sleroy SonarEsLintPlugin EsLint Custom Rules - sonarqube

I am using sleroy/SonarEsLintPlugin plugin to integrate eslint with sonarqube v6.7.2. I have these three other eslint plugins that I want to integrate into sonarqube v.6.7.2.
A. redux-saga
B. react
C. jsx-a11y
and below is my sonar-project.propeties file:
sonar.projectKey=abc
sonar.projectName=xyz
sonar.projectVersion=0.0.0.1
sonar.sources=app/
sonar.exclusions= app/utils/**/*,
sonar.language=js
sonar.javascript.file.suffixes=.js,.jsx
sonar.profile=ReactJs
sonar.eslint.eslintpath=node_modules/eslint/bin/eslint.js
sonar.eslint.eslintconfigpath=package.json
sonar.eslint.eslintrulesdir=react,redux-saga,jsx-a11y
sonar.sourceEncoding=UTF-8
sonar.login=pqr
sonar.password=jkl
These three plugins rules are specified on eslint-rules.properties file and it is showing these rules on sonarqube also.
but the problem here is that sonarqube is not generating any report related to these three rules even I have intentionally made a mistake.
can anyine please check whether I have specified "sonar.eslint.eslintrulesdir" path right or I am missing something.
Please help me with this I am into this issue since past 3 days.

Related

How to prevent SonarQube not check specific vulnerability

I have some code that want to SonarQube not check this vulnerability while every deployment.
Any method for add rule for not check X type vulnerability with some error text ?
I found an answer and want to inform for who need answer
https://sqa.stackexchange.com/questions/24734/how-to-deactivate-a-rule-in-sonarqube
Need to copy existing SonarQube built-in profile and deactivate/add new rule in new profile,
after that go to project settings and change Quality Profile.

Add java rules in sonarqube

I want to add customized java rules in sonarqube. I have googled it and found that we need to make a pluggin for that. But can't find any proper link describing to make the rule. Any help would be appreciable.
You can follow "Writing Custom Java Rules 101", which describes how to make a sonar-packaging-maven-plugin artifact.
When implementing a rule, there is always a minimum of 3 distinct files to create:
A test file, which contains Java code used as input data for testing the rule
A test class, which contains the rule's unit test
A rule class, which contains the implementation of the rule.
As mentioned in "Custom Rules for Java", To go further, you can explore a sample plugin containing other custom rules.
This project can be browsed or downloaded.

Sonar Gerrit plugin not reporting results

We utilize the pipeline and after the build completes successfully we are running the following:
bat "mvn sonar:sonar -B -s ${buildSettings} -Dsonar.analysis.mode=preview -Dsonar.skipDesign=true -Dsonar.report.export.path=sonar-report.json"
sonarToGerrit(severity: 'Major', postScore: true, category: 'Code-Review', newIssuesOnly: true, issuesScore: '0', noIssuesScore: '0', changedLinesOnly: true)
The below build log shows that it found a good number of issues but yet the issues to be commented is 0.
Build log
Other posts suggest that it may not be finding the report but I don't believe it's the case as it found a number of issues. Any pipeline configuration advice would be much appreciated.
We are using Sonar Gerrit plugin version 2.2.1, Gerrit Trigger 2.27.3 and Jenkins Enterprise version is 2.60.3.1.
The most common case regarding to your question is related to the fact that SonarQube checks the whole project, regardless of amount of changes that were done in particular change. When creating a new report, it compares a result with a result that is stored to it's database (with previously found issues that were found in a mode other than preview). Thus sonar marks as new all the issues that it was not aware about before (and if you don't store this information in SonarQube at all - all the issues will be marked as new). But sonar-gerrit plugin can only post issues to the files that were affected by the change it is verifying. So, even if you set to "false" the settings "newIssuesOnly" and "changedLinesOnly", all the issues in files not affected by the change will be ignored.
Shortly, check that the issues marked with "isNew"="true" in your sonar report were actually changed (for changedLinesOnly=true) or located in the changed files (for changedLinesOnly = false) in the commit you are trying to check.
Another possible reason is the project configuration settings. If your files are part of a submodule, you'll need to include the submodule name to project base directories set. Or you may want to try a feature "allow auto match" instead. The feature tries to match SonarQube modules to Gerrit names automatically (available since 2.1).
Not related to your question advises regarding your pipeline code:
At the moment settings recognition for severity (and other enum values) is case-sensitive. In fact, the plugin ignores your "Major" setting as it cannot recognize it, and replaces it with default "INFO" value.
Another thing, I don't see why do you set your "postScore" to true as you set "issuesScore" = 0 and "noIssuesScore"=0. You can just set postScore=false and skip these settings along with "category" for sake of simplicity.
Also, if you use the version of plugin above 2.0, be aware that API has slightly changed and now uses the next structure:
sonarToGerrit (
reviewConfig: [
issueFilterConfig: [
severity: 'MAJOR',
newIssuesOnly: false,
changedLinesOnly: false
],
noIssuesTitleTemplate: 'Your text here',
someIssuesTitleTemplate: 'Your text here',
issueCommentTemplate: 'Your text here'
]
)
Though your code should also work (plugin does support previous versions), there is a bigger chance that there may be a bug.
I am also facing the same issue with Sonar-Gerrit jenkins plugin. Downloaded it from Jenkins plugins site.Using Sonar-Gerrit plugin 2.2.1, and analysing sonar scan against jenkins workspace.
For a sample,have changed just one file and provided the project base directory to the path of that file, and ran the sonar analysis in issues mode.
Issues are not loaded in Gerrit with logs
Report has loaded and contains 759 issues
Issues to be commented: 0
Issues to be involved in score calculation: 0
Review has been sent

