SonarCFamily only detects code-smells duplicate code blocks - sonarqube

I'm trying to use SonarScanner with the SonarCFamily plugin on my C codebase on Ubuntu. I see that the scanner is able to only detect "code smells - duplicate blocks of code" in my codebase and no other forms of bugs/vulnerabilities. I intentionally added a memory leak in the code and SonarQube couldn't detect it while the open source SA tool Cppcheck was able to. Am I missing some setting in the sonar-project.properties file? My sonar.properties file is as follows. Are there any settings needed in the server/SonarCFamily plugin for the tool to detect other forms of SA errors?
# must be unique in a given SonarQube instance
sonar.projectKey=c-sa-test
# this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
sonar.projectName=c-sa-test
sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# This property is optional if sonar.modules is set.
sonar.sources=src
# Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8
sonar.host.url=http://localhost:9000
sonar.cfamily.build-wrapper-output=bw_output
sonar.c.file.suffixes=.c,.h
sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp

Found the root cause: I was not providing some elements of the project build process as input to the build wrapper. Once those were added, SonarQ provided a detailed report.

I had the exact same problem where SonarCFamily was only reporting code duplications. It was due to an incorrect build process as input to the build wrapper. In my case, I was using SonarScanner.MSBuild and on my build-wrapper line, I didn't have the Configuration and Platform specified, so my projects were not getting built or scanned. The final working lines were:
SonarScanner.MSBuild.exe begin /k:"your key" /d:sonar.cfamily.build-wrapper-output="bw_output"
build-wrapper-win-x86-64.exe --out-dir bw_output MSBuild.exe your_solution.sln /p:Configuration=Release /p:Platform=x64
SonarScanner.MSBuild.exe end
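Both answers above trace the "duplications only" symptom to a build wrapper that never saw a real compilation. As an added diagnostic (not code from the question, the answers or SonarSource), the script below reads the build wrapper's output and states which of the two failure modes applies; the dump file name `build-wrapper-dump.json`, its `captures`/`cwd`/`cmd` keys and the sample paths are assumptions, and the sample dump is constructed inline.

```python
"""Diagnose a SonarCFamily analysis that reports only duplicated blocks.

Assumption (not taken from the page): the build wrapper writes
<out-dir>/build-wrapper-dump.json with a top-level "captures" list, one entry
per intercepted compiler call, carrying "cwd" and "cmd" (the compiler argv).
CPD (duplication detection) needs no build information, so an empty capture
list still yields duplications and nothing else.
"""
import json
import os
import re
from typing import Dict, List

SOURCE_EXT = re.compile(r"\.(c|cc|cpp|cxx|c\+\+)$", re.IGNORECASE)

# Constructed sample dump: two compiles plus a link step that names no source file.
SAMPLE_DUMP = json.dumps({
    "version": "0",
    "captures": [
        {"compiler": "gcc", "cwd": "/work/c-sa-test", "executable": "/usr/bin/gcc",
         "cmd": ["gcc", "-c", "-O2", "src/main.c", "-o", "build/main.o"]},
        {"compiler": "gcc", "cwd": "/work/c-sa-test", "executable": "/usr/bin/gcc",
         "cmd": ["gcc", "-c", "src/leak.c", "-o", "build/leak.o"]},
        {"compiler": "gcc", "cwd": "/work/c-sa-test", "executable": "/usr/bin/gcc",
         "cmd": ["gcc", "build/main.o", "build/leak.o", "-o", "build/app"]},
    ],
})


def captured_sources(dump_text: str) -> List[str]:
    """Translation units the wrapper intercepted, resolved against each capture's cwd."""
    units = []
    for cap in json.loads(dump_text).get("captures", []):
        for arg in cap.get("cmd", []):
            if SOURCE_EXT.search(arg):
                units.append(os.path.normpath(os.path.join(cap.get("cwd", ""), arg)))
    return units


def diagnose(dump_text: str, sonar_sources: str, project_dir: str) -> Dict[str, object]:
    """Compare captured compiles against sonar.sources and name the likely misconfiguration."""
    units = captured_sources(dump_text)
    roots = [os.path.normpath(os.path.join(project_dir, s.strip())) for s in sonar_sources.split(",")]
    in_scope = [u for u in units if any(u.startswith(r + os.sep) for r in roots)]
    if not units:
        verdict = "no compilations captured: wrap the full clean build, not an incremental no-op"
    elif not in_scope:
        verdict = "compilations captured but none under sonar.sources: check sonar.projectBaseDir"
    else:
        verdict = "ok"
    return {"captured": len(units), "in_scope": len(in_scope), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMP, "src", "/work/c-sa-test"))
```

Run it against the real `bw_output` directory after the wrapped build; a `captured` count of zero means the build wrapper was given a command that compiled nothing, which is exactly the situation both answers describe.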

Related

How to set sonar.projectBaseDir in SonarQube Scanner for Jenkins?

I am trying to analyze one module of a multi-module project in Jenkins with the SonarQube Scanner plug-in (version 2.5). Unfortunately, Jenkins picks the wrong module as the working directory.
In this particular case, I could change the order of the modules, but in general (more than one analyzed module) it is not working. So I want to fix the problem with the property sonar.projectBaseDir, see Advanced SonarQube Scanner Usages:
Alternate Analysis Directory
If the files to be analyzed are not in the directory where the analysis starts from, use the sonar.projectBaseDir property to move analysis to a different directory. E.G. analysis begins from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1.
sonar-project.properties
sonar.projectBaseDir=/home/ftpdrop/cobol/project1
sonar.sources=src
sonar.cobol.copy.directories=/copy
I tried the following ways to set the sonar.projectBaseDir property to the right module (module2 instead of module1):
sonar.projectBaseDir in sonar-project.properties file
But it doesn't work. The property in the sonar-project.properties file is ignored. The log shows that the property is overridden with a JVM option:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dproject.settings=/Users/test/jenkinsslave/workspace/Test/module2/sonar-project.properties -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
I think that is a bug in SonarQube Scanner plug-in, because project.settings is incompatible with sonar.projectBaseDir, see Advanced SonarQube Scanner Usages:
The property project.settings can be used to specify the path to the project configuration file (this option is incompatible with the project.home and sonar.projectBaseDir properties).
sonar.projectBaseDir as JVM Options
But it doesn't work. The property is ignored. The log shows that the property is overridden:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
sonar.projectBaseDir as Additional arguments
But it doesn't work. The log shows that the property is configured twice:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module2 -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
I think that is a bug in the SonarQube Scanner plug-in, because it should not add the sonar.projectBaseDir option if there is already such an option.
I found a solution, I have to add the property sonar.projectBaseDir as Analysis properties.
Configuration:
Log:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=./../module2

No LOC or Bugs picked up by SonarQube runner

I am using sonar-web-frontend-plugin
I have the following sonar-project.properties file which is located at this path
E:\agent2\test\sonar-project.properties
sonar.projectKey=Test
sonar.projectName=Test
sonar.projectVersion=1.0
sonar.sources=src/app
sonar.sourceEncoding=UTF-8
I have my source code in the following location
E:\agent2\test\src\app
My runner is located here
E:\agent2\test\.sonarqube\bin\sonar-scanner-2.8\bin\
and I am running the following in cmd E:\agent2\test>
E:\agent2\test\.sonarqube\bin\sonar-scanner-2.8\bin\sonar-runner -Dproject.settings= E:\agent2\test\sonar-project.properties -X
It is all running fine but no issues are being reported and no LOC are being picked up in the log it says the following
Calculating CPD for 0 Files
So it does not actually seem to analyse anything. I know there are issues because when I run TSLint locally I get issues found.
Your analysis setup looks okay.
It is very likely that you don't have the relevant language plugin installed on your SonarQube instance. Either that, or your code is contained in files with unrecognized extensions.
Each language plugin tells SonarQube scanner "I'm interested in files with these extensions:..."
The fact that the analysis is over "0 Files" indicates that no file extensions were recognized.

Running SonarQube scanner sonar-web-frontend IllegalStateException

I am running the SonarScanner using the sonar-web-frontend-plugin from the command line; it picks up the files and runs, and I get an execution failure:
ERROR: Error during SonarQube Scanner execution
java.lang.IllegalStateException: Report processing did not complete successfully
: FAILED
My sonar-project.properties look like this
# must be unique in a given SonarQube instance
sonar.projectKey=Test.UI
# this is the name displayed in the SonarQube UI
sonar.projectName=Test.UI
sonar.projectVersion=1.0
# Comma-separated paths to directories with sources (required)
sonar.sources=src/app
# exclude some files and folders (typically dependencies)
sonar.exclusions=bower_components/**/*, node_modules/**/*
# Encoding of the source files
sonar.sourceEncoding=UTF-8
You have the Build Breaker plugin installed on your SonarQube instance.
Your project failed its quality gate.
The Build Breaker plugin did its job, and "broke" (returned a non-success status code) your build.
Seems like it was because I had the default JS rules still installed and they can't exist side by side.

How to configure SCM support for MSBuild SonarQube Runner?

I am using SonarQube 5.1 with MSBuild SonarQube Runner for our quality inspection. Currently SCM support is not there although I have already installed TFVC plugin. I get the following log from the analyze process
07:18:22 07:18:22.352 INFO - Sensor SCM Sensor
07:18:22 07:18:22.352 INFO - No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
07:18:22 07:18:22.352 INFO - Sensor SCM Sensor (done) | time=0ms
Then I set the following properties in the general "sonar.properties" file located in the \sonarqube-5.1.2\conf folder (which I might be doing wrong):
sonar.scm.enabled=true
sonar.scm.provider=tfvc
sonar.tfvc.username=myTFSusername
sonar.tfvc.password.secured=myTFSpassword
I guess these properties should be set in the "sonar-project.properties" file and passed at the time of analysis (correct me if I am wrong). But the problem is since I am using MSBuild SonarQube Runner, sonar-project.properties file is not used anymore and the project properties are passed at the analysis time. If that is the case how should I pass them in?
I searched a lot but could not find a proper solution in this manner and I'd be very glad if someone could help.
Thanks in advance.
Additional properties are passed to the MSBuild SonarQube Runner during its begin phase using the following syntax: /d:key=value.
So, you can pass all of them:
MSBuild.SonarQube.Runner begin /k:... /n:... /v:... /d:sonar.scm.enabled=true /d:sonar.scm.provider=tfvc /d:sonar.tfvc.username=... /d:sonar.tfvc.password.secured=....
Auto-detection of the SCM will work if there is a $tf at the "project base dir" level. That directory is computed as the first ancestor path common to all your *.csproj files. You can see its value following the file generated during the end phase: .sonarqube\out\sonar-project.properties. Look for the sonar.projectBaseDir property value near the end of the file. See https://jira.sonarsource.com/browse/SONARMSBRU-8 for details.

How to make sonar analysis for C++ work?

I'm trying to use sonar for static analysis on C++ code. I've installed sonar and configured my project (it appears on the localhost sonar page, but I do not see any code violation for the respective code). I have the C++ community plugin installed.
My sonar-project.properties looks like this:
# required metadata
sonar.projectKey=DiceInvaders
sonar.projectName=Dice Invaders
sonar.projectVersion=1.0
# optional description
sonar.projectDescription=DiceInvaders by CS
# path to source directories (required)
sonar.sources=D:\\DiceInvaders\\Code
# path to test source directories (optional)
#sonar.tests=D:\\DiceInvaders\\Code
# path to project binaries (optional), for example directory of Java bytecode
#sonar.binaries=binDir
# optional comma-separated list of paths to libraries. Only path to JAR file is supported.
#sonar.libraries=path/to/library/*.jar,path/to/specific/library/myLibrary.jar,parent/*/*.jar
# The value of the property must be the key of the language.
sonar.language=c++
sonar.exclusions=**/*.ipch, **/**/*.rc
sonar.cxx.cppcheck.path = "C:\Program Files (x86)\Cppcheck\cppcheck.exe"
sonar.cxx.cppcheck.reportPath="D:\DiceInvaders\Code\cppcheck-reports\cppcheck.xml"
# Additional parameters
#sonar.my.property=value
I do not get any error when running sonar-runner from cmd.
If I run the cppcheck.exe tool manually on my project I can find violations. Why don't the violations appear on sonar's page?
Is there something else I should configure, am I doing something wrong?
I was able to make it work by running the cppcheck tool independently before sonar-runner, and placing the generated xml report in the bin folder of sonar-runner.
In the sonar-project.properties file I've specified the xml directly:
sonar.cxx.cppcheck.reportPath=cppcheck-result-1.xml
I had a similar problem, which was caused by a whitespace after 'sonar.language=cs'. Be sure that there is a linebreak immediately after 'cxx'. Hope it works.
The language key of the Sonar C++ Community plugin is not 'c++' but 'cxx'. See http://docs.codehaus.org/pages/viewpage.action?pageId=185073817.
So you must replace 'sonar.language=c++' by 'sonar.language=cxx'
