SonarLint for IntelliJ not showing critical and blocker vulnerabilities - sonarqube

I have enabled the SonarLint plugin in my IntelliJ IDE for capturing code violations during my development. I have connected it to my remote SonarQube server for rule binding.
The plugin captures rules for major and minor issues but is not capturing critical rule violations in my local IDE.
My binding is updated to the latest rules, but critical issues are not getting picked up by the IntelliJ plugin.
I don't know how to fix this on my machine, or should I raise a bug?
EDIT
All critical issues are not getting reported.
SonarQube reports the critical issue below:
An 'int' is expected rather than a String
but in the IntelliJ SonarLint plugin, the above issue is not getting reported.

Related

SonarQube & Roslyn analyzers configuration

I'm trying to configure a whole dev environment with pipelines on Azure DevOps and SonarQube as a static code analyzer.
I added several Roslyn analyzers (StyleCop for instance) and expected to see the issues in SonarQube. Some of them do appear but some don't.
For instance: SA1600 never shows up in Sonar.
I added an .editorconfig file which works fine, as I can switch off some issues. But whatever the parameter is for SA1600, it does not appear.
This is quite uncomfortable as my devs would not have the same issues in VS and in Sonar.
How is it possible to configure Sonar to have the same configuration as in Visual Studio?
Any idea is welcome :)

SonarQube issue status update for external issues

I have issues reported for my project through PMD analysis and am allowing SonarQube to consume the report through external properties.
Now I can see the external issues in the Sonar UI, but I am not able to change the issue status from open to confirmed; there is no dropdown available.
I am using SonarQube version 8.5.1.
Could someone help with how I will be able to change the issue status for these?
See here:
There are a couple of limitations with importing external issues:
you can't manage them within SonarQube; for instance, there is no ability to mark them False Positive.
you can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in Quality Profiles.

No bugs being reported from SonarC#

SonarC# 6.7.1 (build 4347)
SonarQube Version 6.7.1 (build 35068)
Quality Profile: Sonar way (outdated copy), because the current Sonar way quality profile returns nothing at all.
Running the current MSBuild.SonarQube.Runner (SonarQube Scanner for MSBuild 4.0.2.892) only reports Code Smells. No vulnerabilities or bugs are being reported.
Using https://github.com/SonarSource/sonar-scanning-examples - CSharpProject to test. I've added bugs from the quality profile above into the code but they never get reported. I've tried this with other CS projects with the same results.
Are there any known issues reporting vulnerabilities/bugs for C#? Is any additional configuration required to get this information reported back to SonarQube?
This isn't a known issue, and I couldn't reproduce it using the same versions of the scanner, the C# plugin and a clean install of SonarQube 6.7.1.
Analysing the sample project reported one bug (csharpsquid:S2583, Program.cs line 9), and one code smell (csharpsquid:S1118, Program.cs line 4).
Code Smells, Bugs and Vulnerabilities are all handled the same way by the Scanner for MSBuild: they are all just Roslyn issues with different categories applied. No additional configuration is required.
I'm guessing you've migrated from an older version of SonarQube since you have an outdated SonarWay. However, that shouldn't make any difference to how issues are reported. The rules included in the default SonarWay might change between versions, but you've checked for rules you know are in the active QP.
If you haven't already, you could try installing SonarLint for VS and checking it correctly detects the bugs you've injected into the code.
Other options:
the .sonarqube\conf file will contain a ruleset file showing which rules are being executed by the scanner. Check that contains the expected rules.
the bin directory of each project will contain a XXX.RoslynCA.json file containing all of the issues that were detected during the build. Check they contain the expected issues.
check the console logs for errors or warnings. You could also increase the verbosity of the logged output by passing /d:sonar.verbose=true on the command line in the Begin step.
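An added check for the two artifacts the answer lists (not part of the original answer): it reads the scanner's ruleset and a RoslynCA.json error log and reports which expected rule IDs are inactive or never reported. It assumes the ruleset is a Visual Studio .ruleset XML and that RoslynCA.json is a Roslyn SARIF 1.0 error log; both inputs below are constructed samples.

```python
# Added example, not code from the answer or from SonarSource.
# Assumes: .sonarqube\conf ruleset = VS .ruleset XML; RoslynCA.json = SARIF 1.0.
import json
import xml.etree.ElementTree as ET

# Constructed sample ruleset (content is hypothetical).
RULESET_XML = """<RuleSet Name="Rules for SonarQube" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1118" Action="Warning" />
    <Rule Id="S2583" Action="Warning" />
    <Rule Id="S1481" Action="None" />
  </Rules>
</RuleSet>"""

# Constructed sample RoslynCA.json (SARIF 1.0, trimmed to what we need).
ROSLYN_CA_JSON = json.dumps({
    "version": "1.0.0",
    "runs": [{
        "results": [
            {"ruleId": "S2583", "level": "warning", "locations": [
                {"resultFile": {"uri": "file:///C:/src/Program.cs",
                                "region": {"startLine": 9}}}]},
            {"ruleId": "S1118", "level": "warning", "locations": [
                {"resultFile": {"uri": "file:///C:/src/Program.cs",
                                "region": {"startLine": 4}}}]},
        ],
    }],
})

def active_rules(ruleset_xml):
    """Rule IDs the scanner enabled for the compiler (Action other than None)."""
    root = ET.fromstring(ruleset_xml)
    return {r.get("Id") for r in root.iter("Rule") if r.get("Action") != "None"}

def reported_rules(sarif_text):
    """Map rule ID -> sorted list of start lines where the build reported it."""
    hits = {}
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                line = loc.get("resultFile", {}).get("region", {}).get("startLine")
                hits.setdefault(res["ruleId"], []).append(line)
    return {rule: sorted(lines) for rule, lines in hits.items()}

def missing_rules(expected, ruleset_xml, sarif_text):
    """Split expected rule IDs into 'inactive' (not in ruleset) and 'not_reported'."""
    active = active_rules(ruleset_xml)
    reported = set(reported_rules(sarif_text))
    return {"inactive": sorted(set(expected) - active),
            "not_reported": sorted((set(expected) & active) - reported)}

if __name__ == "__main__":
    print(missing_rules(["S2583", "S1118", "S1481"], RULESET_XML, ROSLYN_CA_JSON))
```

Point the two constants at the real files from your build output to see which of the rules you injected never reached the compiler and which ran but found nothing.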

SonarLint plugin in Eclipse not displaying Javadoc errors

I'm trying to create a method without adding a comment or documentation to it. I expected SonarLint would show errors based on the rules, but I don't see any errors or warnings. Why?
The particular rules you're looking for are "common" rules applied at the server. You're not going to see them in SonarLint. But in general:
Out of the box, SonarLint runs with the Sonar way (default) profile. If you want additional rules applied in the IDE, you'll need to:
set up a SonarQube instance (assuming you don't already have one)
configure a Quality Profile to your liking
apply it to your project
connect your project in the IDE to the project on the server
At this point you will see (almost) all the same issues in both places.

BuildWarner plugin doesn't work in incremental analysis - SonarQube 5.1

When I run an incremental analysis on my project through Maven, the Build Warner plugin is not called, resulting in an analysis completing successfully even if there are violations.
I have the quality gate set up correctly (0 violations) and I have tried configuring sonar.preview.includePlugins with the buildwarner plugin in General settings, but without luck; the plugin is still not called in an incremental analysis.
The plugin works correctly with SonarQube 5.1 as it is called in full analysis without problems.
It is the expected behavior. This plugin does not work for incremental analysis for now. But maybe soon. See http://sonarqube.15.x6.nabble.com/Sonarqube-and-Build-Breaker-Plugin-td5034703.html
