We set a lot of false-positive violations using SonarQube UI.
Can you advise how to keep those false-positive violations during upgrade?
We are trying to upgrade Sonar from 3.5.1 to 4.0 and it seems that the those false-positive violations were removed.
One thing you can do is export the list of false positives so that you will at least know what they are and which files/issues they are attached to. I'm not sure how to then import the list, but in the worst case you can just mark violations as false-positive again, after first checking against the exported list.
The Sonar Rest API query to obtain the list of false positives is as follows. It worked in Sonar 3.2, but I'm not sure if it works in your particular version. It does not work in SonarQube 4.5.4 and possibly other versions, but I don't know.
http://sonar.your-server.com/api/reviews?resource=com.yourpackage.yourcomponent:yourtag&review_type=FALSE-POSITIVE&format=json
Related
We launched sonar 4.5.4 in one of our application. Then, we have upgraded sonar with 6.7.5 version and we have got different results.
e.g.: the rule DLS_DEAD_LOCAL_STORE. When we passed our code with 4.5.4 version, this critical rule was not broken at all. With the new version, it appears as a new critical bug even when no changes have been implemented (last commit for this classes was made more than one year ago).
Is there any documentation about rule implementation changes per versions?
Does anyone any experience with this?
When you upgrade SonarQube you have to prepare yourself for some (big) changes. There is a large gap between 4.5.4 and 6.7.5 so, do not be surprised that checkers have been enhanced and severity revised.
It is normal and you should analyze changes before performing any application upgrade.
SonarC# 6.7.1 (build 4347)
SonarQube Version 6.7.1 (build 35068)
Quality Profile: Sonar way (outdated copy) because the current Sonar Way quality profile returns nothing at all.
Running the current MSBuild.SonarQube.Runner (SonarQube Scanner for MSBuild 4.0.2.892) only reports Code Smells. No vulnerabilities or bugs are being reported.
Using https://github.com/SonarSource/sonar-scanning-examples - CSharpProject to test. I've added bugs from the quality profile above into the code but they never get reported. I've tried this with other CS projects with the same results.
Are there any known issues reporting vulnerabilities/bugs for C#? Is any additional configuration required to get this information reported back to SonarQube?
This isn't a known issue, and I couldn't reproduce it using the same versions of the scanner, the C# plugin and a clean install of SonarQube 6.7.1.
Analysing the sample project reported one bug (csharpsquid:S2583, Program.cs line 9), and one code smell (csharpsquid:S1118, Program.cs line 4).
Code Smells, Bugs and Vulnerabilities are all handled the same way by the Scanner for MSBuild - they are all just Roslyn issues with different categories applied. No additional configuration is required.
I'm guessing you've migrated from an older version of SonarQube since you have an outdated SonarWay. However, that shouldn't make any difference to how issues are reported. The rules included in the default SonarWay might change between versions, but you've checked for rules you know are in the active QP.
If you haven't already, you could try installing SonarLint for VS and checking it correctly detects the bugs you've injected into the code.
Other options:
the .sonarqube\conf file will contain a ruleset file showing which rules are being executed by the scanner. Check that contains the expected rules.
the bin directory of each project will contain a XXX.RoslynCA.json file containing all of the issues that were detected during the build. Check they contains the expected issues.
check the console logs for errors or warnings. You could also increase the verbosity of the logged output by passing /d:sonar.verbose=true on the command line in the Begin step.
I see 26,253 warnings in MSbuild log with SonarScanner (Red marked). It includes 558 compiler warnings, rest are from the code analyzer.
But, I see only 16,396 issues in SonarQube (blue marked)
Why there is huge difference of around 10,000 issues, why are not those issues reported in SonarQube !!
There are three four (thanks #Julian) possibilities here:
~10k issues in your project have been "resolved" False Positive or Won't Fix. Okay, this volume of FP/WF issues is unlikely, so on to
You have set some exclusions which filter out some issues. This is possible, but 10k seems a bit high for that, so...
The number you're looking at is the total number of SonarC# issues, plus compiler warnings, plus (insert some other checker run automatically during the build here), but only issues that correlate to Rules active in your Quality Profile will be reflected in SonarQube
.cs files outside the project base directory may be excluded automatically by the SonarQube Scanner for MSBuild
My project is analysed by SonarQube for every VCS check-in and I have observed some strange behavior:
The dependency cycle-count changes to extremes every now and then.
When viewing the details (e.g. clicking the link) the old (smaller number) value is displayed. What could be the cause of this?
This feature has been dropped from SonarQube platform in version 5.2 thus even if there might be some flaws on this on sonar java analyzer side there is not point to make an effort to fix them as this will be dropped when it will move to LTS version 5.x
See this ticket for detailed explanation : https://jira.sonarsource.com/browse/SONAR-6553
We have just started using Sonarqube 5.1 integrated in TFS build as described on this page http://www.sonarqube.org/announcing-sonarqube-integration-with-msbuild-and-team-build/
We have one main branch, and two development branches for the same project.
What is the recommended strategy for handling this?
I want to be able to see analyze result trends over time and also let people working in different branches able to see analyze result for the branch they are working in. As far as I can see the Sonar msbuild runner (https://github.com/SonarSource/sonar-msbuild-runner) only supports projectkey, projectname and version, but not branch key.
Any advice and suggestions will be greatly appreciated!
Indeed Wangen, I do confirm that the MSBuild Runner 0.9 doesn't yet provide a way to inject some SonarQube properties and so including the "sonar.branch" property. This limitation is going to be dropped in version 1.0 of the MSBuild Runner. Nevertheless, you must be aware that the support of branches by SonarQube is really limited because at the end in your case you're going to have 3 different projects in SonarQube and for instance flagging an issue as false-positive won't lead to flag the same issue in another branch as false-positive.