I want to use a specific sonar profile with analysis mode preview for generating comments that go into our github pull requests.
The default quality profile for the project includes minor and info level rules which will cause hundreds of extra comments (and literally thousands of github notification emails). So it has to be a quality profile specific to this purpose.
Running the build like this:
mvn sonar:sonar -Dsonar.profile.java=PRComments -Dsonar.analysis.mode=preview
Fails with the following error:
sonar.profile was set to 'PRComments' but didn't match any profile for any language.
The PRComments quality profile exists and works perfectly if I don't specify the preview mode. And yes I know that -Dsonar.profile is deprecated and it makes me sad too.
For info I'm using the sonarqube github plugin http://docs.sonarqube.org/display/PLUG/GitHub+Plugin to push the comments into github - but the failure above appears even if I don't use this plugin. Unfortunately the github plugin doesn't seem to have an option to skip adding comments for violations below a configurable severity level.
Is this possible or do I have to give up?
Related
Cut to the chase : I think I need to disable SonarQube Github Plugin from the sonarqube server for specific projects if I want to do both of the following :
Publish to sonarqube server & report to github using github plugin.
It is my understanding that installing SonarQube Github Plugin on a SonarQube server forbids the whole server from storing any analysis, forever. Therefore, I need to find a way to stop using the github plugin for only specific projects. Is there a way to do that?
P.S. Backstory
My original question was Can't publish results to Sonarqube server).
However, Upon finding Why does SonarQube not show results, although the analysis succeeded?, user "Wirone" says that it doesn't show results in sonar server because Sonarqube Github plugin forces sonar.analysis.mode to be set as preview or issues, but not publish.
According to Wirone, sonarscanner doesn't send result to the server unless the mode is set as publish.
I've tried to find out the exact meaning of sonar.analysis.mode, but articles https://groups.google.com/forum/#!topic/sonarqube/JguVVO4OorE or SonarQube analysis mode: preview vs issues were not helpful at all, and I'm still confused about what mode to set if I want to see the analysis result in sonar server instead of github.
Fig.1 : The whole server is empty. This server is actually working, and it has been commenting on github for couple weeks now. However, the server itself does not store any analysis at all - it just pipelines everything to github and then forgets it without storing anything in the database itself. The reason? Fig 2.
Fig.2 : This is the reason. Github plugin prevents the sonar.analysis.mode from ever being set as publish. Without publish mode, the server can never store results in itself. I can't just uninstall this because I need the github commenting feature.
Therefore, I need a separate project to store the whole analysis, but to do that I need to disable this plugin behavior for just that specific project...
Solved : I think leaving in github credentials in SonarScanner properties was the problem. After removing all the github related information in properties, it seems to be working.
Scroll down to bottom to read the conclusion.
Git integration working config:
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=issues
sonar.profile=My_Analysis_Profile
sonar.github.repository=${repository}
sonar.github.endpoint=https://customossendpoint/api/v3
sonar.github.login=someusername
sonar.github.oauth=somehashkey123
sonar.login=id
sonar.password=pass
sonar.github.pullRequest=${pr}
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=true
sonar.github.disableInlineComments=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Tried to make it publish to server but analysis couldn't start due to "Doesn't support sonar.analysis.mode=publish" error message:
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=publish
sonar.profile=My_Analysis_Profile
sonar.github.repository=${repository}
sonar.github.endpoint=https://customossendpoint/api/v3
sonar.github.login=someusername
sonar.github.oauth=somehashkey123
sonar.login=id
sonar.password=pass
sonar.github.pullRequest=${pr}
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=true
sonar.github.disableInlineComments=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Rolling back to "issues" mode because nobody knew what the mode's purpose even was, and tried to make it stop publishing to github by erasing github related options (it didn't send to github, but now it didn't send to server either):
sonar.projectKey=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=issues
sonar.profile=My_Analysis_Profile
sonar.login=id
sonar.password=pass
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Finally figured out the answer:
sonar.projectKey=${componentName}
sonar.projectName=${componentName}
sonar.projectVersion=0.1
sonar.sourceEncoding=UTF-8
sonar.analysis.mode=publish
sonar.profile=My_Analysis_Profile
sonar.login=id
sonar.password=pass
sonar.host.url=http://sonarserver:19000
sonar.issuesReport.console.enable=false
sonar.sources=.
sonar.exclusions=
sonar.java.binaries=**/target/classes
Conclusion: sonar.analysis.mode is very confusing. issues and preview seem to be almost identical; it doesn't store results in the server, and it's just a pipeline either by showing on console when running sonarrunner manually, or by pipelining it to sonarqube github plugin to post as a comment.
When sonarqube github plugin is active, it prohibits any mode other than issues and preview. In order to post it to the server, it needs to be set as publish. To do that, we need to make sure the github plugin isn't used. We can "disable" the plugin project-wise simply by omitting any github related properties(ie. sonar.github.login).
