Our organization is using SonarQube for managing code quality as well as Docco for handling production of documentation from code comments.
We're running into a conflict between including things like method names in comments for Docco and the 'Sections of Code should not be "commented out"' rule in SonarQube.
Are there any known best practices to get SonarQube to ignore code in comments that are for documentation (even better if for Docco in particular) while still catching old code that has been commented out instead of being removed?
The rule "Sections of code should not be commented out" could be simply disabled in the quality profile related to your project.
Sharing this as it could help anyone having a similar issue.
One way is to comment the code along with additional lines or a single quote, to ignore that line, which worked for me.
Example:
# print("sample")
You can write this as:
# ' print("sample")
I am trying to find a portable way to produce code annotations for GitHub in a way that would avoid a vendor-lockin.
Mainly I want to dump annotations inside a file (yaml, json,...) during build process and have a task at the end that does transform this file into github annotations.
The main goal here is to avoid hardcoding support for github-annotation into the tools that produce them, so other CI/CD systems could also consume the annotation-reports and display them in their UI.
linters -> annotations.report -> github-upload
Tools like flake8 are able to produce output in parsable format file:line:column: message, but I need to know if there is any attempt to standardize annotations so we can collect and combine them from multiple tools and feed them to the CI/CD engine.
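The pipeline sketched in the question (linters -> annotations.report -> github-upload), as an added example that is not part of the original post and not the code of any tool it names. It parses flake8-style `file:line:column: CODE message` lines into a neutral JSON report and then renders that report as GitHub workflow commands (`::warning file=...,line=...::message`), so the GitHub-specific part is confined to one function. The report schema (`tool`, `file`, `line`, `col`, `level`, `title`, `message`), the severity mapping by code prefix, and the sample linter output are all constructed for this example. Messages and properties are percent-escaped the way the GitHub Actions toolkit does, because a linter message containing a newline would otherwise be able to smuggle its own `::` command into the log.

```python
"""Vendor-neutral annotation pipeline (added example, constructed data)."""
import json
import re

# flake8 default output format: path:line:col: CODE message
FLAKE8_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):(?P<col>\d+): (?P<code>\S+) (?P<message>.*)$"
)

# Constructed sample linter output; not real project output.
SAMPLE_FLAKE8_OUTPUT = """\
src/app.py:12:5: E501 line too long (93 > 79 characters)
src/auth.py:40:1: S105 possible hardcoded password: 'hunter2'
src/util.py:3:1: F401 'os' imported but unused
"""


def parse_flake8(text, tool="flake8"):
    """Parse flake8-style lines into neutral annotation dicts (assumed schema)."""
    findings = []
    for raw in text.splitlines():
        m = FLAKE8_RE.match(raw)
        if not m:
            continue  # not a finding line (summary output, blank line, ...)
        code = m.group("code")
        # Constructed policy: F (pyflakes) and S (flake8-bandit) codes are errors.
        level = "error" if code.startswith(("F", "S")) else "warning"
        findings.append({
            "tool": tool,
            "file": m.group("file"),
            "line": int(m.group("line")),
            "col": int(m.group("col")),
            "level": level,          # one of: error, warning, notice
            "title": code,
            "message": m.group("message"),
        })
    return findings


def report_to_json(findings):
    """Serialize the neutral report; this file is what every CI system consumes."""
    return json.dumps({"version": 1, "annotations": findings}, indent=2)


def report_from_json(text):
    return json.loads(text)["annotations"]


def _escape_data(s):
    """Escape a command message as the Actions toolkit does (%, CR, LF)."""
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(s):
    """Properties additionally escape ':' and ',' (the property delimiters)."""
    return _escape_data(s).replace(":", "%3A").replace(",", "%2C")


def to_workflow_commands(findings):
    """Render the neutral report as GitHub workflow commands, one per finding."""
    commands = []
    for f in findings:
        title = f["tool"] + " " + f["title"]
        props = ",".join(
            key + "=" + _escape_property(str(value))
            for key, value in (
                ("file", f["file"]), ("line", f["line"]),
                ("col", f["col"]), ("title", title),
            )
        )
        commands.append("::" + f["level"] + " " + props + "::" + _escape_data(f["message"]))
    return commands


if __name__ == "__main__":
    report = report_to_json(parse_flake8(SAMPLE_FLAKE8_OUTPUT))
    # In a workflow the upload step would read the report file and print these lines.
    for command in to_workflow_commands(report_from_json(report)):
        print(command)
```

In a real workflow each linter step writes its findings with `report_to_json`, and a final step that only knows the neutral schema prints the output of `to_workflow_commands`; another CI system would replace just that last function.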
Today I googled up what the heck those "Github Action Annotations" are all about, and this was among the hits:
https://github.com/marketplace/actions/annotations-action
GitHub action for creating annotations from JSON file
As of now that page also contains:
This repository uses npm packages from #attest scope on github; we are working hard to open source these packages.
Annotations Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
I didn't try it, again, just a random google hit.
I am currently using https://github.com/yuzutech/annotations-action
Sample action code:
- name: Annotate
  uses: yuzutech/annotations-action@v0.3.0
  with:
    repo-token: ${{secrets.GITHUB_TOKEN}}
    input: ./annotations.json
    title: 'Findings'
    ignore-missing-file: true
It does its job well but with one minor defect. If you have findings on a commit/PR you get to see the finding with a beautiful annotation right where you need it. If you re-push changes, even if the finding persists, the annotation is not displayed on later commits. I have opened an issue but I have not yet received an answer.
The annotations-action mentioned above has not been updated and it does not work for me at all (deprecated calls).
I haven't found anything else that worked exactly as I wanted it to.
Update: I found that you can use reviewdog to annotate based on findings. I also created a GitHub action that can be used for Static Code Analysis here https://github.com/tsigouris007/action-semgrep-reviewdog. You can visit the entrypoint.sh file and check how I piped the custom output to reviewdog utilizing jq.
I am trying to extend SonarQube with custom JavaScript rules. I find that the documentation is fairly limited on this subject. The extension tutorials on the SonarQube website show only the most basic stuff.
The only javadoc I could find is this one: http://javadocs.sonarsource.org/latest/apidocs/ and it doesn't cover anything about extending Javascript.
What I ultimately want to do is add a JS rule that will check for hardcoded secrets (such as passwords, API keys, etc.). I already created one for Java, and that was a lot easier as I could take an already pre-made plugin and complete it with my custom regex.
The problematic spot that made me post here was actually this one:
cannot find symbol
symbol: class VariableTree
location: package org.sonar.plugins.javascript.api.tree.expression
I was following the same scheme as with Java and used
import org.sonar.plugins.javascript.api.tree.expression.VariableTree;
which is obviously wrong. I was not able to find the source code for this either... if anybody can point me to some secret doc stash or at least where I can find a javadoc for org.sonar.plugins.javascript.api that would be amazing!
Thanks very much for any help
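The check the asker describes (a rule that flags hardcoded secrets in JavaScript source) as an added stand-alone example; it is not SonarQube's JavaScript plugin API and not the asker's plugin. It combines the two heuristics such rules usually use: a regex over the variable or property name for sensitive words, and a Shannon-entropy score on the assigned string literal so that a random-looking value is reported with more confidence. It emits `file:line:col: message` lines so the findings can feed the same annotation pipeline as any other linter. The sample JavaScript, the placeholder allowlist, the minimum length and the entropy threshold are all constructed for this example.

```python
"""Hardcoded-secret detector for JavaScript source (added example, constructed data)."""
import math
import re

# Sensitive identifier words (constructed list; extend for your code base).
SENSITIVE_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"
)
# name = 'literal', name: "literal", name = `literal`
ASSIGN_RE = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$]*)\s*[:=]\s*(?P<q>["'`])(?P<value>(?:(?!(?P=q)).)*)(?P=q)"""
)
PLACEHOLDERS = {"", "changeme", "xxx", "todo", "example"}  # constructed allowlist
MIN_LEN = 8              # constructed: shorter literals are treated as noise
ENTROPY_THRESHOLD = 3.0  # constructed: bits per character

# Constructed sample source; the values are not real credentials.
SAMPLE_JS = """\
const apiKey = "c0nstructed-9f3a7b2e1d8c4f6a";
const dbPassword = process.env.DB_PASSWORD;
let password = 'changeme';
// const token = "commentedOutSecret123456";
const config = { secret: "s3cr3t-v4lue-f0r-d3m0-only" };
const shortPwd = "abc";
"""


def shannon_entropy(s):
    """Bits per character of the string; random-looking keys score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, filename="input.js"):
    """Return 'file:line:col: message' strings for suspicious string literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("//") or stripped.startswith("*"):
            continue  # comment lines are not live code
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not SENSITIVE_NAME.search(name):
                continue  # identifier does not look sensitive
            if value.lower() in PLACEHOLDERS or "${" in value or len(value) < MIN_LEN:
                continue  # placeholder, template interpolation, or too short
            ent = shannon_entropy(value)
            reason = "sensitive name"
            if ent >= ENTROPY_THRESHOLD:
                reason += ", high entropy (%.2f bits/char)" % ent
            col = m.start("value") + 1  # 1-based column of the literal's first character
            findings.append(
                "%s:%d:%d: HARDCODED_SECRET '%s' is assigned a string literal (%s)"
                % (filename, lineno, col, name, reason)
            )
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_JS, "app.js"):
        print(finding)
```

Values read from `process.env`, commented-out lines, known placeholders and short literals are deliberately skipped; that is what keeps the rule's false-positive rate tolerable when it runs on every commit.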
I have a web app project where the quality is measured under sonarqube.
As I'm dealing with external code within my project files,
recently I have had some issues appearing due to that external code, whose quality I'm not focusing on:
So I just want to remove the issue from my Sonar dashboard (which looks like the following):
The solutions that I have had were not really useful, such as:
I was suggested to change the level of the rule itself from "issue" to "info":
And of course that seems not to be useful because it won't affect the rule itself
The second suggestion was to use the
@SuppressWarnings decorator in my blocks of code where the issues appeared; for example use it on classes or methods or even fields
-> this method results in adding some code to my external code, and that won't be good either as I don't even have the permission to do it.
I just want the simplest solution to delete the issue from the Sonar dashboard, just suppress it from the SonarQube interface; strangely it seems that there is no direct way to do it:
Any better ideas ??
The easiest way is excluding external code from the report with narrowing the focus feature.
Just add a path pattern to the exclusions in your sonar-project.properties file, for example:
# Exclude all classes ending by "Bean"
# Matches org/sonar.api/MyBean.java, org/sonar/util/MyOtherBean.java, org/sonar/util/MyDTO.java, etc.
sonar.exclusions=**/*Bean.java,**/*DTO.java
# Exclude all classes in the "src/main/java/org/sonar" directory
# Matches src/main/java/org/sonar/MyClass.java, src/main/java/org/sonar/MyOtherClass.java
# But does not match src/main/java/org/sonar/util/MyClassUtil.java
sonar.exclusions=src/main/java/org/sonar/*
If you're not interested in some issues because it's not your code, then you should not have SonarQube analyze that code. According to the SonarQube documentation:
We recommend that you exclude generated code, source code from
libraries, etc.
You should check in particular the following settings in the same documentation page:
sonar.sources
sonar.exclusions
These settings will be taken into account the next time you run an analysis.
How to get rid of "Copyright and license headers should be defined"? Even after providing the header, Sonar 5.4 still gives an error. Can someone give a sample header which works for Sonar 5.4?
This is a configurable rule, so look closely at the header you have configured. You don't say which language this pertains to, so I'll mention that in some languages it's possible to have the configured header evaluated as a regex while in others it can only be evaluated as an exact string match. Either way, this is a question of matching a pattern, and something as simple as a missing or additional space character could be what's throwing it off.
An online regex tester may be helpful to you in properly configuring the value for the rule.
I've been evaluating Hudson, with an eye to convert to it from CC.NET. In CC.NET, I've gotten my emails to include test statistics, such as # of tests run, how many failed, etc. It even shows in red "this project has no tests" which is a great motivator, right?
Is there any way to accomplish this in Hudson?
I've tried the email-ext plugin, because I'm told that it can get test output and other great stuff into the email, but I just can't figure out "how."
It looks like I need to put a token in for "content" but I don't see any token available that looks like "test results" to me :) Or any that would parse some XML that I provide a path to, or such.
Has anyone done this and can help?
Thanks!
From the Email-ext plugin wiki page:
To see a list of all available email tokens and what they display, you can click the "?" (question mark) at the top of the email-ext section on the project configuration screen.
I can't check if it's listed in the online help right now but I think you're looking for the $FAILED_TESTS token.
If you need more guidance, check this blog post: Continuous Integration with Hudson, ColdFusion, and MXUnit: Advanced Notification Control. There are some screenshots that might help.
See this question - Having Latest Tests Results info in the notified email with Hudson. It seems like the only answer is to hack in your own solution, until Email-ext is improved.