SonarQube & Roslyn analyzers configuration - visual-studio

I am trying to configure a whole dev environment with pipelines on Azure DevOps and SonarQube as a static code analyzer.
I added several Roslyn analyzers (StyleCop, for instance) and expected to see the issues on SonarQube. Some of them do appear but some don't.
For instance, SA1600 never shows up on Sonar.
I added an .editorconfig file, which works fine, as I can switch off some issues. But whatever the parameter is for SA1600, it does not appear.
This is quite uncomfortable, as my devs would not have the same issues in VS and on Sonar.
How is it possible to configure Sonar to have the same configuration as in Visual Studio?
Any idea is welcome :)

Is there a way to ignore Sonar issue "common-java:InsufficientCommentDensity" for whole project?

I'm working on a project where the developers are trying to write understandable code, so there is no point in using comments in a lot of places. We have a SonarQube that is used in other projects and we cannot configure it. All we can do is configure Sonar in our project's POM file. SonarQube is complaining that there are no comments in our code, with the rule "common-java:InsufficientCommentDensity". I know that we can ignore some rules using sonar.issue.ignore.multicriteria properties like
<sonar.issue.ignore.multicriteria>junit.assertions.include.messages</sonar.issue.ignore.multicriteria>
<sonar.issue.ignore.multicriteria.junit.assertions.include.messages.ruleKey>squid:S2698</sonar.issue.ignore.multicriteria.junit.assertions.include.messages.ruleKey>
<sonar.issue.ignore.multicriteria.junit.assertions.include.messages.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.junit.assertions.include.messages.resourceKey>
but it's not working with the "common-java:InsufficientCommentDensity" rule. Why? And is there a way to ignore this rule in our case?
SonarQube version is 6.7 (build 33306)
Sonar Maven Plugin version is 3.4.0.905
I tested this quite a lot and finally found that setting common rules (anything that starts with "common-xxxx") from the scanner side (POM, command line, etc.) will be ignored and won't work. Language-specific rules can be passed as command line arguments, and that's why the "squid:S2698" rule is getting ignored correctly. Here is the issue link on the SonarQube JIRA board, and it says that it "won't be fixed".
https://jira.sonarsource.com/browse/SONAR-8230
The only option for you is to set the issue exclusion from the UI. Here are the steps to set it from the UI.
If this is a common rule that you want to ignore, then make sure you have admin rights to your project. On the project Dashboard you should see the administration tab:
Click on Administration → General Settings
Click on Analysis Scope on the left hand side
Now set the below property:
Save and run the scan again.
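
The split the answer describes (scanner-side exclusions that work versus "common-*" ones that only the project UI can set) is easy to get wrong in a large POM, so here is an added checker. It is example code written for this page, not code from the original question, the answer or SonarSource. It parses the sonar.* properties out of a Maven POM, rebuilds the multicriteria entries, and reports which rule keys the scanner will honour and which must be configured under Administration > General Settings > Analysis Scope instead. settings_set_form() shows what that UI page stores, as the form fields the Web API's api/settings/set endpoint takes; the POM fragment and the project key "my-project" are constructed for the example.

```python
"""Sort scanner-side issue exclusions into ones SonarQube honours and ones it drops.

Added example (not from the original post). Language-specific rule keys such as
squid:S2698 are applied by the scanner; keys in a "common-<lang>" repository
(e.g. common-java:InsufficientCommentDensity) are ignored when passed from the
scanner side (POM, command line) and must be set on the project's Analysis
Scope page, see SONAR-8230.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PREFIX = "sonar.issue.ignore.multicriteria"

# Constructed POM fragment: one exclusion that works, one that is silently ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <sonar.issue.ignore.multicriteria>junit,density</sonar.issue.ignore.multicriteria>
    <sonar.issue.ignore.multicriteria.junit.ruleKey>squid:S2698</sonar.issue.ignore.multicriteria.junit.ruleKey>
    <sonar.issue.ignore.multicriteria.junit.resourceKey>**/*Test.java</sonar.issue.ignore.multicriteria.junit.resourceKey>
    <sonar.issue.ignore.multicriteria.density.ruleKey>common-java:InsufficientCommentDensity</sonar.issue.ignore.multicriteria.density.ruleKey>
    <sonar.issue.ignore.multicriteria.density.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.density.resourceKey>
  </properties>
</project>
"""


def pom_properties(pom_xml: str) -> Dict[str, str]:
    """Return every <sonar.*> element under <properties> as a flat dict (namespace stripped)."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for element in root.iter():
        if element.tag.split("}", 1)[-1] != "properties":
            continue
        for child in element:
            name = child.tag.split("}", 1)[-1]
            if name.startswith("sonar."):
                props[name] = (child.text or "").strip()
    return props


def parse_multicriteria(props: Dict[str, str]) -> List[Dict[str, str]]:
    """Rebuild the {id, ruleKey, resourceKey} entries from the flat property names."""
    entries = []
    for entry_id in (i.strip() for i in props.get(PREFIX, "").split(",")):
        if entry_id:
            entries.append({
                "id": entry_id,
                "ruleKey": props.get(f"{PREFIX}.{entry_id}.ruleKey", ""),
                "resourceKey": props.get(f"{PREFIX}.{entry_id}.resourceKey", ""),
            })
    return entries


def split_exclusions(entries: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (honoured, ignored): anything in a 'common-*' repository is server-side only."""
    honoured, ignored = [], []
    for entry in entries:
        repository = entry["ruleKey"].split(":", 1)[0]
        (ignored if repository.startswith("common-") else honoured).append(entry)
    return honoured, ignored


def settings_set_form(project_key: str, entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Form fields for POST api/settings/set: one fieldValues JSON object per exclusion."""
    form = [("key", PREFIX), ("component", project_key)]
    for entry in entries:
        form.append(("fieldValues", json.dumps(
            {"ruleKey": entry["ruleKey"], "resourceKey": entry["resourceKey"]})))
    return form


if __name__ == "__main__":
    honoured, ignored = split_exclusions(parse_multicriteria(pom_properties(SAMPLE_POM)))
    for entry in honoured:
        print(f"scanner applies : {entry['ruleKey']} on {entry['resourceKey']}")
    for entry in ignored:
        print(f"server-side only: {entry['ruleKey']} (set it on the Analysis Scope page)")
    for field, value in settings_set_form("my-project", ignored):  # project key is made up
        print(f"  -d '{field}={value}'")
```

Run it against your own POM by replacing SAMPLE_POM with the file contents; anything listed as "server-side only" needs a project administrator, exactly as the answer says.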

Disable SonarQube plugin for specific projects

Cut to the chase: I think I need to disable the SonarQube GitHub Plugin on the SonarQube server for specific projects if I want to do both of the following:
Publish to the SonarQube server & report to GitHub using the GitHub plugin.
It is my understanding that installing the SonarQube GitHub Plugin on a SonarQube server forbids the whole server from storing any analysis, forever. Therefore, I need to find a way to stop using the GitHub plugin for only specific projects. Is there a way to do that?
P.S. Backstory
My original question was "Can't publish results to SonarQube server".
However, upon finding "Why does SonarQube not show results, although the analysis succeeded?", user "Wirone" says that it doesn't show results on the Sonar server because the SonarQube GitHub plugin forces sonar.analysis.mode to be set as preview or issues, but not publish.
According to Wirone, sonar-scanner doesn't send results to the server unless the mode is set as publish.
I've tried to find out the exact meaning of sonar.analysis.mode, but the articles https://groups.google.com/forum/#!topic/sonarqube/JguVVO4OorE or "SonarQube analysis mode: preview vs issues" were not helpful at all, and I'm still confused about what mode to set if I want to see the analysis result on the Sonar server instead of GitHub.
Fig. 1: The whole server is empty. This server is actually working, and it has been commenting on GitHub for a couple of weeks now. However, the server itself does not store any analysis at all - it just pipelines everything to GitHub and then forgets it without storing anything in the database itself. The reason? Fig. 2.
Fig. 2: This is the reason. The GitHub plugin prevents sonar.analysis.mode from ever being set as publish. Without publish mode, the server can never store results in itself. I can't just uninstall this because I need the GitHub commenting feature.
Therefore, I need a separate project to store the whole analysis, but to do that I need to disable this plugin behavior for just that specific project...
Solved: I think leaving the GitHub credentials in the SonarScanner properties was the problem. After removing all the GitHub-related information from the properties, it seems to be working.
Scroll down to bottom to read the conclusion.
Git integration working config:
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=issues
sonar.profile=My_Analysis_Profile
sonar.github.repository=${repository}
sonar.github.endpoint=https://customossendpoint/api/v3
sonar.github.login=someusername
sonar.github.oauth=somehashkey123
sonar.login=id
sonar.password=pass
sonar.github.pullRequest=${pr}
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=true
sonar.github.disableInlineComments=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Tried to make it publish to server but analysis couldn't start due to "Doesn't support sonar.analysis.mode=publish" error message:
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=publish
sonar.profile=My_Analysis_Profile
sonar.github.repository=${repository}
sonar.github.endpoint=https://customossendpoint/api/v3
sonar.github.login=someusername
sonar.github.oauth=somehashkey123
sonar.login=id
sonar.password=pass
sonar.github.pullRequest=${pr}
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=true
sonar.github.disableInlineComments=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Rolling back to "issues" mode because nobody knew what the mode's purpose even was, and tried to make it stop publishing to github by erasing github related options (it didn't send to github, but now it didn't send to server either):
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=issues
sonar.profile=My_Analysis_Profile
sonar.login=id
sonar.password=pass
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Finally figured out the answer:
sonar.projectKey=${componentName}
sonar.projectName=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=publish
sonar.profile=My_Analysis_Profile
sonar.login=id
sonar.password=pass
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Conclusion: sonar.analysis.mode is very confusing. issues and preview seem to be almost identical; neither stores results on the server, and it's just a pipeline, either showing on the console when running sonar-runner manually, or pipelining it to the SonarQube GitHub plugin to post as a comment.
When the SonarQube GitHub plugin is active, it prohibits any mode other than issues and preview. In order to post to the server, it needs to be set as publish. To do that, we need to make sure the GitHub plugin isn't used. We can "disable" the plugin per project simply by omitting any GitHub-related properties (i.e. sonar.github.login).
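
The four property files above differ only in sonar.analysis.mode and in whether any sonar.github.* key is present, and that combination decides whether the analysis is stored, posted to the pull request, or refused. Here is an added pre-flight check that encodes the behaviour the thread settled on; it is example code written for this page, not part of the original post and not SonarSource tooling. It also warns about something the posted configs do that a reviewer should not let through: sonar.password and sonar.github.oauth sit in a properties file that is normally committed to the repository. The sample properties inside the block are shortened, constructed copies of the thread's configs.

```python
"""Pre-flight check for sonar-project.properties (SonarQube 6.x + GitHub plugin era).

Added example, not code from the original post. Behaviour encoded from the thread:
  * publish          -> results stored on the server; the GitHub plugin refuses this
                        mode, so any sonar.github.* key makes the analysis fail
  * issues / preview -> nothing stored on the server; issues go to the console, or
                        to the pull request when sonar.github.* keys are present
Plus a secrets check: passwords and OAuth tokens belong in CI secrets passed as
-Dsonar.password=... on the command line, not in a committed properties file.
"""
from typing import Dict, List

MODES = ("publish", "issues", "preview")
SECRET_KEYS = ("sonar.password", "sonar.github.oauth")

# Constructed samples: the working "Git integration" config and the one that errored.
GITHUB_ISSUES = """
sonar.projectKey=demo
sonar.analysis.mode=issues
sonar.github.repository=org/repo
sonar.github.oauth=somehashkey123
sonar.login=id
sonar.password=pass
sonar.host.url=http://sonarserver:19000
"""
GITHUB_PUBLISH = GITHUB_ISSUES.replace("mode=issues", "mode=publish")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check(props: Dict[str, str]) -> Dict[str, object]:
    """Classify the config: where results go, what will fail, what leaks."""
    mode = props.get("sonar.analysis.mode", "publish")  # scanner default when unset
    github_keys = sorted(k for k in props if k.startswith("sonar.github."))
    errors: List[str] = []
    warnings: List[str] = []

    if mode not in MODES:
        errors.append(f"unknown sonar.analysis.mode={mode}")
    if mode == "publish" and github_keys:
        errors.append("GitHub plugin does not support sonar.analysis.mode=publish; "
                      "drop the sonar.github.* keys to store results on the server")
    if mode in ("issues", "preview") and not github_keys:
        warnings.append(f"{mode} mode without sonar.github.* keys: issues go only to "
                        "the console and are stored nowhere")
    for key in SECRET_KEYS:
        if props.get(key):
            warnings.append(f"{key} is committed in the properties file; "
                            f"pass it from a CI secret as -D{key}=... instead")

    return {
        "mode": mode,
        "stored_on_server": mode == "publish" and not github_keys,
        "posts_to_github": bool(github_keys) and mode in ("issues", "preview"),
        "errors": errors,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, text in (("issues+github", GITHUB_ISSUES), ("publish+github", GITHUB_PUBLISH)):
        report = check(parse_properties(text))
        print(f"{name}: mode={report['mode']} stored={report['stored_on_server']} "
              f"github={report['posts_to_github']}")
        for message in report["errors"] + report["warnings"]:
            print("   ", message)
```

Feed it the file you are about to commit; a non-empty errors list is the "Doesn't support sonar.analysis.mode=publish" failure before it happens, and the warnings list is the credential clean-up the thread's final config still needs.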

no bugs being reported from sonar c#

SonarC# 6.7.1 (build 4347)
SonarQube Version 6.7.1 (build 35068)
Quality Profile: Sonar way (outdated copy) because the current Sonar Way quality profile returns nothing at all.
Running the current MSBuild.SonarQube.Runner (SonarQube Scanner for MSBuild 4.0.2.892) only reports Code Smells. No vulnerabilities or bugs are being reported.
Using https://github.com/SonarSource/sonar-scanning-examples - CSharpProject to test. I've added bugs from the quality profile above into the code but they never get reported. I've tried this with other CS projects with the same results.
Are there any known issues reporting vulnerabilities/bugs for C#? Is any additional configuration required to get this information reported back to SonarQube?
This isn't a known issue, and I couldn't reproduce it using the same versions of the scanner, the C# plugin and a clean install of SonarQube 6.7.1.
Analysing the sample project reported one bug (csharpsquid:S2583, Program.cs line 9), and one code smell (csharpsquid:S1118, Program.cs line 4).
Code Smells, Bugs and Vulnerabilities are all handled the same way by the Scanner for MSBuild - they are all just Roslyn issues with different categories applied. No additional configuration is required.
I'm guessing you've migrated from an older version of SonarQube since you have an outdated SonarWay. However, that shouldn't make any difference to how issues are reported. The rules included in the default SonarWay might change between versions, but you've checked for rules you know are in the active QP.
If you haven't already, you could try installing SonarLint for VS and checking it correctly detects the bugs you've injected into the code.
Other options:
the .sonarqube\conf file will contain a ruleset file showing which rules are being executed by the scanner. Check that it contains the expected rules.
the bin directory of each project will contain a XXX.RoslynCA.json file containing all of the issues that were detected during the build. Check that they contain the expected issues.
check the console logs for errors or warnings. You could also increase the verbosity of the logged output by passing /d:sonar.verbose=true on the command line in the Begin step.
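
The two artefacts the answer points at can be cross-checked mechanically, which narrows "no bugs reported" down to one of three places: the rule was never activated, the compiler ran with it but reported nothing, or the issue was reported at build time and lost afterwards. The script below is an added example written for this page, not code from the answer or from SonarSource. It assumes the ruleset is a standard Visual Studio RuleSet XML (every <Rule Id="..." Action="..."/> other than Action="None" is active) and that the RoslynCA.json is the compiler's /errorlog output, which it walks for any "ruleId" key so the exact SARIF layout does not matter. The ruleset and JSON documents inside the block are constructed, as is the rule id S9999.

```python
"""Cross-check Scanner for MSBuild artefacts: which rules were active, which fired.

Added example, not from the original answer. Inputs are the ruleset under
.sonarqube\\conf\\ and a project's bin\\<name>.RoslynCA.json; both documents
below are constructed stand-ins, and S9999 is a made-up rule id.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed ruleset in the Visual Studio RuleSet format: two active rules, one disabled.
RULESET = """<RuleSet Name="Rules for demo" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S2583" Action="Warning" />
    <Rule Id="S1118" Action="Warning" />
    <Rule Id="S9999" Action="None" />
  </Rules>
</RuleSet>
"""

# Constructed /errorlog output (SARIF 1.0 shape): the build only reported S1118.
ROSLYNCA = json.dumps({
    "version": "1.0.0",
    "runs": [{
        "tool": {"name": "Microsoft (R) Visual C# Compiler"},
        "results": [{
            "ruleId": "S1118",
            "level": "warning",
            "message": "Add a 'protected' constructor or the 'static' keyword to the class declaration.",
            "locations": [{"resultFile": {"uri": "file:///C:/src/Program.cs",
                                          "region": {"startLine": 4}}}],
        }],
        "rules": {"S1118": {"id": "S1118"}},
    }],
})


def active_rules(ruleset_xml: str) -> Set[str]:
    """Rule ids the compiler was told to run (Action other than None)."""
    root = ET.fromstring(ruleset_xml)
    return {rule.get("Id") for rule in root.iter("Rule")
            if rule.get("Id") and rule.get("Action", "None") != "None"}


def reported_rules(roslynca_json: str) -> Dict[str, int]:
    """{ruleId: count} for every object carrying a ruleId anywhere in the document."""
    counts: Dict[str, int] = {}

    def walk(node) -> None:
        if isinstance(node, dict):
            rule_id = node.get("ruleId")
            if isinstance(rule_id, str):
                counts[rule_id] = counts.get(rule_id, 0) + 1
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(roslynca_json))
    return counts


def diagnose(expected, ruleset_xml: str, roslynca_json: str) -> Dict[str, str]:
    """For each rule you injected a violation of, say where in the pipeline it went missing."""
    active = active_rules(ruleset_xml)
    reported = reported_rules(roslynca_json)
    verdict: Dict[str, str] = {}
    for rule_id in expected:
        if rule_id not in active:
            verdict[rule_id] = "not in ruleset: rule is not active in the Quality Profile the Begin step fetched"
        elif rule_id not in reported:
            verdict[rule_id] = "active but not reported by the build: check the build log and that the analyzer ran"
        else:
            verdict[rule_id] = (f"reported {reported[rule_id]} time(s) at build time: "
                                "the loss is in the End step or on the server")
    return verdict


if __name__ == "__main__":
    for rule_id, text in diagnose(["S2583", "S1118", "S9999"], RULESET, ROSLYNCA).items():
        print(f"{rule_id}: {text}")
```

Point active_rules at the real ruleset under .sonarqube\conf and reported_rules at each project's RoslynCA.json; the verdict for the bug you deliberately planted (S2583 in the example) tells you which of the answer's three checks to pursue.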

SonarLint plugin in Eclipse does not display Javadoc error

I'm trying to create a method without adding a comment or documentation to it. I expected SonarLint to show errors based on the rules, but I don't see any errors or warnings. Why?
The particular rules you're looking for are "common" rules applied at the server. You're not going to see them in SonarLint. But in general:
Out of the box, SonarLint runs with the Sonar way (default) profile. If you want additional rules applied in the IDE, you'll need to:
set up a SonarQube instance (assuming you don't already have one)
configure a Quality Profile to your liking
apply it to your project
connect your project in the IDE to the project on the server
At this point you will see (almost) all the same issues in both places.

sonarqube incremental analysis is not working for team configuration

I've configured a SonarQube server to run on my local machine and committed the initial project in analysis mode. Also, I created an Ant target for the developers to run in incremental mode to view their new issues. I installed issuesReport on the Sonar server and use it from the Ant file to generate HTML files.
However, when each developer syncs with SVN and runs the Ant target, they see violations by other developers under the new issues instead of only their own issues.
I expected the SonarQube plugin to only scan the files newly edited by the developer, but it is instead showing all the new files introduced by other developers.
To make it work properly I have to run an analysis mode from my machine. However, this fixes the problem only for me; my colleagues still see all the violations as new.
How does SonarQube decide if an issue is new or not? If each developer has to run a full analysis every time, this would be a big overhead. Is there something I am missing?
Thanks in advance for your time and help.
An issue is considered "new" if it does not exist on the analysis server. If you run a full analysis on a CI server on a scheduled basis, it will feed the server with issues and reduce the risk of developers seeing other developers' issues in the issues report in preview mode.
Please note that the Sonar documentation says incremental mode is only for developers, and only for the code they run against Sonar prior to an SCM (SVN or Git) commit.
See the incremental section on the page: http://www.sonarqube.org/analysis-vs-preview-vs-incremental-preview-in-sonarqube/
The Sonar report, when run in incremental mode, will show the developer how many issues will be generated if they commit the code. This way the developer gets to know what they can do to keep the Sonar issues low. This is the whole purpose of incremental mode.
Hope this answers your question!
