How to exclude symbolic execution from SonarQube analysis - sonarqube

During Sonar analysis we have so many exceptions of symbolic execution (described here). As far as I know the rules responsible for symbolic execution are S2259 and S2583, so I created a quality profile that excludes these rules, but we still have exceptions during Sonar analysis.
We use sonar-maven-plugin for the analysis and I tested with both Sonar 6.5 and Sonar 6.7.
How can I exclude symbolic execution from the analysis?

Is your project mapped to use the correct quality profile, or is it still pointing to the default profile?

Related

Configure the Sonar analysis to pick up library/includes

We're analysing arm-altera-eabi-gcc C/C++ code, and the Sonar analysis is not picking up the library includes, as they're in an arm-altera-eabi-gcc specific installation area.
How do we configure the Sonar analysis to pick up the library/includes? (We've tried setting sonar.cfamily.library.directories and sonar.cxx.includeDirectories, but that doesn't seem to have worked.)
Thanks,
Gerald.

Where does SonarQube collect data from?

The other day I was configuring a Jenkins job to run Sonar on my Java project. I had the Sonar and JaCoCo plugins configured in my job. Sonar was throwing some error, for which my sysadmin asked me to remove the JaCoCo plugin configuration from the job. I removed it, and now Sonar is saying it cannot find cobertura.xml.
So I am curious to know: does Sonar do its analysis on an already-run JaCoCo or Cobertura task, or does it run its own coverage analysis?
Short answer: in general, coverage is imported into SonarQube by reading a coverage report generated prior to any work by SonarQube.
Longer answer: historically (read: about two years ago), SonarQube used to try to run the coverage tool for Java. This was a nightmare to maintain for every use case, and as such it is now up to the developers to provide a coverage report to SonarQube, which will only act on that data (linking it to source, computing metrics, displaying it nicely).
In your case, that means you most probably have the cobertura plugin installed on your SQ instance and it is looking for a report to import.

BuildWarner plugin doesn't work in incremental analysis - SonarQube 5.1

When I run an incremental analysis on my project through Maven, the BuildWarner plugin is not called, resulting in an analysis completing successfully even if there are violations.
I have the quality gate set up correctly (0 violations) and I have tried configuring sonar.preview.includePlugins with the BuildWarner plugin in General settings, but without luck: the plugin is still not called in an incremental analysis.
The plugin works correctly with SonarQube 5.1 as it is called in full analysis without problems.
It is the expected behavior. This plugin does not work for incremental analysis for now. But maybe soon. See http://sonarqube.15.x6.nabble.com/Sonarqube-and-Build-Breaker-Plugin-td5034703.html

How can I get SonarQube to analyse test code?

According to the documentation I've found, Sonar will not analyse test code by default. I found some Jira tickets that indicate it should be possible, but nothing with enough information on how to do it.
It's Java code sitting under src/test/java. I use both the Eclipse plugin for local analysis and the sonar-runner plugin for Gradle via a Jenkins job on the CI server, so ideally the solution would support both of those.
Ta,
Andrew
As of SonarQube 4.2, the only way to have some test code analyzed is to activate rules from "PMD Unit Tests" repository inside your quality profile.
Note that these are rules specific to test code (like the existence of at least one assertion). You can't activate "standard" rules on test code yet. You can vote for the following ticket to extend the scope of source analysis: SONAR-3748

SonarQube not picking up Cobertura code coverage

I am analysing a Java project that has been unit tested and for which a Cobertura coverage.xml has been reported. I am using SonarQube 4.1.1 and the latest Sonar Runner. I have successfully imported Cobertura coverage results into Sonar 3.2 with the Ant analyzer, but with this new version I am running into problems. In the new Sonar analysis execution (through Jenkins) I see no reference in the logs that it would have started any Cobertura engine or anything. My settings in the Runner Jenkins project:
sonar.dynamicAnalysis=reuseReports
sonar.java.coveragePlugin=cobertura
sonar.cobertura.reportPath=[mypath]/coverage.xml
sonar.junit.reportsPath=[mypath]/
No mention of Cobertura in the analysis output (except my own property values), and the SonarQube page shows "-" in the coverage report. Unit test results are shown fine.
I have also added all source, bin, and test directories. Any ideas? Thanks.
Update
I wonder if the reason why Cobertura coverage is not reported on the SonarQube page is that in Jenkins my SonarQube project clones (Clone plugin) the workspace from a previous project build? If the coverage.xml file contains static paths, then maybe it goes wrong somehow.
OK, the solution was quite obvious. SonarQube 4.1.1 does not come with Cobertura preinstalled, so I installed it and now it works :) Maybe it was preinstalled in the 3.2 version, I can't remember.
For any "reuse reports" feature in SonarQube (be it for code coverage, test execution or any other third-party tool that generates an intermediate report), the report must be generated based on the same source files (in terms of file system location) as the ones that will be used for the SonarQube analysis. Otherwise the SonarQube plugins won't be able to match paths from the reports with paths of the analyzed sources.
So you guessed it right: cloning the workspace and running the SonarQube analysis on this clone is the reason why the coverage can't be computed.
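A quick way to confirm the path-matching problem described in this answer before running a full analysis, as an added example that is not from the original post: parse the Cobertura coverage.xml and list every class filename that does not resolve to a file under the source roots the SonarQube analysis will use. The sample report, its workspace paths and the source root layout are constructed for the demo.

```python
"""Check that a Cobertura report's file paths resolve under the analysed
source roots. Added example, not from the original post; the report and
workspace paths below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed report: Foo.java is relative to a source root, Bar.java is an
# absolute path left over from a different (cloned) workspace.
SAMPLE_REPORT = """<?xml version="1.0"?>
<coverage line-rate="0.5">
  <sources><source>/var/lib/jenkins/jobs/build/workspace/src/main/java</source></sources>
  <packages><package name="com.example"><classes>
    <class name="com.example.Foo" filename="com/example/Foo.java" line-rate="1.0"/>
    <class name="com.example.Bar" line-rate="0.0"
     filename="/var/lib/jenkins/jobs/build/workspace/src/main/java/com/example/Bar.java"/>
  </classes></package></packages>
</coverage>
"""


def unmatched_files(report_xml, source_roots):
    """Return report filenames that do not resolve to an existing file located
    under one of source_roots (the directories SonarQube will analyse)."""
    root = ET.fromstring(report_xml)
    roots = [os.path.abspath(r) for r in source_roots]
    # Cobertura resolves relative filenames against its own <source> entries,
    # so try those as well as the analysed roots.
    prefixes = roots + [os.path.abspath(s.text) for s in root.iter("source") if s.text]
    missing = []
    for cls in root.iter("class"):
        fname = cls.get("filename")
        candidates = [os.path.abspath(fname)] if os.path.isabs(fname) \
            else [os.path.join(p, fname) for p in prefixes]
        inside = lambda c: any(c.startswith(r + os.sep) for r in roots)
        if not any(os.path.isfile(c) and inside(c) for c in candidates):
            missing.append(fname)
    return missing


def demo():
    """Build a throwaway source root holding only Foo.java and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src", "main", "java")
        os.makedirs(os.path.join(src, "com", "example"))
        with open(os.path.join(src, "com", "example", "Foo.java"), "w") as fh:
            fh.write("class Foo {}\n")
        return unmatched_files(SAMPLE_REPORT, [src])


if __name__ == "__main__":
    print(demo())  # only Bar.java, whose path points at the other workspace
```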
The root cause of this problem is that SonarQube does not support the Cobertura format, and you need the OpenCover or dotCover format. Using reportgenerator is one of the solutions, but it's unnecessarily complicated: you can make the "dotnet test" command return the report in OpenCover format by passing a special parameter and then pick up the OpenCover report.
Use
dotnet test --collect:"XPlat Code Coverage" -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=cobertura,opencover
to get two reports: one in OpenCover format for SonarQube and default Cobertura for Azure DevOps.
Now you can specify the path to OpenCover report in SonarQubePrepare task.
There is also a detailed article on this here.
