	8.00
Overall		1.00	83.0

security_score may be inflated — optional security scanners were skipped on this fast scan

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 5 High 14 Medium 15 Low 11 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 48 System graph 21 Crowd 0 Layer: Quality 33 Security 24 Software 7 Cicd 3 Api 1 Frontend 1

Exclude dismissed / FP Exclude test files

All 8370 nodes from the latest scan, grouped by kind. Each node is a unit the engine identified (file, function, endpoint, table…). Most users won't need this view — it's primarily for debugging the engine's graph extraction or for AI agents that want to enumerate the project structure.

Label	Layer	Status	Path
`pom.xml`	software	healthy	`pom.xml`
`README.md`	software	healthy	`README.md`
`sonarpedia.json`	software	healthy	`sonarpedia.json`
`mise.toml`	software	healthy	`mise.toml`
`PULL_REQUEST_TEMPLATE.md`	software	healthy	`PULL_REQUEST_TEMPLATE.md`
`CONTRIBUTING.md`	software	healthy	`CONTRIBUTING.md`
`SECURITY.md`	software	healthy	`SECURITY.md`
`pom.xml`	software	healthy	`java-jsp/pom.xml`
`JasperOptionsTest.java`	software	healthy	`java-jsp/src/test/java/org/sonar/java/jsp/JasperOptionsTest…`
`JasperTest.java`	software	healthy	`java-jsp/src/test/java/org/sonar/java/jsp/JasperTest.java`
`Jasper.java`	software	healthy	`java-jsp/src/main/java/org/sonar/java/jsp/Jasper.java`
`JasperOptions.java`	software	healthy	`java-jsp/src/main/java/org/sonar/java/jsp/JasperOptions.java`
`package-info.java`	software	healthy	`java-jsp/src/main/java/org/sonar/java/jsp/package-info.java`
`pom.xml`	software	healthy	`java-checks-testkit/pom.xml`
`UndefinedRemediationFunc_java.json`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`ExponentialRemediationFunc_java.json`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`ConstantJSON_java.json`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`LinearJSON_java.json`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`BrokenJSON_java.json`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`JavaCheckVerifierFlowsExplicitOrder.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsEx…`
`JavaCheckVerifierParsingIssue.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierParsing…`
`JavaCheckVerifierFlows.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlows.j…`
`JavaCheckVerifierNoIssue.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierNoIssue…`
`JavaCheckVerifierFlowsImplicitOrder.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsIm…`
`JavaCheckVerifierIncorrectAttribute.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`JavaCheckVerifierFlowsWithSameLines2.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsWi…`
`JavaCheckVerifierFlowsSuperfluous.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsSu…`
`JavaCheckVerifierFlowsWithSameLines.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsWi…`
`JavaCheckVerifierIncorrectAttribute2.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`JavaCheckVerifierIncorrectSecondaryLocation.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`JavaCheckVerifier.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifier.java`
`JavaCheckVerifierFlowsMixedExplicitOrder.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsMi…`
`JavaCheckVerifierNoCost.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierNoCost.…`
`JavaCheckVerifierIncorrectEndLine.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`JavaCheckVerifierFlowsDuplicateExplicitOrder.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierFlowsDu…`
`JavaCheckVerifierIncorrectShift.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`JavaCheckVerifierIncorrectSecondaryLocation2.java`	software	healthy	`java-checks-testkit/src/test/files/JavaCheckVerifierIncorre…`
`IssueWithTwoQuickFixes.java`	software	healthy	`java-checks-testkit/src/test/files/testing/IssueWithTwoQuic…`
`Noncompliant.java`	software	healthy	`java-checks-testkit/src/test/files/testing/Noncompliant.java`
`IssueWithNoQuickFixExpected.java`	software	healthy	`java-checks-testkit/src/test/files/testing/IssueWithNoQuick…`
`ParsingError.java`	software	healthy	`java-checks-testkit/src/test/files/testing/ParsingError.java`
`NeedJava19PreviewFeaturesEnabled.java`	software	healthy	`java-checks-testkit/src/test/files/testing/NeedJava19Previe…`
`NeedJava21PreviewFeaturesEnabled.java`	software	healthy	`java-checks-testkit/src/test/files/testing/NeedJava21Previe…`
`MultipleIssuesSameLine.java`	software	healthy	`java-checks-testkit/src/test/files/testing/MultipleIssuesSa…`
`Compliant2.java`	software	healthy	`java-checks-testkit/src/test/files/testing/Compliant2.java`
`IssueWithQuickFix.java`	software	healthy	`java-checks-testkit/src/test/files/testing/IssueWithQuickFi…`
`IssueWithQuickFixMultipleLine.java`	software	healthy	`java-checks-testkit/src/test/files/testing/IssueWithQuickFi…`
`MultiVariableDeclaration.java`	software	healthy	`java-checks-testkit/src/test/files/testing/MultiVariableDec…`
`Compliant.java`	software	healthy	`java-checks-testkit/src/test/files/testing/Compliant.java`
`Noncompliant2.java`	software	healthy	`java-checks-testkit/src/test/files/testing/Noncompliant2.ja…`

