I have a very large Java project with a massive codebase statically analysed with SonarQube. A part of it, confined to one module, is currently being rewritten. I would like to apply a different quality profile to this part of the codebase without changing the profile for the rest of the project. To be more specific: I would like to disable one of the rules in the current quality profile just for this one module. Is this possible and if yes, how do I do that?
I have been scouring through SonarQube settings looking for any options for this kind of setup. The only thing I have found until now is the option to Restrict Scope of Coding Rules under Project settings > Analysis Scope. Here one can restrict the application of a certain rules or rules to only certain file patterns. Not exactly what I was looking for.
Any ideas?
Related
I know that SonarCube could exclude certain codes or modules.
My question is that, currently i have certain project, i only want to scan part of the codes using all SonarCube rules;
but at same time, for other parts of same project codes, i only want to apply some of the Sonar rules(for example, rules relates to security).
See this image for my example
Any experts can give me some hints, whether sonar can do this using maven or not, and how if possible. thanks.
This is not a common use case, but I see two options:
Create two quality profiles, and analyze your project twice using a different project key and a different quality profile. In SonarQube it will show 2 different projects. Using file inclusion/exclusions, you can partition your modules in the two projects. Note that having two projects could bring some difficulties, for example if you use PR analysis. Still you can have an overall view of the quality using an application to group them.
Keep a single quality profile and single project, but use advanced issue exclusion patterns to exclude issues you don't want on specific files. Managing those exclusions could be a bit tedious.
I'm a big fan of SonarQube as a developer. This time though I need to do admin work since I need to configure it from a fresh install. I see this rule in SonarQube "Methods should not have too many lines" but I don't see that it belongs to any of the default profiles ("FindBugs+FB-Contrib", "Sonar Way"). I think that's the reason I don't see any rule violations of this type from any of the projects. I thought this should be part of a common default profile since this is a pretty common violation. How can I add this rule to the profile?
There are other rules that I need to add which I expected also to be in the default/available profiles already.
You can't edit built-in profiles. Instead, you'll have to create a new profile, and then you'll be able to edit the rules to your heart's content. I suggest you initialize your new profile either by copying the rules from the built-in profile of your choice, or by inheriting from that profile. Note that choosing the latter means your profile can (and probably will) be updated by upgrading your analyzers; each new version of SonarJava, for instance, implements new rules and many of them are added to the Sonar way profile.
SonarQube Quality Profiles are not being used during the sonarqube scan:
We have sonar tasks installed and enabled for build definition what we are seeing is that the quality profiles are being stopped for one build run and it is again started using the quality profiles for the next run automatically. We are consistently seeing the same behavior for the alternate build runs.
Image where we can see the profiles are stopped and started:
What you're seeing is the result of a bad configuration somewhere. You indicate your comments that along with the toggling of profiles, you also see large swings in issue counts
as most of the file types get excluded from analysis resulting in very few issues reported.
So let's break this down:
The profile events you're seeing simply record/reflect the changes in profile use from one analysis to another. If I have a project with Java and JavaScript, the first analysis will use the default profiles for that language. Then, let's say I use the deprecated property sonar.language to restrict analysis to just Java files and analyze again. Since JavaScript is no longer found in my project, the default JavaScript profile will not be used, and a profile event will be recorded.
That seems to be what you're seeing in your activity log.
So now to the detective work: why is this happening? First, this swings back and forth. That indicates configurations set not at the project level (in SonarQube itself) but properties that are only sometimes passed during the analysis, or some other analysis-side circumstance. There are a few possible causes which you'll need to investigate independently:
sonar.language - if this deprecated property is used during analysis, it will limit the by-default multi-language analysis to a single language. It could be in your properties files or passed on the analysis command line -Dsonar.language=foo
exclusions - exclusions are difficult to set properly from the analysis side, but this can happen
improper/incomplete checkout - is it possible that only part of your project is checked out?
In investigating this, you should be aware that analysis-side properties can be set at two levels; at the individual project/analysis or in the global scanner configuration.
I'm guessing that your CI system has multiple slaves and languages are dropped - or not - from your project depending on which slave the job lands on that night.
I was experiencing a similar problem and I believe I have tracked down the root of the issue for us. Capturing the source code and properties used during the build, I was unable to find any discrepancies in sonar properties or source code collected, as suggested in the previous answer.
Our solution we were trying to analyze with SonarQube has a few C# projects that are part of an external core solution, which is shared between several components. Compiling any one of these other components requires that core be compiled first. I believe the issue lies in that when compiling my component to be analyzed, MsBuild would sometimes rebuild some of the projects included in core. Depending on if they were rebuilt or not, the number of projects and files (and hence issues) would swing wildly in one direction or the other.
By enforcing MsBuild to clean my component solution before compiling,
MsBuild.exe MySolution.sln /t:Clean,Build
I ensure a consistent set of projects are built and analyzed by sonarqube. I am 30 builds in with this new approach and I have no more flopping back and forth between using and not using a quality profile.
Sonar scanner runs analysis for all the available plugins installed in SonarQube. But for some of the projects analysis should be run only for some languages(For example Java and Javascript).
sonar.language parameter allows me to set only one language.
Is there any way to set multiple languages for analysis.
Stop thinking in term of language, since this is a blur concept in SonarQube. Just exclude the files you don't want to analyze, using for example the property sonar.exclusions.
For example, when considering a pom.xml file, the "language" was historically XML (and rules provided by SonarXML). But we now also have rules provided by SonarJava.
The property sonar.language was deprecated in SonarQube 4.4 and might be removed in SonarQube 6.7 or later, because SonarQube can now use several languages (which seems to be exactly the issue that you face currently).
If you only want Java and Javascript issues to be reported, I suggest to create custom quality profiles for all other languages, containing 0 rules. You can then, for your project, explicitly assign those "void" quality profiles.
I currently have a SonarQube instance setup with multiple projects. Currently I get multiple requests every few weeks to update the quality profile to include a new rule or to remove an old one. This is usually followed by me having to recreate the projects and then sequentially running analysis again so that I can have the differential view again starting from a baseline code. This is becoming a pain as the number of projects grow. Is there any alternative to this? For instance is there any way to tell Sonar to pick up the new rules from the quality profile and run the existing analysis again against these rules.
If I don't do that I get a spike in issues as new rules get added and a new analysis is run as the existing analysis wasn't run against those rules and doesn't have an accurate issue number.
Thanks for the help!
Once you have linked a profile to a project, you can change the rule set and it will be used during the next analysis. As you add or remove rules, spikes are normal. Propably what you want to ensure is that for example no new rules are introduced as you want to ensure the quality is not going down, but is always improved. You can do it using quality gates and build breaker plugin. Hopefully I could help.
I am not sure to understand very well what you want to do, if this is running again a new (changed) profile to all previous versions of a project, or to apply different profiles on different versions of a project.
Maybe this could help you ?
SonarQube - analyzing branches of the same project
How to configure Maven to run a SonarQube project analysis with two different quality profiles?