SonarLint synchronization with SonarQube - sonarqube

I have read all of the threads about SonarLint not being in sync with SonarQube, but it's just not clicking.
I created a simple Maven project to test SonarLint & SonarQube. I added the sonar-maven-plugin to the project and then ran mvn sonar:sonar.
The project was uploaded to SonarQube. When I looked in SonarQube, I see that it shows squid:S2699 (junit test doesn't have an assertion) as a blocker.
However, in eclipse, there is no such issue shown by SonarLint.
I purposely chose this one as it's not a PMD/FindBugs/Checkstyle issue.
I have verified that squid:S2699 is active on the server. Obviously it is, because SonarQube displayed it.
There is only 1 Quality Profile: SonarWay.
Edit: I am in connected mode.
Does anyone have any idea why?
I am using:
Eclipse Neon.3 Release (4.6.3)
sonar-maven-plugin 3.0.2
maven 3.3.9 (the one embedded in eclipse)
SonarLint 3.2.0.201706271328
SonarQube 6.3 (build 19869)
Here are the screenshots as proof.

It seems your test file is not treated as a test file, but as a source file. I say this based on the kind of errors that are reported (remove unused variable) and the kind of errors that are not reported (no assertions).
As you might know, different rules are applied to sources and tests.
SonarLint decides whether a file is a test file or not based on the Test file regular expressions preference, which you can find in Window / Preferences / SonarLint. The default value is **/*Test.*,**/test/**/*.
This seems to work well in a wide range of cases, and looking at your screenshot, it should work for yours too.
So first of all verify this setting.
If the value is different from the default,
I suggest to change it back to the default as a sanity check.
Then you can tweak the value according to your needs.
It's also good to verify that my theory is correct about SonarLint treating the file as test instead of source, by inspecting the SonarLint Console:
In the Console view, click on the Open Console dropdown, select SonarLint Console
In the Configure logs dropdown enable Verbose output
Trigger an analysis of the test file (make a change and save the file)
You should see output like this:
[
baseDir: ...
workDir: ...
extraProperties: ...
inputFiles: [
/path/to/your/test/SonarProofTest.java [test]
]
]
The [test] at the end of the filename indicates the file is treated as a test file. If it's not there, then the file is treated as a source file.
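To make the test-vs-source decision described above concrete, here is an added example (not code from the answer or from SonarLint) that classifies paths against a comma-separated list of patterns in the form of the default value. It assumes Ant-style glob semantics, where * stays within one path segment and ** spans any number of segments, and that a file matching any pattern in the list is treated as a test file. The sample paths are constructed.

```python
"""Classify files as test or source with SonarLint-style test patterns.

Added example; assumes Ant-style glob semantics ('*' matches within one
path segment, '**' matches any number of segments) and that matching any
pattern in the comma-separated list marks the file as a test file.
"""
import re

# Default value of the "Test file regular expressions" preference.
DEFAULT_TEST_PATTERNS = "**/*Test.*,**/test/**/*"


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate one Ant-style glob into an anchored regular expression."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more whole directory segments
            i += 3
        elif glob.startswith("**", i):
            out.append(".*")         # trailing '**': anything, slashes included
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")      # stays inside a single path segment
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_test_file(path: str, patterns: str = DEFAULT_TEST_PATTERNS) -> bool:
    """True if the (slash-normalised) path matches any pattern in the list."""
    path = path.replace("\\", "/")
    globs = [p.strip() for p in patterns.split(",") if p.strip()]
    return any(glob_to_regex(g).match(path) for g in globs)


def classify(paths, patterns: str = DEFAULT_TEST_PATTERNS) -> dict:
    """Map each path to 'test' or 'source', mirroring the [test] marker."""
    return {p: ("test" if is_test_file(p, patterns) else "source") for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not taken from the question's project.
    sample = [
        "src/test/java/SonarProofTest.java",   # matches both default patterns
        "src/test/java/Helper.java",           # matches only **/test/**/*
        "src/main/java/SonarProof.java",       # matches neither
        "src/main/java/TestUtils.java",        # 'Test' not followed by '.'
        "src/main/java/contest/Foo.java",      # 'contest' is not a 'test' segment
    ]
    for path, kind in classify(sample).items():
        print(f"{path} [{kind}]")
```

Running it with a non-default preference value (the second argument) shows quickly whether a customised pattern still covers your test directory, which is the sanity check the answer recommends.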

Related

Is there a way to ignore Sonar issue "common-java:InsufficientCommentDensity" for whole project?

I'm working on the project, where the developers are trying to write understandable code, so there is no sense in using comments in a lot of places. We have a SonarQube, which is used in other projects and we cannot configure it. All we can do is configure Sonar in our project's POM file. SonarQube is complaining that there are no comments in our code with the rule "common-java:InsufficientCommentDensity". I know that we can ignore some rules using sonar.issue.ignore.multicriteria properties like
<sonar.issue.ignore.multicriteria>junit.assertions.include.messages</sonar.issue.ignore.multicriteria>
<sonar.issue.ignore.multicriteria.junit.assertions.include.messages.ruleKey>squid:S2698</sonar.issue.ignore.multicriteria.junit.assertions.include.messages.ruleKey>
<sonar.issue.ignore.multicriteria.junit.assertions.include.messages.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.junit.assertions.include.messages.resourceKey>
but it's not working with "common-java:InsufficientCommentDensity" rule. Why? And is there a way to ignore this rule in our case?
SonarQube version is 6.7 (build 33306)
Sonar Maven Plugin version is 3.4.0.905
I tested this quite a lot and finally found that setting common rules (anything that starts with "common-xxxx") from the scanner side (pom, command line etc.) will be ignored and won't work. The language-specific rules can be passed as command line arguments and that's why the "squid:S2698" rule is getting ignored correctly. Here is the issue link on the SonarQube JIRA board and it says that it "won't be fixed".
https://jira.sonarsource.com/browse/SONAR-8230
The only option for you is to set the issue exclusion from the UI. Here are the steps to set it from the UI.
If this is a common rule that you want to ignore, then make sure you have admin rights to your project. On the project Dashboard you should see the administration tab:
Click on Administration → General Settings
Click on Analysis Scope on the left hand side
Now set the below property:
Save and run the scan again.
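As an added example (not code from the question, the answer or SonarSource), the script below reads the sonar.issue.ignore.multicriteria properties from a POM snippet and reports which exclusions the scanner will honour. It encodes the answer's finding that rule keys in a "common-" repository are ignored when passed from the scanner side and have to be excluded in the server UI instead; the POM text is constructed for the example and the status labels are this script's own.

```python
"""Report which scanner-side issue exclusions will actually take effect.

Added example. Assumption taken from the answer (SONAR-8230): exclusions
whose rule key lives in a "common-<lang>" repository are ignored by the
scanner and must be configured in the server UI instead.
"""
import xml.etree.ElementTree as ET

PREFIX = "sonar.issue.ignore.multicriteria"

# Constructed POM fragment: one language rule and one common rule.
SAMPLE_POM = """<project>
  <properties>
    <sonar.issue.ignore.multicriteria>junit.assertions,comments</sonar.issue.ignore.multicriteria>
    <sonar.issue.ignore.multicriteria.junit.assertions.ruleKey>squid:S2698</sonar.issue.ignore.multicriteria.junit.assertions.ruleKey>
    <sonar.issue.ignore.multicriteria.junit.assertions.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.junit.assertions.resourceKey>
    <sonar.issue.ignore.multicriteria.comments.ruleKey>common-java:InsufficientCommentDensity</sonar.issue.ignore.multicriteria.comments.ruleKey>
    <sonar.issue.ignore.multicriteria.comments.resourceKey>**/*.java</sonar.issue.ignore.multicriteria.comments.resourceKey>
  </properties>
</project>"""


def properties_from_pom(xml_text: str) -> dict:
    """Collect <properties> children as a flat name -> value dict.

    The tag split strips an XML namespace if the POM declares one.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "properties":
            for child in elem:
                props[child.tag.split("}")[-1]] = (child.text or "").strip()
    return props


def check_exclusions(props: dict) -> list:
    """Resolve each exclusion id to its rule/resource keys and a status.

    status: 'scanner'         - language rule, honoured from the scanner side
            'server-ui-only'  - common-* rule, must be excluded in the UI
            'incomplete'      - ruleKey or resourceKey missing
    """
    ids = [i.strip() for i in props.get(PREFIX, "").split(",") if i.strip()]
    report = []
    for eid in ids:
        rule = props.get(f"{PREFIX}.{eid}.ruleKey", "")
        resource = props.get(f"{PREFIX}.{eid}.resourceKey", "")
        if not rule or not resource:
            status = "incomplete"
        elif rule.split(":", 1)[0].startswith("common-"):
            status = "server-ui-only"
        else:
            status = "scanner"
        report.append({"id": eid, "ruleKey": rule,
                       "resourceKey": resource, "status": status})
    return report


if __name__ == "__main__":
    for entry in check_exclusions(properties_from_pom(SAMPLE_POM)):
        print(f"{entry['id']}: {entry['ruleKey']} on {entry['resourceKey']} -> {entry['status']}")
```

The same check_exclusions function can be fed a dict built from -D command-line flags, since the property names are identical on both paths.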

no bugs being reported from sonar c#

SonarC# 6.7.1 (build 4347)
SonarQube Version 6.7.1 (build 35068)
Quality Profile: Sonar way (outdated copy) because the current Sonar Way quality profile returns nothing at all.
Running the current MSBuild.SonarQube.Runner (SonarQube Scanner for MSBuild 4.0.2.892) only reports Code Smells. No vulnerabilities or bugs are being reported.
Using https://github.com/SonarSource/sonar-scanning-examples - CSharpProject to test. I've added bugs from the quality profile above into the code but they never get reported. I've tried this with other CS projects with the same results.
Are there any known issues reporting vulnerabilities/bugs for C#? Is any additional configuration required to get this information reported back to SonarQube?
This isn't a known issue, and I couldn't reproduce it using the same versions of the scanner, the C# plugin and a clean install of SonarQube 6.7.1.
Analysing the sample project reported one bug (csharpsquid:S2583, Program.cs line 9), and one code smell (csharpsquid:S1118, Program.cs line 4).
Code Smells, Bugs and Vulnerabilities are all handled the same way by the Scanner for MSBuild - they are all just Roslyn issues with different categories applied. No additional configuration is required.
I'm guessing you've migrated from an older version of SonarQube since you have an outdated SonarWay. However, that shouldn't make any difference to how issues are reported. The rules included in the default SonarWay might change between versions, but you've checked for rules you know are in the active QP.
If you haven't already, you could try installing SonarLint for VS and checking it correctly detects the bugs you've injected into the code.
Other options:
the .sonarqube\conf file will contain a ruleset file showing which rules are being executed by the scanner. Check that contains the expected rules.
the bin directory of each project will contain an XXX.RoslynCA.json file containing all of the issues that were detected during the build. Check they contain the expected issues.
check the console logs for errors or warnings. You could also increase the verbosity of the logged output by passing /d:sonar.verbose=true on the command line in the Begin step.

SonarLint plugin in Eclipse not display Error Javadoc

I'm trying to create a method without adding a comment or documentation to it. I expected SonarLint would show errors based on rules, but I don't see any errors or warnings. Why?
The particular rules you're looking for are "common" rules applied at the server. You're not going to see them in SonarLint. But in general:
Out of the box, SonarLint runs with the Sonar way (default) profile. If you want additional rules applied in the IDE, you'll need to:
set up a SonarQube instance (assuming you don't already have one)
configure a Quality Profile to your liking
apply it to your project
connect your project in the IDE to the project on the server
At this point you will see (almost) all the same issues in both places.

Using SonarLint in eclipse

I am trying to learn how to use SonarLint plugin in Eclipse. I downloaded the plugin and I have 4 views in my Eclipse now - SonarLint on the Fly, SonarLint Report, SonarLint Rule Description, SonarQube Servers.
In the SonarLint on the Fly, I am able to see only the JavaScript bugs scanned by SonarQube. Not the Java ones (I have Java rule set in SonarQube server as well). But if I open a Java file, then I am able to view java bugs and errors in this window.
In SonarReport, I have two tabs at the bottom - Current Project and All Projects. When I click on Current Project it scanned the current project and showed me only JavaScript errors but not Java.
So, my question is - Is there any way to see Java errors along with JavaScript? I should be able to view the Java errors throughout my project (without having to open java files and then see the bugs).
If analysis of JavaScript files is working, it should be easy to also have Java files. A few things to check:
For Java analysis to work fine, you should have installed the optional feature "SonarLint For Eclipse Java Configuration Helper"
Java files that are not part of an Eclipse Java project are ignored
Also, in the SonarLint Report view, the two buttons will only analyze changed files (i.e. files that are reported as changed by your SCM), so be sure that you also have some Java files with modifications.
Looking at SonarLint console while enabling verbose + analysis logs may help to understand your issue.

Setting sonar profile together with sonar preview mode on maven command line

I want to use a specific sonar profile with analysis mode preview for generating comments that go into our github pull requests.
The default quality profile for the project includes minor and info level rules which will cause hundreds of extra comments (and literally thousands of github notification emails). So it has to be a quality profile specific to this purpose.
Running the build like this:
mvn sonar:sonar -Dsonar.profile.java=PRComments -Dsonar.analysis.mode=preview
Fails with the following error:
sonar.profile was set to 'PRComments' but didn't match any profile for any language.
The PRComments quality profile exists and works perfectly if I don't specify the preview mode. And yes I know that -Dsonar.profile is deprecated and it makes me sad too.
For info I'm using the sonarqube github plugin http://docs.sonarqube.org/display/PLUG/GitHub+Plugin to push the comments into github - but the failure above appears even if I don't use this plugin. Unfortunately the github plugin doesn't seem to have an option to skip adding comments for violations below a configurable severity level.
Is this possible or do I have to give up?