Showing first 50 of this kind. Full payload available via the JSON button at the top of the page.

Label	Layer	Status	Path
`java-jsp`	software	healthy	`java-jsp`
`src`	software	healthy	`java-jsp/src`
`test`	software	healthy	`java-jsp/src/test`
`java`	software	healthy	`java-jsp/src/test/java`
`org`	software	healthy	`java-jsp/src/test/java/org`
`sonar`	software	healthy	`java-jsp/src/test/java/org/sonar`
`java`	software	healthy	`java-jsp/src/test/java/org/sonar/java`
`jsp`	software	healthy	`java-jsp/src/test/java/org/sonar/java/jsp`
`main`	software	healthy	`java-jsp/src/main`
`java`	software	healthy	`java-jsp/src/main/java`
`org`	software	healthy	`java-jsp/src/main/java/org`
`sonar`	software	healthy	`java-jsp/src/main/java/org/sonar`
`java`	software	healthy	`java-jsp/src/main/java/org/sonar/java`
`jsp`	software	healthy	`java-jsp/src/main/java/org/sonar/java/jsp`
`java-checks-testkit`	software	healthy	`java-checks-testkit`
`src`	software	healthy	`java-checks-testkit/src`
`test`	software	healthy	`java-checks-testkit/src/test`
`resources`	software	healthy	`java-checks-testkit/src/test/resources`
`org`	software	healthy	`java-checks-testkit/src/test/resources/org`
`sonar`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar`
`l10n`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n`
`java`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java`
`rules`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`java`	software	healthy	`java-checks-testkit/src/test/resources/org/sonar/l10n/java/…`
`files`	software	healthy	`java-checks-testkit/src/test/files`
`testing`	software	healthy	`java-checks-testkit/src/test/files/testing`
`java-check-verifier`	software	healthy	`java-checks-testkit/src/test/files/java-check-verifier`
`internal`	software	healthy	`java-checks-testkit/src/test/files/internal`
`dummy-module`	software	healthy	`java-checks-testkit/src/test/files/dummy-module`
`java`	software	healthy	`java-checks-testkit/src/test/java`
`org`	software	healthy	`java-checks-testkit/src/test/java/org`
`sonar`	software	healthy	`java-checks-testkit/src/test/java/org/sonar`
`java`	software	healthy	`java-checks-testkit/src/test/java/org/sonar/java`
`checks`	software	healthy	`java-checks-testkit/src/test/java/org/sonar/java/checks`
`verifier`	software	healthy	`java-checks-testkit/src/test/java/org/sonar/java/checks/ver…`
`internal`	software	healthy	`java-checks-testkit/src/test/java/org/sonar/java/checks/ver…`
`main`	software	healthy	`java-checks-testkit/src/main`
`java`	software	healthy	`java-checks-testkit/src/main/java`
`org`	software	healthy	`java-checks-testkit/src/main/java/org`
`sonar`	software	healthy	`java-checks-testkit/src/main/java/org/sonar`
`java`	software	healthy	`java-checks-testkit/src/main/java/org/sonar/java`
`checks`	software	healthy	`java-checks-testkit/src/main/java/org/sonar/java/checks`
`verifier`	software	healthy	`java-checks-testkit/src/main/java/org/sonar/java/checks/ver…`
`internal`	software	healthy	`java-checks-testkit/src/main/java/org/sonar/java/checks/ver…`
`java-checks-common`	software	healthy	`java-checks-common`
`src`	software	healthy	`java-checks-common/src`
`test`	software	healthy	`java-checks-common/src/test`
`resources`	software	healthy	`java-checks-common/src/test/resources`
`files`	software	healthy	`java-checks-common/src/test/files`
`checks`	software	healthy	`java-checks-common/src/test/files/checks`

