Sonar exclusions not preventing C# code from being analyzed - sonarqube

I've read the documentation about exclusions and tried several combinations, but Sonar is still analyzing code that it was not supposed to. The following is a sample of my sonar-runner.properties file:
#----- Required metadata
sonar.projectKey=ProjectKey
sonar.projectName=ProjectName
sonar.projectVersion=1.0
sonar.sources=MySourceFolder
sonar.build-stability.url=-
sonar.language=cs
sonar.dotnet.visualstudio.solution.file=MySourceFolder\\Solution.sln
sonar.donet.visualstudio.testProjectPattern=*.Tests*
#----- Default source code encoding
sonar.sourceEncoding=UTF-8
#----- Default Sonar server
sonar.host.url=http://myserver
#----- MySQL
sonar.jdbc.url=jdbc:mysql://myserver:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true
sonar.jdbc.driver=com.mysql.jdbc.Driver
#----- Global database settings
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
#----- Static analysis
sonar.fxcop.installDirectory=C:/Program Files (x86)/Microsoft Fxcop 10.0
The last option I used was to configure the exclusions through the Sonar UI (Project Settings > Exclusions > Source File Exclusions) and set a value like the following:
MySourceFolder/FolderA/FolderB/*.cs
In the logs I see the following message:
[17:27:10][Step 7/9] 17:27:10.919 INFO - Excluded sources:
[17:27:10][Step 7/9] 17:27:10.919 INFO - MySourceFolder/FolderA/FolderB/*.cs
Still, the code is being analyzed, as it appears in the Sonar violations and duplications plugins info.
Any idea on what might be causing this behaviour or how to correctly configure exclusions for C# files?
Thanks a lot!
Ricardo

As specified on the SonarQube analysis parameters page, the property to specify exclusions is "sonar.exclusions".
So here's what you can specify in your "sonar-project.properties" file:
sonar.exclusions=FolderA/FolderB/*.cs
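
An added example, not part of the original answers and not SonarQube code: in the question, the "Excluded sources" log line printed the pattern while the files were still analyzed, so this sketch checks which files a pattern actually removes. It implements the documented wildcards (`**`, `*`, `?`) and assumes, as the answer above implies by dropping the `MySourceFolder/` prefix, that patterns are matched against paths relative to `sonar.sources`; the file list, function names and the `relative_to` parameter are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Wildcards: ** = any number of directories, * = any characters inside
# one path segment, ? = exactly one character.
TOKEN = re.compile(r"\*\*/|\*\*|\*|\?|[^*?]+")
RULES = {"**/": r"(?:[^/]+/)*", "**": r".*", "*": r"[^/]*", "?": r"[^/]"}


def sonar_pattern_to_regex(pattern):
    """Translate one exclusion pattern into an anchored regular expression."""
    parts = [RULES.get(tok) or re.escape(tok) for tok in TOKEN.findall(pattern)]
    return re.compile("".join(parts) + r"\Z")


def excluded(files, patterns, relative_to=""):
    """Return the files the patterns remove from analysis when every path
    is matched relative to `relative_to` (assumed matching root)."""
    regexes = [sonar_pattern_to_regex(p) for p in patterns]
    hits = []
    for name in files:
        path = PurePosixPath(name)
        try:
            rel = path.relative_to(relative_to) if relative_to else path
        except ValueError:
            continue  # outside the root: never indexed, so never excluded
        if any(rx.match(rel.as_posix()) for rx in regexes):
            hits.append(name)
    return hits


# Constructed file list, not taken from the question's project.
FILES = [
    "MySourceFolder/FolderA/FolderB/Generated.cs",
    "MySourceFolder/FolderA/FolderB/Sub/Deep.cs",
    "MySourceFolder/FolderA/Auth.cs",
]

if __name__ == "__main__":
    for pat in ("MySourceFolder/FolderA/FolderB/*.cs",   # as in the question
                "FolderA/FolderB/*.cs",                  # as in the answer
                "FolderA/FolderB/**/*.cs"):              # also covers subfolders
        print(pat, "->", excluded(FILES, [pat], relative_to="MySourceFolder"))
```

Running the same check in CI against the real file list shows both failure directions: a pattern that matches nothing, and a pattern broad enough to drop files that should stay under analysis.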

Actually, for me it worked the opposite. sonar.exclusion didn't exclude the file from analysis, but adding the file name to the exclusion list through the Sonar GUI worked fine.
I used it for JavaScript analysis.

Related

SonarCFamily only detects code-smells duplicate code blocks

I'm trying to use SonarScanner with the SonarCFamily plugin on my C codebase on Ubuntu. I see that the scanner is only able to detect "code smells - duplicate blocks of code" in my codebase and no other forms of bugs/vulnerabilities. I intentionally added a memory leak in the code and SonarQube couldn't detect it, while the open source SA tool Cppcheck was able to. Am I missing some setting in the sonar-project.properties file? My sonar.properties file is as follows. Are there any settings needed in the server/SonarCFamily plugin for the tool to detect other forms of SA errors?
# must be unique in a given SonarQube instance
sonar.projectKey=c-sa-test
# this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
sonar.projectName=c-sa-test
sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# This property is optional if sonar.modules is set.
sonar.sources=src
# Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8
sonar.host.url=http://localhost:9000
sonar.cfamily.build-wrapper-output=bw_output
sonar.c.file.suffixes=.c,.h
sonar.cpp.file.suffixes=.cc,.cpp,.cxx,.c++,.hh,.hpp,.hxx,.h++,.ipp
Found the root cause: I was missing some elements of the project build process as input to the build wrapper. Once those were added, SonarQube provided a detailed report.
I had the exact same problem where SonarCFamily was only reporting code duplications. It was due to an incorrect build process as input to the build wrapper. In my case, I was using SonarScanner.MSBuild and on my build-wrapper line, I didn't have the Configuration and Platform specified, so my projects were not getting built or scanned. The final working lines were:
SonarScanner.MSBuild.exe begin /k:"your key" /d:sonar.cfamily.build-wrapper-output="bw_output"
build-wrapper-win-x86-64.exe --out-dir bw_output MSBuild.exe your_solution.sln /p:Configuration=Release /p:Platform=x64
SonarScanner.MSBuild.exe end
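
An added example, not from the original posts or from SonarSource: a pre-scan check that flags source files the build wrapper never saw being compiled, which is the condition both answers describe. It assumes the output directory holds a JSON dump (commonly `bw_output/build-wrapper-dump.json`) with a `captures` list whose entries carry `cwd` and `cmd`; verify that layout against your own output, and note that the paths and dumps below are constructed.

```python
from pathlib import PurePosixPath

# Suffixes treated as compilable sources (subset of the question's suffix lists).
SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".c++"}


def compiled_sources(dump):
    """Absolute paths of source files named in captured compiler commands."""
    found = set()
    for capture in dump.get("captures", []):
        cwd = PurePosixPath(capture.get("cwd", "/"))
        for arg in capture.get("cmd", [])[1:]:        # skip the compiler itself
            if arg.startswith("-"):
                continue                              # option, not a file
            if PurePosixPath(arg).suffix in SOURCE_SUFFIXES:
                found.add((cwd / arg).as_posix())     # absolute args stay absolute
    return found


def uncaptured(dump, project_sources):
    """Project sources that no captured compile command mentions."""
    seen = compiled_sources(dump)
    return sorted(src for src in project_sources if src not in seen)


# Constructed inputs. In practice, load the dump with json.load() from the
# directory passed to --out-dir and list the sources under sonar.sources.
SOURCES = ["/work/proj/src/main.c", "/work/proj/src/leak.c"]
EMPTY_DUMP = {"captures": []}                         # wrapper saw no compiler run
PARTIAL_DUMP = {"captures": [
    {"cwd": "/work/proj",
     "cmd": ["gcc", "-Wall", "-c", "src/main.c", "-o", "main.o"]},
]}

if __name__ == "__main__":
    for label, dump in (("empty", EMPTY_DUMP), ("partial", PARTIAL_DUMP)):
        missing = uncaptured(dump, SOURCES)
        status = "FAIL" if missing else "ok"
        print(f"{label}: {status}, not captured: {missing}")
```

Failing the pipeline when `uncaptured` returns anything turns a silent loss of analysis coverage into a visible build error.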

How to set sonar.projectBaseDir in SonarQube Scanner for Jenkins?

I try to analyze one module of a multi module project in Jenkins with SonarQube Scanner plug-in (version 2.5). Unfortunately, Jenkins picks the wrong module as working directory.
In this particular case, I could change the order of the modules, but in general (more than one analyzed module) it is not working. So I want to fix the problem with the property sonar.projectBaseDir, see Advanced SonarQube Scanner Usages:
Alternate Analysis Directory
If the files to be analyzed are not in the directory where the analysis starts from, use the sonar.projectBaseDir property to move analysis to a different directory. E.G. analysis begins from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1.
sonar-project.properties
sonar.projectBaseDir=/home/ftpdrop/cobol/project1
sonar.sources=src
sonar.cobol.copy.directories=/copy
I tried following ways to set the sonar.projectBaseDir property to right module (module2 instead of module1):
sonar.projectBaseDir in sonar-project.properties file
But it doesn't work. The property in sonar-project.properties file is ignored. The log shows that the property is overridden with JVM option:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dproject.settings=/Users/test/jenkinsslave/workspace/Test/module2/sonar-project.properties -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
I think that is a bug in SonarQube Scanner plug-in, because project.settings is incompatible with sonar.projectBaseDir, see Advanced SonarQube Scanner Usages:
The property project.settings can be used to specify the path to the project configuration file (this option is incompatible with the project.home and sonar.projectBaseDir properties).
sonar.projectBaseDir as JVM Options
But it doesn't work. The property is ignored. The log shows that the property is overridden:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
sonar.projectBaseDir as Additional arguments
But it doesn't work. The log shows that the property is configured twice:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module2 -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=/Users/test/jenkinsslave/workspace/Test/module1
I think that is a bug in SonarQube Scanner plug-in, because it should not add sonar.projectBaseDir option if there is already such option.
I found a solution, I have to add the property sonar.projectBaseDir as Analysis properties.
Configuration:
Log:
/Users/test/jenkinsslave/tools/hudson.plugins.sonar.SonarRunnerInstallation/SonarQube_Scanner_2.8/bin/sonar-scanner -X -e -Dsonar.host.url=http://sonarqube:9090 -Dsonar.projectBaseDir=./../module2

How can I configure sonar-scanner to not warn on files not matching forced language?

We're using SonarQube 6.3 with a PHP project. We have the sonar.language property set to php since that's what we're interested in. We have exclusions configured so some vendor libraries are not included in the scan. These exclusions work for the actual analysis but our scan log is full of warnings about files being ignored because they aren't php.
Sample warning:
WARN: File 'vendor/somejavascriptlib/cooljavascript.js' is ignored because it doens't belong to the forced langauge 'php'
We have sonar.exclusions set to "vendor/**/*" but that doesn't seem to impact the file indexing that is creating these warnings. Is there a way to suppress the warning? Or a different config property we should be using?
This issue will be fixed in SonarQube 6.6: https://jira.sonarsource.com/browse/SONAR-9561

Unable to scan Cobol project using SonarQube

I am trying to work out code analysis for my COBOL code with SonarQube. I installed the sonarcobol plugin and I am trying to run the analysis using sonarscanner. When I run sonar-scanner in the respective directory, it says success, but I am unable to see the analysis in the SonarQube server.
Attached is my sonar-project.properties
sonar.host.url=http://xxxxx:9000/
sonar.login=admin
sonar.password=admin
sonar.projectKey=cobol
sonar.projectName=cobol
sonar.projectVersion=1.0
sonar.sources=.
sonar.sourceEncoding=UTF-8
## Cobol Specific Properties
# comma-separated paths to directories with copybooks
sonar.cobol.copy.directories=copybooks
# comma-separated list of suffixes
sonar.cobol.file.suffixes=cbl,cpy
sonar.cobol.copy.suffixes=cpy
## Flex Specific Properties
# retrieve code coverage data from the Cobertura report
#sonar.flex.cobertura.reportPath=coverage-report/coverage-cobertua-flex.xml
# PL/I Specific Properties
sonar.pli.marginLeft=2
sonar.pli.marginRight=0
From the author's comment above:
I solved this by adding sonar.languages=COBOL in sonar-project.properties
Pasting here for convenience.

how to disable fxcop analysis in sonar

I am trying to analyze code coverage for .NET project.
Here is my sonar.project file.
# Project identification
sonar.projectKey=ABC
sonar.projectVersion=trunk
sonar.projectName=ABCD
# Info required for Sonar
sonar.sources=.
sonar.language=cs
sonar.sourceEncoding=UTF-8
sonar.visualstudio.enable=true
sonar.visualstudio.testProjectPattern=UnitTest
#Core C# Settings
sonar.dotnet.visualstudio.solution.file=./MySample.sln
#sonar.silverlight.4.mscorlib.location=C:/Program Files (x86)/Reference Assemblies/Microsoft/Framework/Silverlight/v5.0
sonar.dotnet.excludeGeneratedCode=true
sonar.dotnet.4.0.sdk.directory=C:/Windows/Microsoft.NET/Framework64/v4.0.30319
sonar.dotnet.version=4.0
# To prevent any issues while analyzing multiple solutions containing projects with similar keys
# Will be set by default to safe starting at version 2.2: http://jira.codehaus.org/browse/SONARDOTNT-339
sonar.dotnet.key.generation.strategy=safe
sonar.cs.opencover.reportsPaths=C:/openCoverAnalysis/Sample.xml
# FXCop
sonar.fxcop.mode=skip
sonar.fxcop.mode=skip is not working. Am I missing anything?
SonarQube version 4.5
