SonarQube showing wrong information from clearcase "Blame" - sonarqube

I configured a project in SONAR (6.1) to run from Jenkins and configured it to use ClearCase as SCM.
sonar.scm.provider=clearcase
And our ClearCase is configured to use Local and Tst streams.
Now when I check out and check in any changes into the Local stream for the first time, it creates a new branch for the changes.
When I checked the ClearCase annotate (blame) information, it shows up correctly. But in SONAR it is shown incorrectly.
Here is the information from annotate
0 sgadey01 \main\FW_3.0.0.0_TST\FW_3.1.2.0_TST\FW_3.1.2.0_LOCAL\1 | | System.out.println("testing");
and the information from SONAR, as in the link below, with user bdiaz:
https://s28.postimg.org/8m8l921rh/sonarerror.png
Is there any known limitation with Sonar? For the CVS plugin, they mention in the limitations that the revision has to be passed manually (https://github.com/SonarSource/sonar-scm-cvs).
Thanks
sandy

The SonarQube ClearCase SCM Provider simply runs cleartool annotate from the command line and parses the output (see https://github.com/SonarQubeCommunity/sonar-scm-clearcase/blob/master/src/main/java/org/sonar/plugins/scm/clearcase/ClearCaseBlameCommand.java), so I'm really surprised you get different results.
You can try to restart the analysis and force the SonarQube scanner to collect blame again (there is a cache to avoid computing blame on files whose content was not changed compared to the previous analysis):
sonar-scanner -Dsonar.scm.forceReloadAll=true

Related

Sonar scanner - Source not in SCM - assign new issues

Using SonarQube 5.6.6 to scan source not managed with an SCM (like Git or SVN).
But with our "in-house" tool, we know who made the last changes (similar to the last committer in Git or SVN).
Is it possible, in the Sonar properties file used to run the analysis, to give the name of the developer (the same as in Sonar) who changed the source, so that new issues are automatically assigned?
I did find the information here: https://docs.sonarqube.org/display/SONAR/Analysis+Parameters.
You cannot do this by specifying any parameters. You have to create your own SCM provider and next add a parameter to SonarScanner:
-Dsonar.scm.provider=custom-id
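A sketch of what such a provider can look like, as an added example that is not part of the original answer or of any SonarQube plugin. It extends the `ScmProvider` and `BlameCommand` classes from `org.sonar.api.batch.scm`; the `.inhouse-scm` index file and its `relativePath=author|revision|epochMillis` format are hypothetical stand-ins for whatever the in-house tool can export, and the class still has to be registered as an extension by a plugin.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Properties;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.scm.BlameCommand;
import org.sonar.api.batch.scm.BlameLine;
import org.sonar.api.batch.scm.ScmProvider;

public class CustomScmProvider extends ScmProvider {
  // Hypothetical index exported by the in-house tool: relativePath=author|revision|epochMillis
  static final String INDEX = ".inhouse-scm";

  // The value passed as -Dsonar.scm.provider
  @Override public String key() { return "custom-id"; }

  @Override public boolean supports(File baseDir) { return new File(baseDir, INDEX).isFile(); }

  @Override public BlameCommand blameCommand() { return new InHouseBlame(); }

  static class InHouseBlame extends BlameCommand {
    @Override public void blame(BlameInput input, BlameOutput output) {
      Properties index = new Properties();
      try (InputStream in = new FileInputStream(new File(input.fileSystem().baseDir(), INDEX))) {
        index.load(in);
      } catch (IOException e) {
        throw new IllegalStateException("Cannot read " + INDEX, e);
      }
      for (InputFile file : input.filesToBlame()) {
        String entry = index.getProperty(file.relativePath());
        if (entry == null) continue;   // file unknown to the tool: report nothing, do not guess
        String[] f = entry.split("\\|");
        if (f.length != 3) continue;   // malformed entry: skip it
        // The tool only knows the last modifier, so every line gets the same blame record.
        List<BlameLine> lines = new ArrayList<>();
        for (int i = 0; i < file.lines(); i++) {
          lines.add(new BlameLine().author(f[0]).revision(f[1]).date(new Date(Long.parseLong(f[2]))));
        }
        output.blameResult(file, lines);
      }
    }
  }
}
```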

SonarQube preview mode for pull request shows all issues instead of diff

We'd like to have code analysis results from SonarQube in Stash pull requests, more precisely only for the changed/added code.
The setup looks like this:
Atlassian Bitbucket v4.14.4
Jenkins ver. 2.69
SonarQube Version 6.4 (with sonar-stash plugin from https://github.com/AmadeusITGroup/sonar-stash)
Jenkins fetches changes in branches and builds them. Depending on the branch it will then (for the development branch) call SonarQube to (per default) publish its analysis. For pull requests we want a preview, so SonarQube is called with the parameter -Dsonar.analysis.mode=preview. Additional parameters for the sonar-stash plugin are working so that the analysis result is sent to Stash (Bitbucket) from SonarQube. The problem is that the results contain all issues/bugs/violations based on the complete source code, not on the changes.
Narrowed this issue down to a problem that the sonar-stash plugin uses a list of issues which are filtered to contain only those issues that are new and linked to a file. So it looks like all issues are marked as new which is strange because in SonarQube we have a baseline for our known (legacy) issues.
Thanks for your time and feedback!
I had a pretty similar issue, my resolution is outlined in the answers below.
My SonarQube Pull Request Issues only question

Sonar preview mode all new issues

I am trying to run SonarQube using Sonar Runner on a local dev box for a pre-commit check. We have a central SonarQube server where an analysis is done every day and published to the dashboard. When we are running on the local dev box, every time the issue report contains all the issues as new, hence incremental data is not available. I have also tried both incremental and preview mode but the result is the same.
Please find below the versions of the tools used, and also the configuration files. Please let me know if some other data is required.
SonarQube version : 5.1
Sonar Runner version : 2.4
sonar-runner.properties
sonar.host.url=http://[central sonar server]:9000/
sonar.issuesReport.html.enable=true
sonar.login=admin
sonar.password=admin
sonar-project.properties
sonar.projectKey=myProj:myProj-master
sonar.projectName=MASTER_PROJECT
sonar.projectVersion=21.0
sonar.sources=./src
sonar.binaries=./bin/
sonar.issuesReport.html.enable=true
sonar.exclusions=com/**/test/*.java
sonar.skipPackageDesign=true
sonar.profile=SonarWay
sonar.preview.excludePlugins=devcockpit,buildstability,pdfreport,report,buildbreaker,views,jira,issueassign,scmstats
Command Used :
c:\sonar-runner-dist-2.4\sonar-runner-2.4\bin\sonar-runner -e -Dsonar.analysis.mode=preview -Dsonar.issuesReport.console.enable=true -Dsonar.issuesReport.html.enable=true
Updated with additional properties tried as well. in sonar-runner.properties
I believe your problem is tied directly to your use of a local server.
The purpose of preview analysis is to allow you to compare your local changes with what's on the remote SonarQube server. Since your remote server is updated every night, running your preview against it will show you the issues you've introduced that day. Instead, you're running against a local instance which gets updated with a full analysis... never? Which (if true) would be why all your issues show up as new.
To execute a preview analysis against your remote server, you will need both the global Execute Preview Analysis permission and the project-level Browse permission for the project in question.
If for some reason you're unable to get those permissions (which is possibly why you're running a local SonarQube server?), then you'll want to do the same full checkout and analysis locally every night that's being done for the official, remote server. I.e. you'll probably have to set up a second, parallel architecture. In short, it's probably easier in the long run to nag to get the appropriate permissions on the remote server.
Issue is resolved. 2 things fixed the issue:
Creating a user with the required permissions.
Installing "Issues Report" plugin

Can't see line based SCM blame information in Sonar

I am currently trying the SCM blame feature in the latest (5.1.2) SonarQube. My problem is that the retrieved blame shows only the latest commit for the entire file. This means that one user is responsible for the entire file. According to the documentation it should be possible to have line-based SCM info: each line with commit ID, date and user.
We are using Perforce for SCM.
In TeamCity, it is set up as a Maven build step with the following parameters:
-Dsonar.jdbc.url=%system.sonar.staging.jdbc.url%
-Dsonar.jdbc.driverClassName=net.sourceforge.jtds.jdbc.Driver
-Dsonar.jdbc.dialect=postgresql
-Dsonar.jdbc.username=%system.sonar.staging.jdbc.username%
-Dsonar.jdbc.password=%system.sonar.staging.jdbc.password%
-Dsonar.host.url=%system.sonar.staging.host.url%
-Dsonar.scm.forceReloadAll=true
-Dsonar.perforce.port=%vcsroot.port%
-Dsonar.perforce.username=%vcsroot.user%
-Dsonar.perforce.password.secured=%vcsroot.user%
-Dsonar.scm.provider=perforce
-Dsonar.perforce.clientName=%env.P4Workaround%
-Dmaven.scm.perforce.clientspec.name=%env.P4Workaround%d%
Do I need to adjust something, or might this be a bug in SonarQube?
What is the version of the SonarQube Perforce plugin you are using? This issue should have been fixed in version 1.2. But you may have to analyze the project from scratch to see the changes (delete the project in the UI, then do a new analysis).

Sonar - Failure because Class is not committed in svn?

I recently started using SonarQube on my Maven Java project. The problem is that I modified a single line in a class, which causes Sonar to fail to load the project into the database. Why does Sonar know that my project is checked into SVN, and why does mvn sonar:sonar fail with "can not blame XXX on line YYY" if a class is not committed into SVN?
I am the only one working on this and I don't want to check in every single change or experimental code snippet. How can I turn this feature off?
Thank you!
SCM integration (which detects that your project uses SVN) allows SonarQube to track changes to source code, e.g. to compute coverage on new code, new issues etc.
A standard analysis is supposed to be performed from committed code (e.g. by a continuous integration server) to serve as a reference.
In your case, I would advise you to use the incremental mode: this will allow you to perform an analysis on your local code changes, which will not be persisted to the central server, but which will show you which issues your new code introduced/fixed (this is the analysis mode used by the IDE integration plugins).