I'm trying to create method without add comment or documentation it, I expected SonarLint would show errors based on rules, but I don't see any errors or warnings. Why?
The particular rules you're looking for are "common" rules applied at the server. You're not going to see them in SonarLint. But in general:
Out of the box, SonarLint runs with the Sonar way (default) profile. If you want additional rules applied in the IDE, you'll need to:
set up a SonarQube instance (assuming you don't already have one)
configure a Quality Profile to your liking
apply it to your project
connect your project in the IDE to the project on the server
At this point you will see (almost) all the same issues in both places.
I've setup a build job in Travis with the Sonarcloud plugin so that it analyzes one of our C/C++ projects, links:
GitHub source - https://github.com/inilabs/libcaer
Travis job - https://travis-ci.org/inilabs/libcaer/jobs/247488797
Sonarcloud - https://sonarcloud.io/dashboard?id=com.inilabs.libcaer
Now if I run this with the default C quality profile "Sonar way" it works fine. Then I created a test profile where I added a one rule and deleted another, and this also worked, so basic custom quality profiles seem to work fine. Then I created our main quality profile "inilabs" that I want to use, where many more rules are enabled (~50) and several (~10) are disabled. Surprisingly this build fails during the 'sonar-scanner' step, with the following exception:
java.lang.IllegalStateException: Unable to load component class org.sonar.scanner.report.ActiveRulesPublisher
(see the above linked build for full error, run with 'sonar-scanner -X)
It seems to get the files with the custom quality profiles fine, so the only thing I can think of is that there must be a specific rule in one of the ~60 changes that makes this fail, but I have no clue how to debug this to understand which one it is. I hope you can help me in pinpointing the problem, thanks!
The error is due to some deactivations of rules in your Quality profile, for example see "restrict should not be used" in the changelog: https://sonarcloud.io/organizations/inilabs-github/quality_profiles/changelog?language=c&name=inilabs.
This bug is tracked in https://jira.sonarsource.com/browse/SONAR-9489 and will be fixed as soon as possible.
A workaround is to copy the profile to another one. Corrupted rules won't be copied.
Sorry for the inconvenience.
Having a look to our build logs, I can see this warning:
build 31-Dec-2015 10:37:39 [WARN] [10:37:39.896] Ability to set quality profile from command line using 'sonar.profile' is deprecated and will be dropped in a future SonarQube version. Please configure quality profile used by your project on SonarQube server.
Even if I can easily understand why it could be deprecated, I have an issue with that. We have a single SonarQube installation for all our teams. Each team must be compliant with a given Quality Gate but can define its own profile, depending on the needs. We are working with git branches. We have "static" branches such as master and develop, but also feature and bugfix branches which are also scanned (to insure code quality before merge). Entries in sonar are created also from command line
Dsonar.project.branch=${bamboo.planRepository.branch}
Which helps us to get one sonar entry per development branch.
Issue: Each time we create a feature, not having the command line will force us to go to Sonar and manually change the profile.
Do you have any suggestions, ideas, which may help us ?
Thanks
I have a similar problem with the potential deprecation of this feature. We have too many projects to be managing this administratively in sonarqube.
The best approach for our site is to allow the teams to select an approved profile using setting in the maven pom.xml.
I have configured one project in sonar and integrated sonar with maven for build time analysis of the project.
After analysis, report is generated and uploaded to Sonar for browsing. But once another user compiles the same project their report overwrites mine.
Basically I want that one user's report on one project is not overwritten by report from other user. A user must be able to see their current violations independently. Is it possible in Sonar?
Sonar stores it's analysis on a daily basis, which explains why it's kind of pointless to run analysis several times in a day. Each analysis run will overwrite that day's existing results, which in turn spoils ongoing statistical analysis.
I would suggest running Sonar, from a dedicated build server like Jenkins (which has a Sonar plug-in). This daily analysis will populate the Sonar database and keep the project dashboard current. This architecture also enables you to keep the database credentials confidential.
Obviously developers would like to see the results of their bug fixing. For that I'd recommend running the Sonar Eclipse plug-in. The latest version will run the same Sonar analysis locally. Recent versions of Sonar also enable you to assign violations to developers for resolution.
This is not possible, last performed analysis will always be the one you browse in the interface. However, I guess what you need is the Issue Report Plugin which will enable analysis to store results locally, with the dry-run option.
This way your developers will be able to run an analysis on their code and see the violation delta without pushing the results.
You can do it by explicitly setting the below properties in pom.xml
<properties>
<sonar.projectKey>Test</sonar.projectKey>
<sonar.projectName>Test</sonar.projectName>
</properties>
Every user should set different projectKey and projectName, if you want that one user's report on one project is not overwritten by report from other user.