I'm using SonarQube 6.3.1 with default profile Sonar way. I have the newest SonarJava plugin installed (4.8.0.9441).
I can see that the rule SQL binding mechanisms should be used is activated.
I have installed SonarLint 2.9.0 plugin for Intellij and connected to running SonarQube server.
After copying example violation from Sonar page I can see in my IDE that plugin works fine. Everything seemed perfect up to this moment.
Unfortunately, analysis on SonarQube server doesn't find this vulnerability. The same goes for another owasp-a6 rule Cookies should be secure (also found by Sonarlint). But on the other hand, some owasp rules work (i.e. Console logging should not be used).
Is this a known Sonar issue that some rules are omitted? Exclusions are not a problem, I'm pretty sure that those files are being analyzed because some other issues have been found.
Related
I'm trying to implement a custom SonarQube plugin which also works fine on my dev machine in Eclipse, but as soon as I deploy it to our SonarQube instance it crashes during runtime with a ClassNotFoundException. The class which it can't find during runtime is ExpressionsHelper, which (as far as I understand it) should be in the sonar-java-plugin-***.jar.
Our SonarQube instance is running version 6.1, the SonarJava plugin is installed in version 4.15.0.12310.
Now to which version(s) should I set which property in my pom.xml so that the configuration on my dev machine matches the available libraries on the SonarQube instances? I've tried setting them to sonar.version=6.1, java.plugin.version=4.15.0.12310 but then I still got the ClassNotFoundException during the scan.
Thanks for your help in advance.
If the class is not part of package starting with : org.sonar.plugins.java.api it won't be found at runtime.
org.sonar.java.checks.helpers.ExpressionHelper is not part of this package and so won't be found at runtime, hence the exception you encounter.
What is the difference between the Sonarqube java plugin repository under rules>repository> Sonarqube Java rules and the default profile Sonar way under quality profiles. The first one has 322 rules, while the second one has 229. What is missing from the Sonar way profile? I am using Sonarqube 5.2 server.
First, the version of your Java Plugin is more relevant than the version of your SonarQube server. The server ships with a copy of the Java plugin, but the two are versioned independently, and it can never be assumed that you're running the version of the plugin that ships with the server.
To answer your question, the Sonar Way profiles are designed to be absolutely non-controversial out of the box. So rules about what line '{' should be on, for instance, aren't included. There are also rules that are desirable only in certain coding situations. For instance, not everyone is going to be interested in the proper use of Struts, so those get left off too.
We have Eclipse Java EE IDE for Web Developers.
Version: Luna Release (4.4.0)
Build id: 20140612-0600
I have installed SonarQube Plugin in my eclipse and have configured the SonarQube Server. Tested the Server connection in Eclipse.
Windows>Preferences>Sonar>Servers. Connection is successful.
I am able to associate my project to Sonar in eclipse and get the report locally.
After fixing the violated issues , Is there a way we can publish the new report from our Local to the SonarQbe server dashboard.?
First, you appear to be using an old version of the plugin; the most recent version of SonarLint for Eclipse has not yet re-established the connected experience (although that's coming soon). You may be interested in upgrading because SonarLint checks your code as you work; there's no longer a need to trigger the analysis. This way, issues are brought to your attention immediately instead of your having to remember to look for them.
Now to your question: there is not a way to push your updated results from Eclipse directly into the SonarQube platform; you'll need to perform a full analysis. Keep in mind that in-IDE analysis runs most but not all rules. I.e. you're not going to get issues in Eclipse from the rule about too-low coverage thresholds, for instance. Ditto duplicatons. Those are only run as part of the full analysis.
I installed agent tool3 on my eclipse and proceeds to install the MASE plug in for analysis and design. I really need the plug in for a design and analysis but unfortunately, after the installation of the agent tool3 the next step towards installing the MASE pugin I got this error message below.
Plug-in org.eclipse.epf.authoring.ui was unable to load class org.eclipse.epf.authoring.ui.views.LibraryView.
I have done everything within my knowledge but cant seem to get a solution. below are pictures of the errors
Most likely you have this class loading errors because agentTool III and MaSE are for Eclipse 3.4 (Ganymede). Usually eclipse tools have open range for dependencies to prevent blocking users from installing it into newer Eclipse release. It works sometimes, if tools do not use restricted/none public API which tends to have many changes between major Eclipse releases.
I cannot see details on your screenshots but it feels like some classes were removed/refactored in Eclipse Mars since Ganymede release.
Disclaimer : I have tried to post this message on the users mailing list of Sonar.
We are using SonarQube 4.5.1 and encountered an issue this morning on some project using the property sonar.java.binaries.
We updated the version of the java plugin yesterday to 2.8 (we were using 2.5.1 before).
The error in the analysis is :
[ERROR] [20:43:58.997] Invalid value for sonar.java.binaries
[ERROR] No files nor directories matching '/PATH_TO_JENKINS_WORKSPACES/sonar/PROJECT_NAME/release/PROJECT_JAR.jar'
In the pom.xml, sonar.java.binaries property is valued with : ${basedir}/release/${project.artifactId}.jar
Variables changes is good on analysis and jar exists in the repository.
Here is my investigation :
When getting back to version 2.5.1, sonar analysis is OK
When using version 2.8, if sonar.java.binaries points straightly to a jar file, analysis is KO
When using version 2.8, if sonar.java.binaries points to a directory (in my case, ${basedir}/release/), the analysis is OK
Is the behavior of sonar.java.binaries, implemented in 2.8, wanted ? or this a regression ?
Thanks,
Frédéric
As your project is built using Maven, we recommend to analyze it using the SonarQube Maven Plugin.
In that case you don't need to define the sonar.java.* properties
BTW : it would better to upgrade directly to SonarQube 4.5.4 and Java Plugin 3.3 to get all bug fixes / enhancements in particular new rules on bug detection coming with recent Java Plugin: http://nemo.sonarqube.org/coding_rules#languages=java|tags=bug|repositories=squid
As I understand from here you should use double slashes for sonar.java.binaries