I have implemented Sonar Java Plug-in(Maven) following the example here : https://github.com/SonarSource/sonar-examples/tree/master/plugins/java-custom-rules. Copied the generated sonar-plugin in /extensions/plugins directory. Restarted the SonarQube server and ran the analysis using the mvn sonar:sonar.
I can see the new Rules being added in Rules tab but no issues are being logged and also the status of Rule is active. Looks like the Rules are not considered at the time of analysis. Is there anything i am missing?
You have to enable your new rules on a quality profile.
Related
I have a class annotated with Lombok's #Data, in a gradle project, using the Sonarqube and Jacoco plugins.
The source code is available here on github
I have a locally running sonarqube server running as a docker container, started like this:
docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube
I have added a "lombok.config" file, asking it to add #Lombok.Generated annotations to its generated code, as per the Global Config keys section here in the docs.
lombok.addLombokGeneratedAnnotation = true
And I have the following Sonar condition configuration.
When I run the sonarqube target for the very first time, it reports that the project passes.
If I then switch the lombok.addLombokGeneratedAnnotation to be false, and rerun the sonarqube target, it reports that there is a failure:
If I then switch the lombok.addLombokGeneratedAnnotation back to true, and rerun again, sonarqube reports that the project is still failed. And I can't get the project to pass again.
I then changed the group name in the build.gradle file, to force the sonarqube gradle plugin to create a new project within the Sonarqube server. When I do this, the project passes again.
I've never changed any of the source code during this process.
Please does anyone have an idea why Sonarqube is behaving this way?
I've never changed any of the source code during this process.
Oh, but you have. Or rather, Lombok has by inserting (or not) annotations in your code.
You're using a Quality Gate that looks only at "New Code". On your first analysis, no code is new, so none of it is up for consideration. Then you twiddle your Lombok settings, regenerate and reanalyze. Lombok apparently makes some changes in your code. I've never used Lombok so I can't expand on exactly what's happening here, but you can click through on the New Coverage-related metrics on the project homepage to get to a list of files. Drill into a file to see what's being considered "new" in it (yellow highlight). Look to the marginal markings (red, green, yellow striped) to see what's considered covered.
N.B. Your quality gate currently demands 99% coverage on conditions in new code. This is unrealistic and past the point of diminishing returns. You should reconsider this value. IMO 85-95% is more realistic depending on your team.
For future reference, we found that the problem was solved by updating the SonarJava plugin to the newest 5.1.1 release.
I think this ticket in release 5.1, to upgrade to Jacoco 0.8.0 may be the thing that started to honour the #Lombok.Generated annotation.
On my local machine for my project trying to see the code quality related issues that sonarqube shows.
Using eclipse IDE.
Installed sonarlint plugin and I am able to see most of the issues that I see in the sonarqube for my project.
But, don’t see issues related to duplicate code etc
From what I see on internet sonarqube uses other third party tools like PMD, checksyle, findbugs to show other issues apart from what sonarlint shows.
Who usually provide the xml rulesets for PMD, Checkstyle etc in the company? Is it the sonar team or the architecture team? or the project team leads create one and provide it to the team.
At the time of this writing, SonarLint runs analyses file by file,
so it cannot display errors involving multiple files, such as:
Duplications
Test coverage
Package-level issues (package-info.java is missing, etc)
Furthermore, it only shows issues from SonarSource analyzers,
third party analyzers such as PMD and checkstyle are excluded.
Finally, it will show the same issues as you see in SonarQube in connected mode.
Otherwise, in standalone mode,
it uses the default quality profile (= set of rules),
as defined by its embedded analyzers,
which may slightly vary depending on their version.
The differences that you see between SonarLint and SonarQube will come down to one or more of the reasons as explained above.
Who usually provide the xml rulesets for PMD, Checkstyle etc in the company? Is it the sonar team or the architecture team? or the project team leads create one and provide it to the team.
That depends on the company, and any answer to this would be subjective.
I am developing a Java application and Using SonarLint to test the code quality.
Sonar shows the error : Take the required action to fix the issue indicated by this comment.
For below line of code:
// FIXME: temp here until we drop tomee or remove all exceptions from ejb <-> non-ejb path.
Is there any way I can suppress the warning in SonarLint ?
You can use the connected mode to bind your project in the IDE to a project in SonarQube. SonarLint will use the same code analyzers and rules as the ones in SonarQube.
In SonarQube, it's possible to change the quality profile assigned to projects and in this way, to enable or disable rules.
More information: https://www.sonarlint.org/intellij/howto.html
I checked several places and tried many things to suppress the warnings, but turns out that //FIXME are considered as major warnings in Sonar . You need to take care of them by removing the tag and fixing the issue which was mentioned in the tag (by the developer of tag).
Or you can simply remove the tag if that issue is not needed to be fixed or that is itself not an issue now.
I’d like to ask for help. I installed the plugin and successfully added the SonarQube server. I upgraded to version 4.1.2. I use IntelliJ IDEA 13.0.2.
I also successfully associated the project and inspection warnings appeared. But when I fix the issue the status is not updated.
How to synchronize ?
I also run inspection by name ‘SonarQube issues’.
Nevertheless after running the inspection the warnings are also there, where the code was fixed. It seems to me the synchronization somehow fails.
Any idea, what todo, please?
What I had done in my situation.
Installed SonarQube 4.4.
Installed IntelliJ 13.1.4b (the same history was with 13.0.4).
Configured SonarQube intelliJ plugin (not community provided one but plugin from SonarSource). All instructions are under the link on Wiki.
Attached to Sonar project. Every step just as SonarSource recommends.
This gave me mapping from Sonar onto source code. But it does not update when I simply fix the issue. But if I fix issues I then re-post project onto Sonar through mvn sonar:sonar and this gives me updated picture next time I run inspection through sonarqube plugin.
But this is not 100% what is wanted. But definitely better than nothing. Also I have imported Sonar rules through QAPlug - this is far less useful. But notable faster.
Overall this configuration allows me to make what is needed but I'd like to receive real incremental processing without publishing local changes onto Sonar server.
Give a try to the SonarQube IntelliJ Community Plugin, it is made for fixing issues detected by jenkins on the local dev machine. Different then the official plugin you will need to do more configuration by yourself, but it gives you also the freedom to specify your local analysis script like you need.
What you need to do:
configure the plugin
setup sonar server
setup local analysis script
Afterwards you can run SonarQube (new issues) inspection, this will run the script and show the results in the Intellij. If you are fixing issues, you can just rerun the inspection from inside the inspections results tool window. This will rerun the script and show new results.
see also: https://github.com/sonar-intellij-plugin/sonar-intellij-plugin
Actually in our project, we are planning to start developing code (with SONAR to analyze from beginning only) , So we are making use of sonar plugin in eclipse. We know how to analyze code by configuring project to SONARQUEBE and making use of maven build tool as well as using sonarrunner. Instead of building maven for every code changes and analysing , is there any way that prompts (as well as show error lines ) sonar to immediately analyze just after saving the java file ?
Help will be appreciated..... Thanks in advance
There is currently no way to tie an sonar analysis to a save action.
However, you do not need to run the maven based analysis. Assuming you use a recent version of SonarQube and SonarQube ide (4+ and 3.3), you can simply run the analysis using the shortcut (ALT-Ctrl-Q, by default).
Using incremental mode with SonarQube 4+, this is actually really fast, because it analyzes only the changed files as compared to the last successful SonarQube run.
Of course, you need make sure that your buildserver regularily runs your full SonarQube builds as well.