Is there a way to get SonarQube to raise a violation if certain files/folders are found in source?
For example, specifically-named configuration files which contain sensitive data (e.g. passwords) should not be included in version control, and neither should IDE-specific configuration directories like IntelliJ's ".idea" and Eclipse's ".settings" folders.
(Side-note: I'm aware these can/should be part of a global ignore in version control - but that's not what I'm asking about)
I'd like SonarQube to raise a violation during analysis if any of a set of files/folders exist, preferably using a regex-or-similar pattern to do the checking.
I've read up on the fact that SonarQube plugins can be written in Java, but this seems such a simple concept (and one I'm sure isn't unique) that I'm a little surprised I haven't been able to find any existing rules or plugins. The closest I've found is sonar-text-plugin, though that focuses on file contents rather than whether files exist at all.
Before I go reinventing the wheel, is there something pre-existing which could offer this?
SonarQube version 4.5.7 - upgrading is an option if there's no other route.
I do confirm that there is no such built-in feature in SonarQube.
You may be want to write a custom rule for the java plugin.
Related
I have a simple question: what is "C:\Users\\%USERNAME%\\.gradle" folder used for?
I need to know whether it's safe to remove the folder without any unwanted consequences, I'd also like to know what information is stored in this folder.
From Gradle Docs:
The Gradle user home directory ($USER_HOME/.gradle by default) is used to store global configuration properties and initialization scripts as well as caches and log files
If you don't use Gradle for development, then there is probably something else on your system that does. I wouldn't recommend deleting it, but feel free to check it out yourself. Here's what it should look like: directory structure.
If you are unsure of whether you are using Gradle inadvertently, which I think is more likely than something else using it completely by itself, I suggest checking out the tools you are using to develop (If you are developing Java, this is a common tool).
You may have Gradle installed because of Android Studio
I'm wresting with SonarQube reporting errors on C# files which I didn't write. For example, I might import a particular piece of code from an open source library where I didn't want to take the entire library as a dependency.
This usually raises a lot of SQ warnings.
Instead of dealing with these one by one, is there a way to just mark the entire file to be ignored? I'n thinking something similar to the new #nullable disable directive.
Thanks very much.
Yes, there is way to remove or better to say exclude the particular files from being analysed by sonarqube.
You can use the sonar.exclusionswhich is a sonar analysis parameter, using this parameter you can exclude files or folders.
Here is the article from sonarqube on this https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
Is it possible for a rule in SonarQube to be active only for files which were created after specific date?
I have a rule which checks for particular suffix in classes' name but I want it to work only for classes which were created as an extension to the existing system not for classes present there out of the box.
Is there any known approach to do it? Maybe a plugin for Sonar which allows such thing?
You don't need such complex feature, all you need is to use SonarQube the right way, by focusing on fixing the leak !
You'll find more details in the documentation, and also in this blog entry.
I've just learned the hard way that Visual Studio 2010 and MSBuild extremely lenient when it comes to which vcxproj MSBuild files they will successfully execute - they will overlook missing configurations for subtasks and single files and still successfully execute the build tasks. However this is causing problems for me as it is leading to inconsistent builds across multiple configurations, plus due to the internal inconsistencies in the project files I cannot necessarily edit them in Visual Studio's property view.
So far I have managed to get rid of the most problematic inconsistencies by editing the vcxproj files by hand but this is not really an acceptable strategy given that this particular solution contains over 80 project files.
Is there a tool that can check an MSBuild file for internal consistency and highlight missing configurations along the lines of "your project files says it offers configurations X, Y and Z but the custom build task for file X only supports configurations X and Z"?
Update: The specific problem I am trying to solve right now as opposed to the more general problem of linting the vcxproj file is that of missing conditionals for certain configurations. Unfortunately adding and updating the conditionals seems to require a little more than I can safely accomplish using a find-and-replace tool. Doing it programmatically and correctly would most likely require DOM manipulation and given that I am rather familiar with the internal structure of the build files so far it appears that using a text editor that is able to do basic structural XML validation is the quickest way to accomplish the task at hand.
What I would really like to see however would be a tool that can at least highlight these problems automatically to cut down on the time spent tracking them down.
Configurations are, in general, a VS concept. They are not built-in to MSBuild but achieved using Conditional attributes on property groups. Most likely your project files are valid MSBuild projects, but some of them don't build with default parameters - I'd suggest not to edit them by hand, but either
use a find-and-replace tool to fix them
write a small app that uses Microsoft.Build.Construction API to inspect and fix the project files
There's nothing that would perform this for you, I'm afraid.
This request is currently tracked under https://github.com/dotnet/msbuild/issues/1777
This is not a real answer yet, but as soon as the issue gets resolved to a tangible solution, I'll update it here.
There are so many examples of how to set up your dotnet projects but none seemed to fit our situation.
We have one solution with multiple applications, multiple dependencies. We're on SourceSafe currently and are planning to move to subversion but are finding it difficult to organize our source the right way.
Example solution
App1
App2
BizObjects
DataAccess
CustomControls
Dependencies
BizObjects->DataAccess
App1->CustomControls
App1->BizObjects
App1->DataAccess
App2->CustomControls
App2->BizObjects
We also have a configuration management system which deploys (via copy from the database) depending on which workload the operator is working. We mark an application "release" with a version and to that release, we add multiple file dependencies. Bear in mind the solution we have in place now is an attempt to band-aid the old (windows 3.1 developed) solution to work with .NET file/dependency structure.
In the case of App1, we have App1.exe, BizObjects.dll, DataAccess.dll, and CustomControls.dll.
We have the same set of dependencies for App2 due to BizObjects referencing DataAccess -- but this is defined manually. We don't have a system in place to identify the dependency tree.
Each of the dependencies for a "release" is a file and version id. And the same application could contain different versions of each file for a different workload.
Where in the world have we gone wrong? Did we go wrong?
How can we structure an svn source tree to accommodate the deployment requirements?
or
how can we restructure the code the better support a deployment strategy which makes sense for our setup?
We have an old and over-engineered solution to (it would seem) a relatively simple problem. Can anyone steer me/us in the right direction?
edit: I read this question and remembered we also have the same dev/test/prod areas which the code must move through.
Sounds like you're trying to do configuration control with a source code control system.
Subversion my not be the right choice, since it's really for source code (ascii files) and build dependencies, not executable files (binary) and run-time dependencies.
My guess is you really need an installer:
http://en.wikipedia.org/wiki/List_of_installation_software
Or maybe just a script to launch the correct configuration from a network drive.