How to bypass legacy code in SonarQube analysis? - sonarqube

We have legacy code (10 years old); I want to bypass that code so that it is not analyzed in SonarQube. Or, SonarQube should scan only the recent changes which I made to the legacy code, or new files. How to achieve this? I found the CutOff Plugin is deprecated since SonarQube 4.0; we are using SonarQube 7.5.
Please help

SonarScanner doesn't support analyzing only part of the source code (for example, only files newer than a specified date). It always scans everything. If you keep your legacy code in other packages than the new code, then you may configure an exclusion filter to just ignore the old code. You have to set the sonar.exclusions parameter (a comma-separated list of ignored paths). You can read more about Narrowing the Focus in the official documentation.
Be aware that the proposed solution is not recommended. SonarScanner is able to find many vulnerabilities which should be fixed in legacy code as well. It can protect your company from material (e.g. money) and non-material (reputation) losses. The recommended way is to scan all code and use a Quality Gate to prevent introducing new issues. You can read more about it in Fixing the Water Leak.
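One way to apply the sonar.exclusions approach from this answer in a sonar-project.properties file, as an added example that is not part of the original post; the project key, source directories and the legacy/generated path patterns are assumptions:

```properties
# sonar-project.properties (constructed example; project key and paths are assumptions)
sonar.projectKey=my-app
sonar.sources=src/main/java
sonar.tests=src/test/java

# Skip the legacy packages entirely. Excluded files are never analyzed,
# so any issue in them, vulnerabilities included, will not be reported.
sonar.exclusions=**/legacy/**,**/com/example/oldmodule/**,**/*.generated.java

# Keep the matching legacy test sources out of test analysis as well.
sonar.test.exclusions=**/legacy/**
```

The same value can be passed on the command line as `-Dsonar.exclusions=...`; in these patterns `**` matches any number of directories and `*` matches within a single path segment.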

Related

Can I use PVS-Studio to analyze an open-source project which I'm not part of?

From the following blog post:
"Note that this mode is not intended to evaluate this software. Please use a demo version or request a temporary license key to try out the analyzer."
Do I understand it correctly, that I cannot add the following comment section to every source file in the open-source project in order to analyze it with PVS-Studio?
// This is an open source non-commercial project. Dear PVS-Studio, please check it.
// PVS-Studio Static Code Analyzer for C, C++, C#, and Java: http://www.viva64.com
Because otherwise it would be considered software evaluation and I would need to download a demo version of PVS-Studio for that? Consider also that I'm not a maintainer of the project I'd like to analyze, but only a person who would like to collect the static analysis report and send it to the project's maintainers.
"Do I understand it correctly, that I cannot add the following comment section to every source file in the open-source project in order to analyze it with PVS-Studio?"
The article mentioned that the PVS-Studio team considers adding these comments for the analysis and then removing them (without committing them to version control) to be an inappropriate use of the free mode. As you will not be able to commit these comments, the answer to your question is, unfortunately, no, you cannot.
However, if you take active part in the development of the aforementioned project, you can try applying for the free license for open source projects: https://www.viva64.com/en/b/0600/
So, as I understand it, you're not a project developer, but you want to help the project by finding bugs with PVS-Studio and sending information about them to the developers. Hmm. We didn't think about such a usage scenario. I think a free PVS-Studio licensing option will be right for you. We provide it for developers of open projects. You can specify your GitHub/Bitbucket profile and get the key for one year. For more information, this and other free licensing options are covered in the article "Ways to Get a Free PVS-Studio License".
Note. I just want to warn you about the following scenario. If you just check the projects and send the analyzer's reports, it will be perceived negatively. If you really want to bring benefit to the project, describe specific errors! Or you can pre-filter the report to weed out false positives and leave only the warnings that are likely to indicate defects. Also see the note "I've sent a PVS-Studio text log to the project authors! Did I really help?". And if you send the filtered report, it's best to use the following formats for its presentation: PVS-Studio Reports Now in Html, Managing XML Analyzer Report (see the section Converting the analysis results).

How to exclude all legacy issues by date?

We have a lot of legacy code in our repositories, and now we are implementing SonarQube 6.4, but our legacy code causes a lot of errors and warnings, so we would like to analyze only newly written code (or code modified in the future) and exclude the old code, because we have no resources to amend all issues from legacy code written during the last 10 years.
How can I exclude already found issues, e.g. by the date when they were found? But we don't want to exclude all old files as such, because we edit them from time to time. We just want to make sure not to add new issues.
SonarQube promotes the idea of a "leak paradigm". In short, the idea is to continuously enrich your existing code base with clean, maintainable, secure increments, which will make your code base better over time.
Fixing all existing issues is not advisable.
So: define a leak period in SonarQube and change your quality gate to use only leak measures. SonarQube is made for exactly your use case!
You could change all of the issues within a time frame via Bulk Change: filter the issues, then bulk change them accordingly.

Can SonarQube analyse code only on the latest Perforce changelists?

Can SonarQube analyse code only on the latest Perforce changelists? I don't want code review on the whole code base as it's legacy code written 10-15 years back.
Can you please help me here or point me to any documentation?
Thanks in Advance.
What you're looking for is the Leak Period, i.e. you want to focus on the recent changes to the code. SonarQube is designed to help you do that.
The entire code base will be analyzed, but by default the Quality Gate tests changes on new/leak period code, and the interface is designed to highlight leak period changes.

SonarQube - How to activate source syntax-highlighting after 5.0 migration WITHOUT making another analysis of components?

I know that the 5.0 release notes say "After the migration, source syntax-highlighting won't be available on a project until it has been successfully analyzed".
BUT I can't imagine that there is no way to activate it except by running another analysis. In fact, when you have thousands of components (it's our case), you can't plan 4500 analyses just to "restore" a basic but helpful functionality! And it's even more true when you know that the majority of these components haven't changed in a long time... :(
So, please, tell me that we can write a little batch or program that will do the job without needing to pull all the sources! I don't know how, because I don't understand this limitation of this upgrade (why the sources aren't accessible).
You should trust the release notes. The information required for syntax highlighting is computed during analysis. Note that it also requires the language plugins to support this feature. I suggest upgrading them to the latest versions.

Does filtering using manual metrics in Sonar still (or again) not work?

I am using Sonar 4.5.5, and I tried to use manual metrics in filters. No luck, also not with the ones provided by default. I searched the archives, Stack Overflow and Jira for that, nothing. Any insights?
Edit: The same behavior applies to version 5.1.2, just tried that out today.
Never mind, I found out why Sonar behaves like this!
After creating a measurement, it takes another analysis run to activate the measurements. The 'Manual Measures' dialog of any project tells me that in bold letters: "Pending measures are marked with orange box. Their values will be integrated to project during next analysis.". Maybe my question and answer help others to be faster with this.