SONARJAVA-6273 S3706: "stream" should not be used for Collection "forEach" calls by NoemieBenard · Pull Request #5581 · SonarSource/sonar-java

NoemieBenard · 2026-04-23T08:49:21Z

Implementation of rule S3706.

hashicorp-vault-sonar-prod · 2026-04-23T08:49:40Z

sonar-review-alpha · 2026-04-23T08:52:01Z

Summary

This PR implements SonarQube rule S3706: "stream" should not be used for Collection "forEach" calls.

The rule detects when code unnecessarily chains .stream().forEach() on a Collection instead of calling .forEach() directly. Since all Collection types already have their own forEach() method, the intermediate stream() call is redundant and adds no value.

Changes include:

New check class using method matchers to identify the pattern (.stream() on Collection followed by .forEach() on Stream)
Test cases covering the rule scope: detects violations on Collection, Set, List; correctly ignores .parallelStream().forEach(), filtered streams, and stored stream variables
Rule documentation (HTML/JSON) with rationale and code examples
Integration tests showing 4 real violations found in SonarQube codebase
Addition of rule to both Sonar Way and Agentic AI quality profiles

What reviewers should know

Where to focus:

Core logic (StreamForeachCheck.java:54-61): The method matchers correctly identify .stream() on Collection subtypes followed by .forEach() on Stream. The check stops at 2 levels deep (direct chaining), which intentionally avoids false positives when the stream is assigned to a variable.
Test coverage (StreamForeachCheck.java test file): Review both noncompliant cases (lines 10, 23, 27) and the edge cases marked "Compliant" (lines 20, 31, 36). Note the comment on line 37 explaining the design choice about stored streams.
Error reporting (line 59): The issue is anchored to both method names—.stream to .forEach—making the problem and fix clear.
False positive avoidance: The check correctly does NOT flag parallelStream() (different semantics) or cases where the stream is stored first, which aligns with the simple "direct chaining" pattern this rule targets.
Profile integration: Verify the rule count increase from 467 to 468 in JavaAgenticWayProfileTest.java matches the addition to both profiles.

Generate Walkthrough
Generate Diagram

🗣️ Give feedback

sonar-review-alpha

The implementation logic is correct and well-scoped, but there is a critical missing artifact that will break the build.

🗣️ Give feedback

sonar-review-alpha · 2026-04-23T09:25:53Z

+    list.stream().forEach(e -> System.out.println("Element: " + e)); // Noncompliant
+  }
+
+  void necessaryForEachOnParallelStream(Set<String> set) {


The noncompliant cases cover Collection, Set, and List, but there is no test for a stream().forEach() call where .stream() returns a custom Stream produced by an overriding implementation. More importantly, there is no test using a concrete ArrayList or other class that resolves through the full ofSubTypes hierarchy.

More critically: Stream.forEach() carries a weaker contract than Iterable.forEach(). Per the JDK spec, Stream.forEach() is "explicitly nondeterministic" even on sequential streams, while Collection.forEach() (via Iterable) iterates in encounter order. Code that relies on stream().forEach() for its documented non-determinism guarantee — even if that's unusual — would have its semantics silently changed. Add a test case comment explaining this known limitation, or document it explicitly in the rule description.

Mark as noise

tomasz-tylenda-sonarsource · 2026-04-23T15:03:45Z

+  private static final MethodMatchers STREAM_METHOD = MethodMatchers.create()
+    .ofSubTypes("java.util.Collection")
+    .names("stream")
+    .withAnyParameters()


Since stream() doesn't take any parameters, could we make this match stricter?

tomasz-tylenda-sonarsource · 2026-04-23T15:14:30Z

+  }
+
+  private void checkUnnecessaryForEach(MethodInvocationTree mit) {
+    ExpressionTree methodSelect = mit.methodSelect();


You can try something along these lines:

if (mitForEach.methodSelect() instanceof MemberSelectExpressionTree mset && mset.expression() instanceof MethodInvocationTree mitStream && STREAM_METHOD.matches(mitStream)) { reportIssue(mitStream, "Replace unnecessary call to .stream().forEach() by .forEach()"); } }

Also, we can call strings streamMit and forEachMit or something like this.

tomasz-tylenda-sonarsource · 2026-04-24T08:51:42Z

    StreamForeachCheck check = new StreamForeachCheck();
    CheckVerifier.newVerifier()
      .onFile(mainCodeSourcesPath("checks/StreamForeachCheck.java"))
+      .withoutSemantic()


I meant, we should have two tests, one with semantic, one without.

tomasz-tylenda-sonarsource · 2026-04-24T08:56:07Z

  void unnecessaryStreamForEach(Collection<Integer> collection) {
-    collection.stream().forEach(System.out::println); // Noncompliant
+    collection.stream().forEach(System.out::println); // Noncompliant {{Replace unnecessary call to .stream().forEach() by .forEach()}}
+  //^^^^^^^^^^^^^^^^^^^


If we are pointing at collection.stream() then maybe the message should be Remove unnecessary call to .stream() ? It's possible to tweak the location of the issue quite freely with some adjustments to report issue.

Btw, I told you that quckfixes are difficult. This is generally true, but in this case it's not too difficult, so maybe we could do it in a follow-up PR later.

sonarqube-next · 2026-04-24T15:16:46Z

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
90.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

sonar-review-alpha

LGTM! ✅

The previously flagged issues around test coverage (concrete Collection subtypes, ArrayList) and the missing documentation about the semantic difference between Stream.forEach() (nondeterministic) and Collection.forEach() (encounter-order) are still unresolved — neither the test file nor the rule description were updated in this commit.

🗣️ Give feedback

NoemieBenard added 10 commits April 22, 2026 17:11

fix incorrect test

f881b20

add tests for regex

2a08dab

update tests accordingly to default header

0d629a7

add default header after rebase

7d6bbf4

create files for implementation of S3706

09a9494

implement check

5dfa8cd

add failing test

a18788b

correct check according to .stream().filter().forEach() test

fe22485

Replace ofTypes by ofSubTypes to match collection subtypes

50d8e5d

improve tests

880cb68

hashicorp-vault-sonar-prod Bot changed the title ~~S3706: "stream" should not be used for Collection "forEach" calls~~ SONARJAVA-6274 S3706: "stream" should not be used for Collection "forEach" calls Apr 23, 2026

sonar-review-alpha Bot reviewed Apr 23, 2026

View reviewed changes

generate rule metadata from RSPEC

f113647

NoemieBenard changed the title ~~SONARJAVA-6274 S3706: "stream" should not be used for Collection "forEach" calls~~ SONARJAVA-6273 S3706: "stream" should not be used for Collection "forEach" calls Apr 23, 2026

This comment was marked as resolved.

Sign in to view

NoemieBenard added 2 commits April 23, 2026 14:08

update autoscan diffs

2b80a7b

update expected number of rules

43d8858