How can I run all sonar rules on intellij - sonarqube

We are using SonarQube version 6.7. I would like to execute all Sonar bug and vulnerability Java rules with blocker and critical severity locally in my IntelliJ IDEA. I want to run these rules on multiple IDEA projects that are configured in my IDE.
I have installed the SonarLint plugin (version 3.2) and configured it to bind to the Sonar server. On running the analysis from the "Project Files" tab I get errors for all iml files such as:
"File 'feature.iml' can't be analyzed. Skipping:
F:/modules/feature.iml"
My goal is to identify all sonar rules that are failing on my projects so that I can activate them on the sonar server for periodic runs as part of CI. To get started I thought of starting with blocker and critical vulnerabilities.
Could someone guide me on this?

You should activate all rules with the desired severity in the quality profile assigned to your project in SonarQube. Then you can bind your project in IntelliJ to the project in SonarQube. SonarLint will use the same quality profile.
About the iml files, it's not an error. SonarLint will exclude from analysis certain files that don't make sense to analyze, such as binary files.
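The answer above points at the quality profile: SonarLint in connected mode runs whatever the bound profile activates, so the practical first step is to enumerate the rules that profile still needs. The following Python script is an added example (not from the question, the answer, or SonarSource) that pages through the documented SonarQube Web API endpoint api/rules/search for Java BUG/VULNERABILITY rules of severity BLOCKER or CRITICAL, optionally restricted to rules not yet active in a given quality profile. The server URL, the token and the canned responses are placeholders constructed for the demonstration.

```python
import base64
import json
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

SEARCH_PATH = "/api/rules/search"   # SonarQube Web API, paged (ps is capped at 500)
WANTED_SEVERITIES = ("BLOCKER", "CRITICAL")
WANTED_TYPES = ("BUG", "VULNERABILITY")


def build_search_query(page: int, page_size: int = 500, language: str = "java",
                       qprofile: Optional[str] = None) -> str:
    """Path + query string for one page of matching rules.

    With a quality-profile key, only rules NOT yet active in that profile are
    requested (activation=false), i.e. exactly the ones still to be activated.
    """
    params = {
        "languages": language,
        "severities": ",".join(WANTED_SEVERITIES),
        "types": ",".join(WANTED_TYPES),
        "p": page,
        "ps": page_size,
    }
    if qprofile:
        params["qprofile"] = qprofile
        params["activation"] = "false"
    return SEARCH_PATH + "?" + urlencode(params)


def collect_rule_keys(fetch: Callable[[str], dict], page_size: int = 500,
                      qprofile: Optional[str] = None) -> List[str]:
    """Walk every result page and return the matching rule keys.

    `fetch` maps a path+query to the decoded JSON body, so the paging logic
    can be exercised offline with canned responses (see sample_fetch).
    """
    keys: List[str] = []
    page = 1
    while True:
        body = fetch(build_search_query(page, page_size, qprofile=qprofile))
        rules = body.get("rules", [])
        for rule in rules:
            # Re-check the server-side filter here so a misconfigured query
            # never silently widens the list of rules to activate.
            if rule.get("severity") in WANTED_SEVERITIES and rule.get("type") in WANTED_TYPES:
                keys.append(rule["key"])
        fetched = page * body.get("ps", page_size)
        if not rules or fetched >= body.get("total", 0):
            break
        page += 1
    return keys


def http_fetch(base_url: str, token: str) -> Callable[[str], dict]:
    """Fetcher for a real server: SonarQube accepts a user token as the
    Basic-auth user name with an empty password."""
    cred = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(path: str) -> dict:
        req = Request(base_url.rstrip("/") + path)
        req.add_header("Authorization", "Basic " + cred)
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


# Constructed sample: three matching rules spread over two pages of size 2.
# The rule keys and counts are made up for this demonstration.
SAMPLE_PAGES: Dict[int, dict] = {
    1: {"total": 3, "p": 1, "ps": 2, "rules": [
        {"key": "sample:R001", "severity": "BLOCKER", "type": "BUG"},
        {"key": "sample:R002", "severity": "CRITICAL", "type": "VULNERABILITY"},
    ]},
    2: {"total": 3, "p": 2, "ps": 2, "rules": [
        {"key": "sample:R003", "severity": "CRITICAL", "type": "BUG"},
    ]},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for http_fetch: serves the canned page named by p=."""
    page = int(parse_qs(urlparse(path).query)["p"][0])
    return SAMPLE_PAGES[page]


if __name__ == "__main__":
    # Against a real server (placeholder URL/token):
    #   collect_rule_keys(http_fetch("http://localhost:9000", "YOUR_TOKEN"), qprofile="PROFILE_KEY")
    for key in collect_rule_keys(sample_fetch, page_size=2):
        print(key)
```

The returned keys are what you then activate in the profile bound to the IntelliJ projects; once the profile changes, SonarLint picks the new rule set up on its next server sync, and the CI scanner runs the same profile.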

Related

If SonarLint is integrated with SonarQube, are the rules taken from SonarQube?

I have integrated SonarLint with SonarQube. In my Eclipse I can see the issues after analysis.
I wanted to know whether the rules are taken from SonarQube or not.
It depends on whether or not you have bound to the SonarQube server.
You can check this by right-clicking on the project => SonarLint => Bind to a SonarQube project.
If you bind to it then the rules will be taken from SonarQube.

Ignoring Code Smell Violations in SonarLint for Visual Studio C#

I have installed the SonarLint extension for Visual Studio 2019, and according to the project I am working on it is not required to fix the code smell violations.
So is there a way that I can ignore the code smell violations using SonarLint in VS2019?
Please note that we are using SonarLint in connected mode with a SonarQube server.
Connected mode is designed to configure the IDE to use the same set of rules as are configured in your Quality Profile on the SonarQube server, so if the code smell rules are part of your Quality Profile then they will be enabled in the IDE too.
If you don't want to see those issues reported in the IDE then you could either remove those rules from the Quality Profile, or use standalone mode and configure the set of rules to run locally as described here.
After doing some tweaks in Visual Studio I was able to add the Category column to the Sonar output window and, using it, filter out the Sonar issues other than code smells.

Configuring Sonar Qube and Sonar Scanner for code analysis

We will be using SonarQube for code analysis and reviews.
How do I get my Visual Studio projects visible on the Sonar dashboard?
Any leads regarding this will be appreciated.
Thanks.
To get your projects into SonarQube, you'll need to analyze them.
Since you're dealing with Visual Studio projects, take a look at the SonarQube Scanner for MSBuild (once you've set up your SonarQube instance, that is).

Code analysis changes if SonarQube full analysis report enabled in VSTS

I've been setting up SonarQube analysis for one of our builds in VSTS, and I've noticed that there's a difference in the code analysis / build warnings if the advanced option "include full analysis report in build summary" is enabled in VSTS.
We have a custom ruleset enabled for our local builds in Visual Studio, which combines Microsoft CodeAnalysis warnings and StyleCop analyzers. When we run the build in VSTS with the full analysis report setting enabled, these warnings don't show up, and only the SonarQube warnings are displayed. I thought this was expected for all builds using SonarQube, as mentioned here in the link below.
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Extension+for+VSTS-TFS#AnalyzingwithSonarQubeExtensionforVSTS-TFS-Note
However, if we disable this setting, we get additional SonarQube warnings, but the Microsoft and StyleCop warnings also show up.
Can anyone explain why the two behaviors are different? Ideally, we'd like warnings from Microsoft, StyleCop and SonarQube to show up, AND for the build to include the full analysis report - is there any way to do this?
I'm using SonarQube v6.7.1.35068, SonarC# v6.7.1 (build 4347), and v3.* of the VSTS SonarQube task.
The Include full analysis report in the build summary setting doesn't change the ruleset or analyzers that are run during the analysis. All it does is cause the End task to poll the SonarQube server until the server-side part of the analysis has completed so that it can show the final analysis results on the VSTS build summary page.
To work out what is different between the builds you could try enabling more verbose logging:
for SonarQube, set the Additional Settings property of the VSTS Begin task to /d:sonar.verbose=true
for VSTS, set the system.debug build variable to true
You're right, the Begin task does limit the analyzers and rules that are run to those that are configured on the SonarQube server.
To have the Microsoft FxCop rules run as part of the analysis run you would install the FxCop plugin for SonarQube and include its rules in your Quality Profile.
To run the StyleCop rules (assuming you're using the new Roslyn-based StyleCop analyzers) you would first have to create a SonarQube plugin for it using the SonarQube Roslyn SDK, then install the plugin and add the rules to the Quality Profile.
First, the Include full analysis report in build summary setting shouldn't affect the result in the Issues section of the build summary; it is used to upload the report to the build summary and the result will be shown at the bottom of the build summary (below the Work items linked to associated changes section).
Secondly, the Issues section of the build summary can't show all analysis results, just part of them.
You can upload the result files to the build through a Logging Command (e.g. Write-Host "##vso[task.addattachment type=Distributedtask.Core.Summary;name=testsummaryname;]c:\testsummary.md") and it will show at the bottom of the build summary (the SonarQube task uses this way too).

SonarLint issues shown in Eclipse, not in the bound SonarQube project

I installed SonarLint 6.6 for Eclipse (Neon) using the Eclipse Marketplace.
It successfully scanned my Java project and returned 4725 items found.
I bound the project to the SonarQube server which is installed on the same PC.
After analyzing the project again, I clicked "update all project bindings" at the SonarQube server in Eclipse to sync the results to SonarQube.
My questions:
1) How can I sync the analyzed results to my server?
2) Is there any tool to categorize the analyzed results, such as by severity, as I am only interested in "BUG"?
3) How can I configure the rules of SonarLint in the Eclipse environment?
May I have your help? Many thanks!
1) How can I sync the analyzed results to my server?
To analyze your project and see the result on SonarQube, you need to use one of the scanners. For example, if you build your project with Maven, then you can use the scanner for Maven. Or if you build your project with Ant or Gradle, there is a dedicated scanner for those too (as I linked). If you don't use any build tool, then you can use the scanner for CLI.
2) Is there any tool to categorize the analyzed results, such as by severity, as I am only interested in "BUG"?
I'm not aware of such a tool. And, at the time of this writing, the SonarLint On-The-Fly view is not configurable to do this (unlike the "native" Problems view of Eclipse). (This might be a good idea for a future improvement, if there's enough interest in it.)
3) How can I configure the rules of SonarLint in the Eclipse environment?
It seems your project is bound to a project on SonarQube.
You can configure this on SonarQube.
In SonarQube, each project is associated with a quality profile.
After you configure which rules to include, you can update the bindings in Eclipse to apply the same configuration to SonarLint in Eclipse.