Working with SonarQube rules - sonarqube

I am new to SonarQube and using SonarQube 5.1. I read from somewhere that it is a replacement for FindBugs and CheckStyle. So does it mean it internally runs FindBugs and CheckStyle? But I couldn't find any FindBugs and CheckStyle plugins inbuilt. From where does Sonar take the rules?

You can install Checkstyle and FindBugs plugins separately, enable their rules in your profile and thus use them in your analysis. However, SonarSource has made a concerted effort to replace such rules with 'native' rules, and if you do install these extra plugins, you will find many of their rules marked Deprecated.
You can see the replacement progress in the deprecation reports for FindBugs, Checkstyle and PMD.

You can install FindBugs and CheckStyle from the Update Center, in the administration section of SonarQube (default: log in as user "admin" with password "admin").
Once the plugins are installed, when you run a Sonar analysis on your code (for example: mvn sonar:sonar), the machine running the analysis will get the .jars from Sonar itself, run them locally, and then upload the results back to Sonar.

Related

Why "Sonar Way with find bugs" has no PMD rule repository?

I have set up SonarQube Ver 4.3.3, but when I navigate to Quality Profile -> Sonar Way with find bugs -> Coding Rules -> Repository I do not see any PMD rule repository.
I can only see Common Sonar, FindBugs and Sonar Qube rule repositories.
Does it mean that my SONAR is not checking PMD rules?
You do not see any PMD rule repository because the java plugin reimplemented the PMD rules (not a one-to-one match).
For more details, please read this.
Please note the sonar-pmd-plugin is still supported. I advise installing a more recent version of the java plugin.
If you specifically want to see the PMD rules, please install the PMD plugin

Unable to get sonar-fortify plugin configured with Jenkins and SonarQube

I have scoured the forums and cannot seem to quite understand the config for the fortify plug-in with Sonar.
I understand it simply builds a widget based on data from a previously generated .fpr file.
My setup:
Maven 3 project
Jenkins 1.606
SonarQube 5.0.1
Sonar-Fortify plug-in 2.0
Prerequisites:
.fpr file is in Jenkins workspace
Sonar is added to pom.xml
sonar-fortify-plug-in v2.0 added to pom.xml (wasn't sure whether this was needed or not)
Sonar server configured in Jenkins
sonar fortify plug-in v2.0 added to Sonar (I only see a dropdown for 'enableReportLink' under 'Configure widgets')
Should there be more config somewhere?
Questions:
Where should this property be set? Jenkins Sonar config, Sonar, pom file?
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
Is that path to the .fpr file where it is within the Jenkins workspace?
The setup instructions on Github seem short and I feel I am missing something specific in my understanding.
Any help or direction to additional documentation is greatly appreciated.
First of all, as documented, version 2.0 cannot be used anymore. Version 2.1 is going to be released soon. The vote for release will be started this week. Meanwhile you can:
download 2.1-SNAPSHOT version and copy it in extensions/plugins of your SonarQube server installation
restart server. The Fortify rules should be available in the page "Rules".
execute Fortify command "sourceanalyzer", independently from SonarQube. It generates a report file suffixed by .fpr.
execute a standard SonarQube analysis of your project by adding the property sonar.fortify.reportPath, for example:
mvn sonar:sonar -Dsonar.fortify.reportPath=/path/to/project.fpr
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
If everything works, then you can automate these steps in Jenkins.

How to configure findbugs when using sonar with maven

I'm calling sonar from maven:
mvn clean install sonar:sonar
How can I configure the findbugs rules?
Do I have to configure the rules in maven as suggested in Import FindBugs configuration from Sonar to Maven?
Where can I find documentation on how to write the configuration file?
Is the configuration in sonar still relevant?
The documentation doesn't help.
How can I configure the findbugs rules?
Use the SonarQube web GUI. Click on "Quality Profiles" in the black area at the top, then choose "Java". The Maven plugin will download your definitions from there and use them.
Do I have to configure the rules in maven as suggested in Import FindBugs configuration from Sonar to Maven?
Nope. Configure them only in SonarQube, and you're all set.
Where can I find documentation on how to write the configuration file?
That would be the FindBugs docs. But you don't need to do that if you're using SonarQube.
Is the configuration in sonar still relevant? The documentation doesn't help.
Yes it is relevant. The SonarQube documentation is generally not very helpful, but configuring rules is quite straightforward using the GUI. You should have a good chance even without documentation.

How to configure/use CheckStyle in Hudson/Jenkins?

I want to learn how to use CheckStyle.
I am doing static code analysis in Hudson. As a first step, I installed the Static Analyser and CheckStyle plugins in Hudson. But I am not able to find out how to use it, even on the official Hudson checkstyle page.
official page : http://wiki.hudson-ci.org/display/HUDSON/Checkstyle+Plugin
I saw some documents in Maven checkstyle plugin that we have to mention some configuration in pom file and run the targets.
Then I had a doubt: if I am doing this with Maven, why do we need the CheckStyle plugin installed in Hudson?
Is it possible to configure CheckStyle in the Hudson job for a Java project instead of changing the pom, or not? If both ways are possible, then which one is better?
Do you have the steps to configure CheckStyle plugin in Hudson?
If you've installed the plugin in Jenkins/Hudson, you should now be able to add the checkstyle goal to your project/job.
In the goals section of your Jenkins Maven job, add "checkstyle:checkstyle" to enable the checkstyle plugin to analyse your project.

CheckStyle from maven: how to fail at the very end?

I have a multi-module maven build configured to run CheckStyle. It works, but it fails as soon as it comes across a module with a violation. How can I process all modules but not fail until the very end? I'd like to be able to see all violations without having to fix/re-run repeatedly.
I'd advise doing this in your IDE, to get checkstyle violation feedback while you code, and not only late when building with Maven. Still keep Maven checking for violations, and fail the build as early as possible, on the first module with violations.
E.g. there is eclipse-cs, the checkstyle plugin for the Eclipse IDE. To have both maven-checkstyle-plugin and eclipse-cs use the same checkstyle configuration file, install the m2e Eclipse plugin and its extensions, including the one for eclipse-cs.
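For the question actually asked above (seeing every module's violations before the reactor stops), here is an added configuration example that is not from the original post: a parent-pom fragment for maven-checkstyle-plugin whose check goal reports rather than fails, so all modules are processed in one run. The rule file name checkstyle.xml and the plugin version are assumptions.

```xml
<!-- Added example, not from the original thread: parent pom pluginManagement
     section. Each module runs checkstyle:check in the verify phase, but
     failOnViolation=false turns the goal into a pure report, so the reactor
     continues through every module instead of stopping at the first offender. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-checkstyle-plugin</artifactId>
        <version>2.17</version> <!-- assumed version; use the one your build pins -->
        <configuration>
          <!-- Shared rule set; path is an assumption for this example. -->
          <configLocation>checkstyle.xml</configLocation>
          <!-- Print every violation in the build log so nothing is hidden
               in per-module target/checkstyle-result.xml files. -->
          <consoleOutput>true</consoleOutput>
          <!-- Report only: do not break the module on violations ... -->
          <failOnViolation>false</failOnViolation>
          <!-- ... nor on internal Checkstyle errors such as a bad config. -->
          <failsOnError>false</failsOnError>
          <violationSeverity>warning</violationSeverity>
        </configuration>
        <executions>
          <execution>
            <id>checkstyle-report</id>
            <phase>verify</phase>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

If the build must still fail, keep the default failOnViolation=true and invoke Maven with --fail-at-end (mvn -fae verify): independent modules are still built and the failure is reported once at the end, but modules that depend on a failed module are skipped.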