Showing first 50 of this kind. Full payload available via the JSON button at the top of the page.

Label	Layer	Status	Path
`PullRequestCreated_job`	cicd	healthy	`.github/workflows/PullRequestCreated.yml`
`rule-metadata-update`	cicd	healthy	`.github/workflows/UpdateRuleMetadata.yml`
`release`	cicd	healthy	`.github/workflows/automated-release.yml`
`cleanup`	cicd	healthy	`.github/workflows/pr-cleanup.yml`
`PullRequestMerged_job`	cicd	healthy	`.github/workflows/PullRequestClosed.yml`
`releasability-job`	cicd	healthy	`.github/workflows/releasability.yaml`
`SubmitReview_job`	cicd	healthy	`.github/workflows/SubmitReview.yml`
`ToggleLockBranch_job`	cicd	healthy	`.github/workflows/ToggleLockBranch.yml`
`unified-platform-dogfooding`	cicd	healthy	`.github/workflows/unified-dogfooding.yml`
`Next-Iteration-Job`	cicd	healthy	`.github/workflows/PrepareNextIteration.yml`
`cleanup`	cicd	healthy	`.github/workflows/cleanup-cache.yml`
`dogfood_merge`	cicd	healthy	`.github/workflows/dogfood.yml`
`stale`	cicd	healthy	`.github/workflows/mark-prs-stale.yml`
`release`	cicd	healthy	`.github/workflows/release.yml`
`releasability-status`	cicd	healthy	`.github/workflows/ReleasabilityCheck.yml`
`build`	cicd	healthy	`.github/workflows/build.yml`
`ruling-qa`	cicd	healthy	`.github/workflows/build.yml`
`plugin-qa`	cicd	healthy	`.github/workflows/build.yml`
`sanity`	cicd	healthy	`.github/workflows/build.yml`
`test-analyze`	cicd	healthy	`.github/workflows/build.yml`
`custom-rules-license-check`	cicd	healthy	`.github/workflows/build.yml`
`autoscan`	cicd	healthy	`.github/workflows/build.yml`
`qa-os-win`	cicd	healthy	`.github/workflows/build.yml`
`promote`	cicd	healthy	`.github/workflows/build.yml`
`RequestReview_job`	cicd	healthy	`.github/workflows/RequestReview.yml`

Label	Layer	Status	Path
`gha::PullRequestCreated`	cicd	healthy	`.github/workflows/PullRequestCreated.yml`
`gha::UpdateRuleMetadata`	cicd	healthy	`.github/workflows/UpdateRuleMetadata.yml`
`gha::automated-release`	cicd	healthy	`.github/workflows/automated-release.yml`
`gha::pr-cleanup`	cicd	healthy	`.github/workflows/pr-cleanup.yml`
`gha::PullRequestClosed`	cicd	healthy	`.github/workflows/PullRequestClosed.yml`
`gha::releasability`	cicd	healthy	`.github/workflows/releasability.yaml`
`gha::SubmitReview`	cicd	healthy	`.github/workflows/SubmitReview.yml`
`gha::ToggleLockBranch`	cicd	healthy	`.github/workflows/ToggleLockBranch.yml`
`gha::unified-dogfooding`	cicd	healthy	`.github/workflows/unified-dogfooding.yml`
`gha::PrepareNextIteration`	cicd	healthy	`.github/workflows/PrepareNextIteration.yml`
`gha::cleanup-cache`	cicd	healthy	`.github/workflows/cleanup-cache.yml`
`gha::dogfood`	cicd	healthy	`.github/workflows/dogfood.yml`
`gha::mark-prs-stale`	cicd	healthy	`.github/workflows/mark-prs-stale.yml`
`gha::release`	cicd	healthy	`.github/workflows/release.yml`
`gha::ReleasabilityCheck`	cicd	healthy	`.github/workflows/ReleasabilityCheck.yml`
`gha::build`	cicd	healthy	`.github/workflows/build.yml`
`gha::RequestReview`	cicd	healthy	`.github/workflows/RequestReview.yml`

