We are using the SonarQube Scanner for MSBuild and the default SonarQube Scanner through Jenkins in our project. The two scanners are executed from different Jenkins jobs: one job for .NET code and the default scanner for Java and TypeScript.
As project version, the Git commit hash is used. The results from both scanners seem to overwrite each other even with the same commit hash.
Either we have only C# results or only Java / TS results.
How can we get merged results in one SQ project?
SonarQube Version 5.6
It is just impossible to merge analysis reports for one project.
Technically, it would probably be achievable to execute a single SonarQube analysis that does both the .NET part and the Java/JavaScript part. This would answer your use case. But this would be a kind of hack.
IMO, the good way to do it is to split your source code in 2: the .NET part and the Java part. Chances are that these are 2 different technical components anyway, which might have different life cycles even though they relate to the same "business" application.
Related
I have a legacy project which has 40M+ lines of code. I just want to configure Sonar during the build, but when I run Sonar with default settings, it fails with OutOfMemoryException or with TimeOutException.
I got to know that this is because of the large codebase that I have, so I increased the memory arguments to use 5 GB of memory. I tried with more memory, but the TeamCity server doesn't have much free memory. It still failed.
Finally, what I did was build two pipelines: I included a particular file pattern in one using sonar.inclusions and the rest of the files in the other, and so separated my code into two different pipelines. Now when I run Sonar, it works fine and generates two different reports with different project keys.
But my requirement is to generate a single report because I can't attach two reports in Bitbucket. My goal is to show the report in Bitbucket. If it is possible to fetch two reports in a single repository, that will also do.
Can anyone please help me generate a single report even though I run Sonar in multiple pipelines in TeamCity?
I don't think you can. A project (you call it 'report') is the only unit you can scan in one execution of the sonar scanner - you can't scan part of a project.
If you're using Enterprise edition, you can create a portfolio of multiple projects, which will automatically generate and maintain aggregated metrics.
On the dashboard there is a cool block with new code analysis. I'd like to see something like this for every feature. I hoped to solve this using the sonar-branch-community plugin, but it doesn't measure coverage of new code in short-lived branches. As for long-lived branches - I tried to make all the feature branches long-lived. There is an analysis of new code in this case, but it starts from the first scan of this branch and there is no way to compare it to another long-lived branch (or is there?)
Is there a way to execute the new code analysis by features? Maybe it's possible to pass 2 scanning results to this widget to see the difference?
Newer versions of SonarQube support reporting of code coverage on branches and the introduction of new issues compared to the target long-lived branch.
The SonarQube Community Branch Plugin supports the new branch scanning features introduced in SonarQube 7.2, although I don't believe SonarQube provides the charted/visual history of the branches, just the numeric values.
SonarQube Quality Profiles are not being used during the sonarqube scan:
We have Sonar tasks installed and enabled for the build definition. What we are seeing is that the quality profiles are stopped for one build run and then started again automatically for the next run. We are consistently seeing the same behavior on alternate build runs.
Image where we can see the profiles are stopped and started:
What you're seeing is the result of a bad configuration somewhere. You indicate in your comments that along with the toggling of profiles, you also see large swings in issue counts as most of the file types get excluded from analysis, resulting in very few issues reported.
So let's break this down:
The profile events you're seeing simply record/reflect the changes in profile use from one analysis to another. If I have a project with Java and JavaScript, the first analysis will use the default profiles for that language. Then, let's say I use the deprecated property sonar.language to restrict analysis to just Java files and analyze again. Since JavaScript is no longer found in my project, the default JavaScript profile will not be used, and a profile event will be recorded.
That seems to be what you're seeing in your activity log.
So now to the detective work: why is this happening? First, this swings back and forth. That indicates configurations set not at the project level (in SonarQube itself) but properties that are only sometimes passed during the analysis, or some other analysis-side circumstance. There are a few possible causes which you'll need to investigate independently:
sonar.language - if this deprecated property is used during analysis, it will limit the by-default multi-language analysis to a single language. It could be in your properties files or passed on the analysis command line: -Dsonar.language=foo
exclusions - exclusions are difficult to set properly from the analysis side, but this can happen
improper/incomplete checkout - is it possible that only part of your project is checked out?
In investigating this, you should be aware that analysis-side properties can be set at two levels; at the individual project/analysis or in the global scanner configuration.
I'm guessing that your CI system has multiple slaves and languages are dropped - or not - from your project depending on which slave the job lands on that night.
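One way to carry out the investigation described in the answer above, as an added example that is not part of the original thread: merge the global scanner configuration, the project properties file and the `-D` command-line arguments for two runs, then report the scope-narrowing properties that differ. The file contents, the two agents and the override order (command line over project file over global file) are assumptions constructed for illustration.

```python
import shlex

# Analysis-side properties that change which files are analysed.
SCOPE_KEYS = {"sonar.language", "sonar.sources", "sonar.inclusions",
              "sonar.exclusions", "sonar.test.inclusions", "sonar.test.exclusions"}

def parse_properties(text):
    """Parse Java-style .properties text (key=value, '#' or '!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_cli(command):
    """Collect -Dkey=value arguments from a scanner command line."""
    props = {}
    for arg in shlex.split(command):
        if arg.startswith("-D") and "=" in arg:
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props

def effective(global_text, project_text, command):
    """Merge the levels; assumed order: global < project file < command line."""
    merged = parse_properties(global_text)
    merged.update(parse_properties(project_text))
    merged.update(parse_cli(command))
    return merged

def scope_drift(run_a, run_b):
    """Return {key: (value_in_a, value_in_b)} for scope keys that differ."""
    return {k: (run_a.get(k), run_b.get(k))
            for k in sorted(SCOPE_KEYS) if run_a.get(k) != run_b.get(k)}

# Constructed sample data: the same project analysed on two build agents.
GLOBAL_A = "sonar.host.url=http://sonar.example.invalid:9000\n"
GLOBAL_B = GLOBAL_A + "# left over from an old job\nsonar.language=java\n"
PROJECT = "sonar.projectKey=demo\nsonar.sources=src\n"
CMD_A = "sonar-scanner -Dsonar.projectVersion=abc123"
CMD_B = "sonar-scanner -Dsonar.projectVersion=abc124 '-Dsonar.exclusions=**/*.js'"

if __name__ == "__main__":
    drift = scope_drift(effective(GLOBAL_A, PROJECT, CMD_A),
                        effective(GLOBAL_B, PROJECT, CMD_B))
    for key, (a, b) in drift.items():
        print(f"{key}: agent A={a!r} agent B={b!r}")
```
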
I was experiencing a similar problem and I believe I have tracked down the root of the issue for us. Capturing the source code and properties used during the build, I was unable to find any discrepancies in sonar properties or source code collected, as suggested in the previous answer.
The solution we were trying to analyze with SonarQube has a few C# projects that are part of an external core solution, which is shared between several components. Compiling any one of these other components requires that core be compiled first. I believe the issue lies in that when compiling my component to be analyzed, MSBuild would sometimes rebuild some of the projects included in core. Depending on whether they were rebuilt or not, the number of projects and files (and hence issues) would swing wildly in one direction or the other.
By forcing MSBuild to clean my component solution before compiling,
MsBuild.exe MySolution.sln /t:Clean,Build
I ensure a consistent set of projects is built and analyzed by SonarQube. I am 30 builds in with this new approach and I have no more flopping back and forth between using and not using a quality profile.
We have just started using SonarQube 5.1 integrated in TFS build as described on this page: http://www.sonarqube.org/announcing-sonarqube-integration-with-msbuild-and-team-build/
We have one main branch, and two development branches for the same project.
What is the recommended strategy for handling this?
I want to be able to see analysis result trends over time and also let people working in different branches see the analysis results for the branch they are working in. As far as I can see, the Sonar MSBuild runner (https://github.com/SonarSource/sonar-msbuild-runner) only supports projectkey, projectname and version, but not branch key.
Any advice and suggestions will be greatly appreciated!
Indeed Wangen, I do confirm that the MSBuild Runner 0.9 doesn't yet provide a way to inject some SonarQube properties, including the "sonar.branch" property. This limitation is going to be dropped in version 1.0 of the MSBuild Runner. Nevertheless, you must be aware that the support of branches by SonarQube is really limited because, in the end, in your case you're going to have 3 different projects in SonarQube and, for instance, flagging an issue as false-positive won't lead to the same issue being flagged as false-positive in another branch.
We have about 20 people in our team and we are using Sonar for now to analyse new code before submitting it to the main stream. So each designer uses his own Sonar installed on his machine.
What I'm trying to do is to create one instance of Sonar which each designer will be able to use. The only concern I have is what will happen if:
One designer launches an analysis on one revision of a file and right after that a second designer launches an analysis on another revision of this file (in the worst case we can have a bunch of such files). The first designer won't be able to see his violations and won't be able to see the code he wrote at all. Do we have some mechanism to overcome this?
What will happen if two designers analyse the same project at the same time? AFAIK, Sonar won't allow them to do so. Any workaround for this?
Of course, we can, somehow, create a project on the Sonar side for each team member, but this has its drawbacks, such as issues marked as false positive in one project not appearing as such in another project, and so on.
Any ideas on such issues?
What you probably want to set up is:
a central Sonar instance that analyses the code base on a regular basis (for instance every day) based on the code located in the repository. This instance should be the reference and the project manager(s) will use it to monitor the project.
ask the developers to run local analyses before committing their code:
either using Sonar Eclipse if you're coding in Java, C++ or Python. Everything is perfectly described in the documentation, more precisely the "Checking code prior to commit" section
or using the Issues Report plugin if your language is not supported yet in Sonar Eclipse.