I was trying to scan a java bytecode by following instructions given in this link
Looks like sonar scanner looks for property sonar.source as it is a mandatory property so it gives error... but in this case i don't have source code as i am doing scanning on binaries files.
So i put the sonar.source property in the property file but didn't mention folder name. In this case i am not getting any report out of it however the scan is running fine through scanner. When i looked into the output of the scanner it shows zero files indexed not sure why.
TLDR: if you only have the bytecode, then you can't analyze.
The SonarQube platform analyzes and reports on the quality of source code. For some languages, such as Java, binaries are also used to get a fuller, more precise analysis. But at root, SonarQube is about source code quality.
That's why sonar.sources is a required property: there's no scan without source code. If you're not providing an accurate path to the project's Java source files, then... of course no files are indexed.
Related
my project generates at runtime source code from thrift file. Is there a way to avoid Sonarqube analyzes this source code automatically generated? This because I have some code smell and bug detected by Sonarqube in that generated code I can't modify and correct.
Yes. Excluding the source files or any other files from sonar analysis is possible, by using sonar.exclusions property in your sonar.properties
For example, if your source file generated is xyz.java in some folder say target, so you can exclude the file, like this
sonar.exclusions=**/target/*.java
or you can give the file name directly
sonar.exclusions=**/target/xyz.java
You can find more details here: https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
I am using Spotbugs plugin within Eclipse IDE. I can run the Spotbugs over a whole project, which gives me the impression that the tool needs to build the project to present its analysis report.
But the documentation says that it's a static analysis tool.
So, I was curious if it requires to build the project, then can we call it a Static Analysis Tool?
And if it doesn't require to build the project, can we run Spotbugs on single .java files?
The meaning of static analysis is that it analyses your project files "at rest", as opposed to monitoring a running application. https://en.wikipedia.org/wiki/Static_program_analysis
Analyzing bytecode has both strengths and weaknesses compared to analysing source code. It's faster, and better suited to deep analysis of program flow, but won't pick up mistakes that get compiled away, like unnecessary imports and inconsistent-but-legal whitespace.
You can't properly run it on a single file, even if you compiled that file, because there are detectors that take multiple files into consideration, eg detecting when you try to pass null to a method whose parameters are annotated as non-null, or when you've defined a method as public and then never called it from outside the class.
Yes, since SpotBugs analyzes bytecode (.class files), you must first build the project (at least the part you want to analyze).
After that, you can analyze just a single file, for example in IntelliJ IDEA (still FindBugs plugin, but SpotBugs can do all that FindBugs could, same code base):
I exclude our JUnit test from the scanning, however, I would like for it to be scanned for certain set of rule, how can I configure SonarQube to do this?
The SonarQube documentation page Narrowing the focus allows you to specifically target some files for given set of rules. It probably can help you achieve what you want to do.
Now, the SonarJava analyzer already separates Main sources files from Test Source files. Correctly configured, your project will then apply only rules targeting tests on files categorized as "Test Sources". The same way, rules are usually targeting Main sources only.
The code base I am working with has a lot of generated code. In addition, there are also some deprecated files that I would want to exclude from SonarQube analysis. I've read up the documentation and looked at some answers on here about that, but it does not help in my case.
I have a multi-module maven project. So I have multiple projects in my workspace that are all part of a large application. Say I want to exclude this file:
/home/username/workspace/com.mst.rtra.importing.message/bin/com/mst/rtra/importing/message/idl/parse/idlparser.java
I don't really know how to write this in the exclusions settings on SonarQube because of how long the filepath is. Also, what if I want to exclude another file, but from a different module, say :
/home/username/workspace/com.mst.rtra.interpreter.create/
I am confused about I should write this in the exclusions box in project settings. Should I write the absolute file path due to the multi-module nature of this project? Or is there some other convention used?
In addition, if I want to exclude generated files from analysis, I would need to put file:/generated-sources/ as I saw in another answer. However, after analysis, I can still view the analysis results of those files when I open up the project in SonarQube dashboard.
We use ant rather than maven, and an older version of the Sonar ant task at that. But what works for us is setting a sonar.exclusions property in our build.xml, which accepts wildcards for filenames. For example:
<property name="sonar.exclusions" value="**/com/ex/wsdl/asvc/*.java,**/com/ex/wsdl/bsvc/*.java"/>
That skips analyzing all the code generated from a wsdl file for two services. You ought to be able to do something similar for maven.
I am using SONAR for Code Quality checks of my projects. In one project I would like to know the code coverage of a library which is included in the classpath (maven dependency).
Is it possible to configure SONAR (with embedded COBERTURA) to also instrument the specific library for code coverage analysis? As cobertura instruments the bytecode this should be possible but I do not know if it is supported by cobertura (even indepentend from SONAR).
Any hints are welcome.
Regards
Klaus
You would have to set up cobertura(maven target) yourself and import the results(See dynamic analysis)
sonar.dynamicAnalysis=reuseReports
sonar.cobertura.reportPath=PATH_TO_RESULT
But I will not help much:
you would need the src files of the jar to see the coverage, otherwise you would just get % numbers and I'm not even sure sonar will show the extra covered files
the coverage for your whole project will always include the % of the library, so it will go down
It is better to test each project with its own unit tests on its own.