How to delete an issue from SonarQube interface

I have a web app project where the quality is measured under sonarqube.
As i'm dealing with an external code within my project files
Recently i have had some issues appearing due to that exetrnal code and which i'm not focusing on its quality :
So i wanna just delete the issue to appear from my sonar dashboard (which looks like the following):
The solutions that i have had where not really usefull , as :
i was suggested to change the level of the rule itself from "issue" to "info" :
And of course that seems to be not usefful because , i won't affect the rule itself
the second suggestion was to use the :
#SuppressWarnings decorator in my blocks of code where the issues appeared ; : for example use it under classes or methods or even fields
-> this method results in adding some code to my extarnal code and that won't be also good as i'm not even having the permission to do it.
I wanna just the simpliest solution to delete the issue from the sonar dashboard , just suppress it from the SonarQube interface , strangely it seems that there is no a direct way to do it :
Any better ideas ??
The easiest way is excluding external code from the report with narrowing the focus feature.
Just add to your sonar-project.properties file path pattern to exclusion, for example
# Exclude all classes ending by "Bean"
# Matches org/sonar.api/MyBean.java, org/sonar/util/MyOtherBean.java, org/sonar/util/MyDTO.java, etc.
sonar.exclusions=**/*Bean.java,**/*DTO.java
# Exclude all classes in the "src/main/java/org/sonar" directory
# Matches src/main/java/org/sonar/MyClass.java, src/main/java/org/sonar/MyOtherClass.java
# But does not match src/main/java/org/sonar/util/MyClassUtil.java
sonar.exclusions=src/main/java/org/sonar/*
If you're not interested some issues because it's not your code, then you should not have SonarQube analyze that code. According to the SonarQube documention:
We recommend that you exclude generated code, source code from
libraries, etc.
You should check in particular the following settings in the same documentation page:
sonar.sources
sonar.exclusions
These settings will be taken into account the next time you run an analysis.

How do I import existing phpcodesniffer results into sonar?

I'm starting out with Sonar. We've got about 10 custom sniffs in our own standard for PHP_Codesniffer and are using a subset of various sniffs of other standards. PHP_Codesniffer works like a charm and generates a report in Checkstyle format.
How can I get Sonar5.1 to import this codesniffer-results-in-checkstyle-format.xml file?
I heard this was possible in older versions of the PHP plugin, but I'm not sure if that relates to a ruleset.xml or to the actual results of the run.
It's no longer possible to import external rules from tools like CodeSniffer, PHPDepend, ... The PHP Plugin rely now exclusively on SonarQube Rules Engine as it is mentioned here : http://docs.sonarqube.org/display/PLUG/PHP+Plugin and it provides out of the box 110 predefined rules.
You can write as of now custom rules unless you customize directly the PHP Plugin.
If some rules are missing, you are more than welcome to share with us your suggestions.

Resources