I would like to know if it's possible to focus a sonar analysis in the classes you have modified.
Imagine you have a huge project, analyzed with a SonarQube Ant Task that can spend a lot of time analyzing all its code and generating the results in the server.
If you only modified 3 classes in this huge project... would be possible to make a shorter analysis with only that 3 classes and update the results?
I'm looking the 'sonar.sources' and 'sonar.exclusions' properties, but I cant find a solution.
My idea is to have the complete proyect analyzed in sonar server. If you use the Sonar Eclipse Plugin you can see all the info displayed, and if you use the sonar ant task you can update the information, but only analyzing the source you have modified.
This feature will be implemented in next version of SonarQube (4.0).
You can vote and watch the following ticket: SONAR-3677
Related
It has been cleared here that from Sonarqube version 6.2 that coverage reports are merged and there won't be separate unit and integration coverage report anymore.
We still interested to have these two coverage reports separately. So, We have three sonar projects: unit-tests, integration-tests, whole-project(which is responsible to create overall coverage report)
Problem: All source files are analysed in all three projects. Since the number of files are too many, it takes several minutes to perform the analysis.
Question: Is it possible to turn off sonar issue analyser somehow in a project? It is desired to report only test coverage in the the first two projects(unit-tests & integration-tests) without analysing all files, and then run the issue analyzer only on the last project(whole-project). It could help us to analyse all files once instead of three times.
Additional info: We use sonar gradle plugin version 2.6.2 and sonarqube version 7.4
SonarQube/SonarCloud main responsibility is informing users about issues. Displaying code coverage is just an additional feature. It means there is no flag/parameter which allows you to do it.
Luckily, there is a workaround. You can create empty quality profiles, and use them to scan those two projects (unit-tests & integration-tests). You will get 0 issues because there are zero rules enabled.
The following feature request should be interesting for you: Making test coverage measures mode useful. Feel free to vote on it.
Last day I was configuring a jenkins job to run sonar on my java project. I had sonar and jacoco plugins configured in my job. Sonar was throwing some error for which my sysadmin asked me to remove the jacoco plugin configuration from job. I removed and now sonar is saying it cannot find cobertura.xml.
So I am curious to know if sonar does analysis on already run jacoco or cobertura task or does it runs its own coverage analysis?
Short answer : In general, coverage is imported to SonarQube by reading a coverage report generated prior to any work of sonarQube.
Longer answer : Historically (read, about two years ago), SonarQube used to try to run coverage tool for java. This was a nightmare to maintain for every use cases and as such it is now up to the developers to provide a coverage report to SonarQube which will only act on those data (linking them to source, compute metrics, display them nicely).
In your case, that means you most probably have the cobertura plugin installed on your SQ instance and it is looking for a report to import.
We are trying to install a CI Platform with (Jenkins,sonar,eclipse ...).
So that every developer can make analysis on his code before commit, I'm wondering between two alternatives :
running local analysis with the sonar plugin.
install the different plugins that sonar use (findbug,pmd,checkstyle ...) and configure them to meet the sonar configuration.
I'm not sure which alternative to use? I used to work with findbugs,pmd, checkstyle in eclipse and they look great.
Can you tell me which is the best alternative?
Thanks in advance.
Regards.
With Sonar plugin you can manage the violations like:
Create a review
Mark a violations as false positive or fixed
View the hot classes and hot violations
View yours reviews
If you use separate plugins you have to go sonar web to do that.
The great advance of sonar is the reviews.
Other question is how many projects you have and will have. I currently work with more than 70 projects and many profiles. Is more simple to me run analysis with one plugin, because I need just add the server and find the project. With other plugin you need add the link for each project in each plugin configuration.
Why not install the Sonar Eclipse plugin?
This was designed to solve the following problems:
Sonar does not support parallel analysis of the same project. This issue rules out the option of each developer running Sonar locally. (See SONAR-2761, SONAR-3306)
You don't really want developers uploading metrics and source code into the Sonar database. They could be working on an uncommitted workspace and would therefore cause both inaccuracies and confusion if Sonar is being used for code review.
Sonar is really designed to be run from a continuous integration server (like Jenkins), building code that has been submitted onto a shared codestream (or branch)
The big advantages of using the Eclipse plugin are:
True local analysis, no updates of the Sonar database
Configuration of the other tools is retrieved from the Sonar server and jars automatically downloaded.
Centralized management of Sonar quality profiles
I have configured one project in sonar and integrated sonar with maven for build time analysis of the project.
