Is there a way to exclude generated-sources out of Fortify scan? I tried sourcepath option mentioned in the guide but it never seem to work for me.
-Dfortify.sca.sourcepath="**/target/generated-sources/**/*.java" or
-Dfortify.sca.sourcepath="**/target/generated-sources/**"
Both the above options ended up with the below warning
[WARNING] Bad value provided for option -sourcepath.
Do not add ** to sourcepath, specify the directories instead:
-Dfortify.sca.sourcepath="module1/target/generated-sources" -Dfortify.sca.sourcepath="module2/target/generated-sources"
If you are using sourceanalyzer you can add the -exclude parameter, with this you can use wildchars, like
-exclude module1/target/generated-sources/**/*.java
Related
Sonarqube Version -7.9.5
SonarQube Scanner - sonar-scanner-msbuild-5.0.4.24009-net46
Source code contains - C#, angular.js, html5, javascript.
Hi,
I executed the following commands and after executing the 3rd command I am getting execution failure error.
The command I executed in the CMD prompt are browsing to the path where solution is present are,
SonarScanner.MSBuild.exe begin /k:"Demo" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="TokenID_ABC"
MsBuild.exe /t:Rebuild
SonarScanner.MSBuild.exe end /d:sonar.login="TokenID_ABC"
ERROR: Error during SonarScanner execution
org.sonar.java.AnalysisException: Please provide compiled classes of your project with sonar.java.binaries property
I found one similar kind of issue reported where it is said that due to .java file present in the code the issue occurs, in our code as well .java files are present, not sure the use of them. How can I exclude those .java files while SonarQube analysis is performed and in which file do I need to add exclusion code?
Also, if there is some another solution to resolve this issue, then please let me know as I have very limited knowledge of Sonar.
Link of similar issue -
https://community.sonarsource.com/t/error-while-running-sonar-scanner-please-provide-compiled-classes-of-your-project-with-sonar-java-binaries-property/30027/2
You can exclude arbitrary files by going to your project settings in SonarQube -> Analysis Scope -> Source File Exclusions. Use regex to match your java files, i.e. *.java.
I am getting a lot code smells from lombok generated code in Sonar. F.E.:
Method Dto.hashCode() stores return result in local before immediately returning it
Dto.equals(Object)
is excessively complex, with a cyclomatic complexity of 58
How can I point out sonar that this should be skipped from analyze?
UPDATE
I've tried it already. My lombok.config file in root directory is:
config.stopBubbling = true
lombok.addLombokGeneratedAnnotation = true
lombok.equalsAndHashCode.callSuper = call
It doesn't helps
I've tried it already: sonarqube + lombok = false positives
I've updated: sonar-project.properties in root directory to:
sonar.sources=src/main
sonar.tests=src/test
sonar.language=java
sonar.java.binaries=build/classes
sonar.junit.reportPaths=build/test-results/test/
sonar.jacoco.reportPaths=build/jacoco/jacocoTest.exec
sonar.java.libraries=.gradle/caches/**/lombok-*.jar
It doesn't work either.
Please don't close it. It is not duplication.
I just had the same issue. I am using sonar-scanner and figured out that it needs to set Lombok jar file using command line argument.
For example:
sonar-scanner -D sonar.java.libraries=/home/gitlab-runner/.gradle/caches/modules-2/files-2.1/org.projectlombok/lombok/1.18.10/625fc0055674dff70dbc76efa36d0f2c89b04a24/lombok-1.18.10.jar
Now SonarQube does not show any issues related with Lombok annotations.
Methods generated by lombok need to be annotated with #Generated. Sonarqube will then ignore them.
Just add a file lombok.config in the project root directory, with the following content:
lombok.addLombokGeneratedAnnotation=true
Be sure that lombok.jar is well inside the directory referenced in the sonar.java.libraries property.
I had the same problem, I added the property but I had put a reference to the directory of my runtime package that did not contains the lombok.jar!
lombok.jar is used at compile time and useless at runtime so we avoid to add it inside this directory.
The org.objectweb.asm library that downloaded from mavenrepository doesn't contain the debug information, it's so hard to put a break point and also when generate override method from intellij, the arguments are all nonsense single char names. I tried to put product.noshrink in the build.properties, but it doesn't seem to do the work.
You can download the source from here and then compile with whatever options you want. http://forge.ow2.org/project/showfiles.php?group_id=23
Am using my java application with log4j as logging mechanism
For most of the debug statements of the 3rd party jars am using, am getting filename with line numbers like
com.abc.xyz.GG(doFilter:67)
but for my source code, am getting the following
com.xyz.abc.class (unknown source problem)
Its tough for me to debug my source code since there is no line number info.
