I'm using gitlab-ci pipeline, it will run a new docker container with following commands:
mvn --batch-mode verify sonar:sonar
-Dsonar.analysis.mode=preview
-Dsonar.gitlab.project_id=$CI_PROJECT_ID
-Dsonar.gitlab.commit_sha=$CI_COMMIT_SHA
-Dsonar.gitlab.only_issue_from_commit_file=true
-Dsonar.gitlab.ref_name=$CI_COMMIT_REF_NAME
-Dsonar.host.url=xxx
-Dsonar.test.inclusions="/src/test/java/**/*.java"
-Dsonar.login=xxx
It becomes quite slow for my project, almost run for 20mins.
I found it will scan all files instead of only the commited files.
Is there anything wrong with my configurations?
In some past SonarQube versions we changed the preview mode to only scan changed files. But it has some drawback, like not being able to properly detect cross file issues.
In recent SonarQube versions, the preview mode is deprecated in favor of pull request analysis. But even this PR analysis feature is scanning all files, for the same reasons (cross file issues, coverage measures, duplication detections, ...).
We stopped trying to do partial analysis, and are instead trying to optimize full analysis duration. How big is your project? Is SonarQube analysis time long compared to your regular build (compile + tests)? If yes, then I suggest you report you case on the SonarSource community forum.
Related
I have set up SonarQube, Maven and Cobertura to upload unit test coverage at every build run. I want to use the differential views to get coverage for the delta (new code only).
The coverage itself is successfully uploaded, and I can see the delta in lines of code. However, I can't get the "Coverage on new Code" to work.
I tried different values for the leak period, including previous_analysis and previous_version (changing the version from 1.0 to 1.1 in the new analysis). I also used -Dsonar.projectDate to simulate a past date of analysis but still no luck.
Any thoughts?
The key requirement to obtain new_code -related information/metrics is to leverage SonarQube SCM integration. And to benefit from that you have to install a compatible SCM Plugin applicable to your project (e.g. Git Plugin, SVN Plugin etc.).
"Coverage on New Code" is only displayed if you are using/activating SCM support (SVN, Git, ...).
sonar.scm.disabled=false
Adding this sonar.java.binaries=classes directory, most likely target/classes
helped me in fixing this issue. No JaCoCo analysis of project coverage can be done since there is no class files
When I run an incremental analysis on my project through maven, build warner plugin is not called, resulting in an analysis completing successfully even if there are violations.
I have quality gate setup correctly (0 violations) and I have tried configuring sonar sonar.preview.includePlugins with buildwarner plugin in General settings, but without luck - the plugin is still not called in an incremental analysis.
The plugin works correctly with SonarQube 5.1 as it is called in full analysis without problems.
It is the expected behavior. This plugin does not work for incremental analysis for now. But maybe soon. See http://sonarqube.15.x6.nabble.com/Sonarqube-and-Build-Breaker-Plugin-td5034703.html
I've configured sonarqube server on my local machine to run and I committed the initial project with Analysis mode. Also, I created an ant target for the developers to run in incremental mode to view their new issues. I installed issuesReport on sonar server and using it from the ant file to generate html files.
However, when each developer syncs with svn and runs the ant target, they see violations by other developers under the new issues instead of only their issues.
I expected the sonarqube plugin only scan newly edited file by the developer, but is instead showing all the new files that are introduced by other developers.
To make it work properly I have to run an analysis mode from my machine. However this fixes the problem only for me, my colleagues still see all the violations as new.
How does SonarQube decide if an issue is new or not? If each developer has to run a full analysis every time, this would be big over head. Is there something am I missing?
Thanks in advance for your time and help.
An issue is considered "new" if it does not exist on the analysis server. If you run a full analysis on a CI server on a scheduled basis, it will feed the server with issues and reduce the risk of developers seeing other developer's issues in issues report in preview mode.
Please note, that the sonar documentation says, incremental mode is only for the developers and that too for the code they run against sonar prior to scm (SVN or GIT) commit.
See incremental section on the page: http://www.sonarqube.org/analysis-vs-preview-vs-incremental-preview-in-sonarqube/
The sonar report, when run with incremental mode, will show the developer, how much issue will be generated, if he commits the code. This way developer gets to know, what he can do to keep the sonar issues low. This is the whole purpose of incremental mode.
Hope this answers your question!!!
I recently started using SonarQube on my Maven Java Project. The problem is that I modified a single line in a Class which causes Sonar failing to load the project into the database. Why does Sonar know that my project is checked into a SVN and why does mvn sonar:sonar fails with "can not blame XXX on line YYY" if a class is not committed into the SVN?
I am the only one working on this and I dont want to check in every single change or experimental code snipet. How can I turn this feature off?
Thank you!
SCM integration (which detects that your projects uses SVN) allows SonarQube to track changes to source code, e.g to compute coverage on new code, new issues etc.
A standard analysis is supposed to be performed from commited code (e.g by a continuous integration server) to serve as a reference.
In your case, I would advise you to use the incremental mode: this will allow you to perform an analysis on your local code changes, which will not be persisted to the central server, but which will show you which issues your new code introduced/fixed (this is the analysis mode used by the IDE integration plugins).
We are currently using Bamboo for our build tool and one of our stages contains a task to run Sonar analysis.
It works great except for the fact that results are published for both master and feature branches. Of course this means that if we build a branch then results will override the existing ones.
We have looked into Auto Branch in the Sonar task but we don't want a large number of branch projects in Sonar so this is a no-go for us.
How else can we selectively run Sonar analyses depending on the branch? I heard that using a property in our Maven pom.xml could work, I wonder if anyone has an example of that?
I add the -Dsonar.projectVersion=${bamboo.repository.branch.name} at runtime. That adds the branch as the project version.
I am using sonar-runner to execute the sonar analysis so since you're using maven, your mileage may vary - in other words convert that to whatever the maven version of that argument is.
So when I run the sonar-runner task I include that -D argument on the command line. Even running it with maven you should be able to pass it in on the command line. Whatever branch is building that's the one that will show up on the SonarQube dashboard.