Label	Layer	Status	Path
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/HardC…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`password_literal::java-checks-test-sources/default/src/main…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`password_literal::java-checks/src/main/java/org/sonar/java/…`	security	healthy	`java-checks/src/main/java/org/sonar/java/checks/AbstractHar…`

Label	Layer	Status	Path
`auth::sonar-java-plugin/src/main/resources/org/sonar/l10n/j…`	security	healthy	`sonar-java-plugin/src/main/resources/org/sonar/l10n/java/ru…`
`auth::java-checks/src/main/java/org/sonar/java/checks/secur…`	security	healthy	`java-checks/src/main/java/org/sonar/java/checks/security/JW…`
`auth::external-reports/src/main/resources/org/sonar/l10n/ja…`	security	healthy	`external-reports/src/main/resources/org/sonar/l10n/java/rul…`
`auth::.github/workflows/build.yml`	security	healthy	`.github/workflows/build.yml`
`auth::java-checks-test-sources/default/pom.xml`	security	healthy	`java-checks-test-sources/default/pom.xml`
`auth::java-checks-test-sources/default/src/main/java/checks…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`
`auth::java-checks-test-sources/default/src/main/java/checks…`	security	healthy	`java-checks-test-sources/default/src/main/java/checks/secur…`

Label	Layer	Status	Path
`9.14.0.375`	network	healthy	`docs/java-custom-rules-example/pom.xml`
`1.9.9.1`	network	healthy	`java-checks-test-sources/default/pom.xml`
`1.9.22.1`	network	healthy	`java-checks-test-sources/default/pom.xml`
`4.9.8.2`	network	healthy	`its/plugin/projects/spotbugs-external-report/pom.xml`
`2.3.0.0`	network	healthy	`its/plugin/projects/servlet-jsp/pom.xml`

Label	Layer	Status	Path
`SQ_VERSION`	cicd	healthy	`—`
`GITHUB_TOKEN`	cicd	healthy	`—`
`USE_DEVELOCITY`	cicd	healthy	`—`
`DEVELOCITY_URL`	cicd	healthy	`—`

Label	Layer	Status	Path
`mongodb`	data	healthy	`java-checks-test-sources/default/pom.xml`
`elasticsearch`	data	healthy	`java-checks-test-sources/default/pom.xml`

Label	Layer	Status	Path
`vps::aws`	hardware	healthy	`pom.xml`
`vps::azure`	hardware	healthy	`java-checks-test-sources/default/pom.xml`

Label	Layer	Status	Path
`repobility-clone-96ibr5ra`	software	healthy	`/tmp/repobility-clone-96ibr5ra`

Label	Layer	Status	Path
`sqs`	data	healthy	`.github/workflows/automated-release.yml`

Label	Layer	Status	Path
`port:04`	network	healthy	`.github/workflows/unified-dogfooding.yml`

For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.

For AI agents + API integrations

Email me when this repo regresses

Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.

API access

This page is publicly accessible at: https://repobility.com/scan/8b0cc620-1283-4f1a-95c5-51f9bc3ef4eb/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/8b0cc620-1283-4f1a-95c5-51f9bc3ef4eb/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.

SonarSource/sonar-java

Complete repo analysis

file 50+

directory 50+

job 25

pipeline 17

secret 14

auth 7

service 5

env_var 4

database 2

vps 2

repo 1

queue 1

port 1