After analysis, report is generated and uploaded to Sonar for browsing. But once another user compiles the same project their report overwrites mine.
Basically I want that one user's report on one project is not overwritten by report from other user. A user must be able to see their current violations independently. Is it possible in Sonar?
Sonar stores it's analysis on a daily basis, which explains why it's kind of pointless to run analysis several times in a day. Each analysis run will overwrite that day's existing results, which in turn spoils ongoing statistical analysis.
I would suggest running Sonar, from a dedicated build server like Jenkins (which has a Sonar plug-in). This daily analysis will populate the Sonar database and keep the project dashboard current. This architecture also enables you to keep the database credentials confidential.
Obviously developers would like to see the results of their bug fixing. For that I'd recommend running the Sonar Eclipse plug-in. The latest version will run the same Sonar analysis locally. Recent versions of Sonar also enable you to assign violations to developers for resolution.
This is not possible, last performed analysis will always be the one you browse in the interface. However, I guess what you need is the Issue Report Plugin which will enable analysis to store results locally, with the dry-run option.
This way your developers will be able to run an analysis on their code and see the violation delta without pushing the results.
You can do it by explicitly setting the below properties in pom.xml
<properties>
<sonar.projectKey>Test</sonar.projectKey>
<sonar.projectName>Test</sonar.projectName>
</properties>
Every user should set different projectKey and projectName, if you want that one user's report on one project is not overwritten by report from other user.
We are working on a web project from scratch and are looking at the following static code analysis tools.
Conventions (Checkstyle)
Bad practices (PMD)
Potential bugs (FindBugs)
The project is built on Maven. Instead of using multiple tools for the purpose, I was looking at a single flexible solution and came across SonarQube.
Is it true that we can achieve the results from Checkstyle, PMD and Findbugs with SonarQube?
Sonar will run CheckStyle, FindBugs and PMD, as well as a few other "plugins" such as Cobertura (code coverage) by default for Java projects. The main added value, however, is that it stores the history in a database. You can then see the trend. Are you improving the code base or are you doing the opposite? Only a tool with memory can tell you that.
You should run Sonar in your CI system so that even things that take some time to execute (such as CPD – copy paste detector) can run. And you'll have your history. Whereas with an Eclipse plugin, for example, you'll detect violations sooner – which is great – but you will be tempted to run it less often if it starts taking too long, or run less "quality plugins" (such as skipping CPD or skipping code coverage analysis). And you won't have history.
Also, Sonar generates visual reports, "Dashboard" style. Which makes it very easy to grasp. With Sonar in Jenkins, you'll be able to show developers and your management the effects of the work that was performed on the quality of the code base over the last few weeks and months.
Sonar uses these 3 tools as plugins and aggregates the data from all three giving addition value by showing graphs and such from these tools. So they are complementary to sonar.
Yes and no. In addition to the other answers.
SonarQube is currently on the way to deprecate PMD, Checkstyle and Findbugs and use their own technology to analyze Java code (called SonarJava). They do it, because they don't want to spend their time fixing, upgrading (or waiting on it) those libraries (e.g. for Java 8), which for example uses outdated libraries.
They also got a new set of plugins for your personal IDE called SonarLint.
Sonar is great, but if you want to use the mentioned tools separately and still have nice graphs, you can use the Analysis Collector Plugin as part of your Jenkins CI build. A slight advantage of this is that you can check in your PMD/Findbugs/Checkstyle configuration into your SCM and have it integrated into your Maven build, rather than relying on a separate Sonar server.
... a few years later: no, it is not! SonarQube supposes to be able to cover all the rules with its own analyzer, but there are still rules from PMD or CheckStyle not covered by SonarQube. See for example: PMD ReturnFromFinallyBlock.
Sonar is much more than these tools alone.
The greatest benefits is the gui, which lets you configure anything easily.
The statistics it offers are very detailed (lines of code etc).
And it even offers great support for test coverage etc :)
Here you can take a good look:
http://nemo.sonarsource.org/
I would still use these tools in addition to sonar because they can fail the maven build when someone violates a rule. Where as sonar is more retrospective.
Well at least since SonarQube 6.3+ it seems to be that Findbugs is (at the moment) no longer supported as a plugin. Sonarsource is working on replacements of Findbugs-rules with its own Java-plugin.
They even had a list for the replacement status of each rule here, but it got removed by now.
See https://community.sonarsource.com/t/where-is-dist-sonarsource-com-content/5353 for more details.