Can Someone please help me how do I enable this....
Thanks in advance....
Did you compile your code with the "-g:none" option of javac?
If so, the compiler doesn't generate any debugging information and Log4j cannot fetch them.
You need to pass -g option when calling the javac command.
From the Oracle documentation:
-g
Generate all debugging information, including local variables. By default, only line number and source file information is generated.
If you using ant to build your project you need to set the javac task's debug attribute to on, like this:
<javac debug="on">...</javac>
I am using Maven, with the one-jar pluggin, but when I run the one jar executable, I'm greeted with a wall of warnings, this is unacceptable for use
I've looked at every available resource on one-jar and see no instruction on how to keep the jar for spewing out tons of warnings when run, has anyone solved this?
JarClassLoader: Warning: META-INF/LICENSE.txt in lib/commons-io-1.4.jar is hidden by lib/commons-collections-3.2.1.jar (with different bytecode)
JarClassLoader: Warning: META-INF/NOTICE.txt in lib/commons-io-1.4.jar is hidden by lib/commons-collections-3.2.1.jar (with different bytecode)
JarClassLoader: Warning: META-INF/LICENSE.txt in lib/commons-lang-2.4.jar is hidden by lib/commons-collections-3.2.1.jar (with different bytecode)
JarClassLoader: Warning: META-INF/NOTICE.txt in lib/commons-lang-2.4.jar is hidden by lib/commons-collections-3.2.1.jar (with different bytecode)
I found that if you create a one-jar.properties file and put it in the root of your runtime classpath (ie, where your project .class files end up), it will be read by the one-jar Boot class. An entry in this properties file such as:
one-jar.silent=true
will suppress the one-jar log messages altogether.
Other values that the Boot class looks for are one-jar.info and one-jar.verbose.
The default level is INFO. As Pascal Thivent indicated above, you can also set a System property via the command line with the -D parameter of the java command, but if you do not want to have to stipulate or remember this, the properties file approach works great.
It seems that these messages are printed when running in "verbose" mode. What I don't get is that the verbose mode doesn't seem to be activated by default.
Anyway, could you try to set the one-jar.verbose system property to false when running your one-jar:
java -Done-jar.verbose=false -jar <one-jar.jar>
Regarding the latest-and-greatest One-Jar v0.97: The problem is there. The 'one-jar.properties' file actually needs to be put into the root of the final jar. It will, of course, have one line that reads, one-jar.silent=true. This can be done in Ant by setting something like <fileset dir="${build.dir}" includes="**/*.properties" /> inside the <one-jar ...> task.
It can also, just as easily, be placed into the command line using the java -Done-jar.silent=true -jar foo-jar-made-by-one-jar.jar command.
Nevertheless, it will still report a single line that it's loading properties from the One-Jar internal Boot class before going quiet. There is no way to get around this without changing source code starting at line 317 in Boot.java where the method initializeProperties logs the loading/merging operations. See Bug ID 3609329 at SourceForge in the One-Jar bug tracker where I provided the quick fix.
Summary: By adding the one-jar.properties file all but one line of extraneous logging is removed. This should help Maven users find a workaround.
This is much better in the new version of the Maven one-jar plugin.
Add the plugin repository:
<pluginRepository>
<id>one-jar</id>
<url>http://onejar-maven-plugin.googlecode.com/svn/mavenrepo</url>
</pluginRepository>
and use version 1.4.4 in the plugin definition.
I found I needed to use version 1.4.5 (1.4.4 did not work) and then the suggestion to place a one-jar.properties file at the root of my jar file with a single line reading one-jar.silent=true worked for me.
I upgraded fromr 1.4.3 to 1.4.4 as someone suggested before and that made the deal
There's two places to get the one-jar plugin from.
https://github.com/jolira/onejar-maven-plugin
http://code.google.com/p/onejar-maven-plugin/
The 1st one claims to be just a copy of the 2nd one that's served from Maven's main repository. I was encouraged to use this one as it doesn't require specifiying an additional plugin repository that the 2nd one requires. However, when I switched to use the 2nd one (the official one), this problem went away for me.
Note - passing -Done-jar.verbose=false worked for me but not when set in file one-jar.properties as someone stated above.
I submitted a patch for this quite some time ago that merely makes the default behavior silent.
public static final int LOGLEVEL_VERBOSE = 5;
// Loglevel for all loggers.
- private static int loglevel = LOGLEVEL_INFO;
+ private static int loglevel = LOGLEVEL_NONE;
private final String prefix;
AFAIK, it never got applied. Recently I fixed another issue, so I put my fixes out here:
https://github.com/nsoft/uno-jar
Please Re-read the "as is, no warranty" part of the license several times :)
There is no way to do this without modifying the source code