SonarQube use custom phpcs.xml - sonarqube

I am using sonarqube to analysis a Wordpress project.
In my sonar-project.properties file I added
sonar.php.standards.analyzer=phpcs
sonar.php.phpcs.config=./phpcs.xml
The phpcs.xml file contains all the rules I'd like sonar to use and I'd like all their additional rules to be ignored as they often conflict with the Wordpress standards.
When I run my sonar-scanner it currently is using the sonar way.
Thank you

Related

How to set the Teamcity sonarqube plugin module list externally?

We are using Teamcity in conjunction with the SonarQube plugin for some maven multi-module projects.
As we are potentially adding modules to one or the other project, I would like to set the "Modules" parameter of the SonarQube plugin programmatically or via some environment variable instead of having to manually edit it in the plugin's config.
Is there a way to do this?
For my TeamCity setup I have a global variable for my SonarQube exclusions. I can change all exclusions or override for specific projects. If you want to set this programatically, you could use the TeamCity API to update a similar variable either on the project or global level.
If you need a starting point, I have a script that updates build numbers I can share.

How to use PMD and FinBugs rules defined on SonarQube server inside IDE?

I've defined a quality profile containing rules from the sonar analyzer, PMD and Findbugs. However if I want to check those rules in the IDE (IntelliJ IDEA and Eclipse) only the sonar rules are applied (by design). I'd prefer sonarqube server to be the single source of truth and thererfore want to use PMD and Findbugs rules defined on the sonarqube server in my IDE. As far as I know it is not possible to export an PMD or Findbugs config file from sonarqube server.
What is the best way, to use sonarqube server as the single source of truth regarding static coded analysis and using PMD and Findbugs rules defined on the sonarqube server inside an IDE?
Sonar lint is a plugin for live code analysis. Sonar lint can automatically connect to the configured remote server and fetch quality profiles required to analyse the code. This plugin scans the source code for only rules from SonarAnalyzer repository(As you said).
I suggest you to use the below IntelliJ plugins:
FindBugs Plugin download link - https://plugins.jetbrains.com/plugin/3847-findbugs-idea
PMD Plugin download link -
https://plugins.jetbrains.com/plugin/1137-pmdplugin
As far as I know it is not possible to export an PMD or Findbugs config file from sonarqube server-this not true
It is possible to export PMD or Findbugs config file but separately
Create a quality profile and activate all the rules of pmd and findbugs in that quality profile.
After that if you click on the created qualityprofile like the one named "pmd" i created in the below screenshot
i have only activated pmd rules in it so you can a filter named PMD on the left bottom side.
click on that filter then rules that only belongs to pmd shows up as in the below screenshot.
click ctrl-s and save it into an notepad.this is how you export the rules and findbugs have also been present on the left bottom if i have activated it.
you can use this file to configure the above suggested jetbrains plugins
install the plugins and you can configure them in the settings using the exported rule file.
I did this in android-studio.
One option is SonarQube Community Plugin
This plugin will display the issues from your Sonar instance in your IDE. It is a nice way to display results of previous scans.

SonarQube excluding files, directories, and generated code?

The code base I am working with has a lot of generated code. In addition, there are also some deprecated files that I would want to exclude from SonarQube analysis. I've read up the documentation and looked at some answers on here about that, but it does not help in my case.
I have a multi-module maven project. So I have multiple projects in my workspace that are all part of a large application. Say I want to exclude this file:
/home/username/workspace/com.mst.rtra.importing.message/bin/com/mst/rtra/importing/message/idl/parse/idlparser.java
I don't really know how to write this in the exclusions settings on SonarQube because of how long the filepath is. Also, what if I want to exclude another file, but from a different module, say :
/home/username/workspace/com.mst.rtra.interpreter.create/
I am confused about I should write this in the exclusions box in project settings. Should I write the absolute file path due to the multi-module nature of this project? Or is there some other convention used?
In addition, if I want to exclude generated files from analysis, I would need to put file:/generated-sources/ as I saw in another answer. However, after analysis, I can still view the analysis results of those files when I open up the project in SonarQube dashboard.
We use ant rather than maven, and an older version of the Sonar ant task at that. But what works for us is setting a sonar.exclusions property in our build.xml, which accepts wildcards for filenames. For example:
<property name="sonar.exclusions" value="**/com/ex/wsdl/asvc/*.java,**/com/ex/wsdl/bsvc/*.java"/>
That skips analyzing all the code generated from a wsdl file for two services. You ought to be able to do something similar for maven.

How to use existing Checkstyle files in SonarQube

My co-workers and I would like to incorporate SonarQube into our existing projects. Our normal development process for Java projects involves running Checkstyle on code changes to ensure they follow our style rules, committing the project to our code repository and having Jenkins build and package the latest version. We’d like to add SonarQube to this final step (through the Jenkins plugin) but we don’t want to duplicate all of our Checkstyle rules in SonarQube, since this would require us to maintain two separate sets of rules and make things more complicated if we need to make changes to the rules. We don’t want to completely switch to SonarQube since we’d like to still run Checkstyle before we commit code to our repository. We’d also prefer to maintain our own Checkstyle files as the main set of style rules as opposed to maintaining the style rules on SonarQube and downloading the generated XML files for our local development.
So is there any way to “upload” (so to speak) our existing set of Checkstyle XML files to SonarQube for it to use in its evaluation?
Thanks for the help.
AFAIK, it is not possible to have Sonar use the Checkstyle definitions from the repository. Is is, however, possible to have Sonar use the current Checkstyle suppression filter from the repository.
As for the rules definitions, I think you will have to maintain them in Sonar, and when anything is changed, also change the copy in the repository which is used by eclipse-cs. This is redundant, but at least it affects only one person - the rest of the team can reap the benefits. This approach also enables intentional differences, e.g. when some Eclipse-specific issue is checked (say, something concerning source folders, which don't exist in Sonar).
The path to the suppressions filter file can be configured in Sonar to refer to the location where your stuff is checked out for Sonar analysis. So that part can be maintained in the repository without any redundancy.
From my point of view, you should make a choice: use SonarQube or Checkstyle but not both.
Checkstyle on code changes to ensure they follow our style rules => Can't you replace this step with SonarQube. See for example: http://docs.codehaus.org/display/SONAR/Using+SonarQube+in+Eclipse or http://docs.codehaus.org/display/SONAR/Issues+Report+Plugin

The Issues Report Plugin does not retrieve metrics

I have a problem when I run the Issues Report Plugin on the multi-module project. I noted that the documentation indicated that the plugin is incompatible with this kind of project.
Nevertheless, I tried to run a sonar-runner dry run on one of the modules using its projectKey and projectName (retrieved from the widget Description). Unfortunately, the plugin has not retrieved metrics previously analyzed for this module. All anomalies are marked as new.
Is there a way to ensure I get the right values?
The dry run mode for SonarQube analyses on multi-module projects suffers from limitations, which are all fixed in the upcoming 3.6.1 version of SonarQube.
See the following ticket: https://jira.codehaus.org/browse/SONAR-4265
And just to be clear: the Issues Report Plugin does not export measures of metrics, it only exports issues.

Resources