How can I restrict the Sonar JavadocMethod rule to filenames including "Controller"? - sonarqube

I have a pre-existing Java project, that Sonar Analysis was recently applied to. There are a large number of CheckStyle JavadocMethod rule violations.
How would I restrict the JavadocMethod rule, to apply only to java filenames with the pattern "Controller.java" ?

The JavadocMethod check does not offer an option to limit itself to certain files, so this cannot be done easily. But - you could:
Write a custom filter which suppresses all JavadocMethod warnings that occur in files which do not match a pattern. This is not difficult - the example on the linked page covers just that case. But it requires you to deploy the filter and that may be a bit of a hassle.
I am not sure if this works in Sonar. I use custom Checkstyle checks in Sonar all the time, but I haven't tried custom filters yet.
Write a subclass of Checkstyle's JavadocMethodCheck which adds an option to apply itself only to certain files (Sonar Examples, Checkstyle tutorial). This is a sure bet if custom filters cannot be added to Sonar.
If you are using Eclipse, you can configure it to use different rule sets based on filename. You would do that using the "advanced" configuration setting in the project properties. Your regexes would be Controller\.java$ to match all controllers, and .{10}(?<!Controller)\.java$ to match the other Java files. This approach could also be applied to a stand-alone or Ant-based Checkstyle run, but not to Sonar.
I am sorry that there is nothing easier available to you - but that's how things are at the moment ... Good luck!

Related

Copy all Gradle dependencies without pre-registered custom task

Use Case
The use case for grabbing all dependencies (without the definition of a custom task in build.gradle) is to perform policy violation and vulnerability analysis on each of them via a templated pipeline. We are using Nexus IQ to do the evaluation.
Example
This can be done simply with Maven, by specifying the local repository to download all dependencies and then supply a pattern to Nexus IQ to scan. In the example below we would supply maven-dependencies/* as the scan target to Nexus IQ after rounding up all the dependencies.
mvn -B clean verify -Dmaven.repo.local=${WORKSPACE}/maven-dependencies
In order to do something similar in Gradle it seems the most popular method is to introduce a custom task into build.gradle. I'd prefer to do this in a way that doesn't require developers to implement custom tasks; it's preferred to keep those files as clean as possible. Here's one way I thought of making this happen:
Set GRADLE_USER_HOME to ${WORKSPACE}/gradle-user-home.
Run find ${WORKSPACE}/gradle-user-home -type f -wholename '*/caches/modules*/files*/**/*.*' to grab the location of all dependency resources (I'm fine with picking up non-archive files).
Copying all files from step #1 to a gradle-dependencies folder.
Supply gradle-dependencies/* as the scan target to Nexus IQ.
Results
I'm super leery about doing it this way, as it seems very hacky and doesn't seem like the most sustainable solution. Is there another way that I should consider?
UPDATE #1: I've adjusted my question to allow answers that have custom tasks, just not pre-registered. Pre-registered means the custom task is already in the build.gradle file. I'll also provide my answer shortly after this update.
I'm uncertain if Gradle has the ability to register external, custom tasks, but this is how I'm making ends meet. I've created a custom task in a file called copyAllDependencies.gradle, appending the contents of that file (after replacing all newlines and instances of two or more spaces with a single space) to build.gradle when the pipeline runs, and then running gradlew copyAllDependencies. I then pass gradle-dependencies/* as the scan target to Nexus IQ.
task copyAllDependencies(type: Copy) {
def allConfigurations = [];
configurations.each {
if (it.canBeResolved) {
allConfigurations += configurations."${it.name}"
}
};
from allConfigurations
into "gradle-dependencies"
}
I can't help but feel that this isn't the most elegant solution, but it suits my needs for now.
UPDATE #1: Ultimately, I decided to go with requiring development teams to specify this custom task in their build.gradle file. There were too many nuances with echoing script contents into another file (hence the need to include ; when defining allConfigurations and iterating over all configurations). However, I am still open answers that address the original question.

SonarQube Generic Execution Report is ignored

The whole morning I have been trying to setup e2e tests reporting via SonarQube's Generic Execution, by using the Generic Test Data -> Generic Execution feature.
I created a custom xml report that gets added to the scan properties like this:
sonar.testExecutionReportPaths=**/e2e-report.xml
So far, SonarQube seems to completely ignore this property and I no attempt to parse the file in the logs. Has anyone made it work?
These are links by Sonar about the Generic Execution feature:
https://docs.sonarqube.org/display/SONAR/Generic+Test+Data
https://github.com/SonarSource/sonarqube/blob/master/sonar-scanner-engine/src/main/java/org/sonar/scanner/genericcoverage/GenericTestExecutionSensor.java
This is a SonarQube 6.2+ feature. Make sure to use an appropriate SonarQube version.
In addition sonar.testExecutionReportPaths does not allow matchers (like *).
Please provide relative or absolute paths, comma separated.
See also:
The official documentation of the Generic Test Data feature
The source code, that looks up the generic execution files

Disable specific sonarqube rule for all java files in a project

I am running sonarqube analysis for one of my java project and it is reporting a lot of violations and majority of the violations reported are for the maximum number of parents a class can have squid:MaximumInheritanceDepth
This class has 6 parents which is greater than 5 authorized
I have more than 100 classes in the project and I do not want to add #SuppressWarning annotation for each of the classes.
Is there a way I can disable this rule for all the Java files in my project?
One option is to analyze this project with a copy of that profile from which you've removed this rule.
Another is to create a another profile, inherit the rules from your existing profile and update the parameter value on this particular rule, bumping the value to 6 (or 7 or ...)
A third option is to use exclusions to effectively turn that rule off for the files in your project.
Go to Project Administration > General Settings > Analysis Scope > Ignore Issues on Multiple Criteria and fill in the rule key (squid:MaximumInheritanceDepth) and file pattern (**/*.java) and that should do the trick.

SonarQube sonar.issue.ignore.multicriteria and MSBuild

I have a Console project and want to disable the rule Console logging should not be used on it.
But it seems MSBuild don't get theses exclusions (anything found in Agent logs, or .sonarqube logs) added in project configuration (sonar.issue.ignore.multicriteria).
Rule Key Pattern: csharpsquid:S2228
File Path Pattern:**/MyProject/**/*.*
Do I have to have a configuration file or MSbuild should retreive Sonar configuration for projects ?
For the first project, the runner try to get server rules:
2016-01-29T08:37:36.3162048Z 09:37:36.217 INFO - ------------- Scan FisrtProject
2016-01-29T08:37:36.3172057Z 09:37:36.288 INFO - Load server rules
2016-01-29T08:37:36.8185565Z 09:37:36.629 INFO - Load server rules (done) | time=341ms
But not the others. I thougt that, as the runner has passed once for this rule and this file, these default are not deleted automatically, but should I to find logs about this ?
I try to change sonar.global.exclusions and sonar.exclusions and they are found by the runner.
The sonar.exclusions / sonar.global.exclusions are not what you want to use. They are for excluding files from the analysis not rules.
To exclude a rule specifically for a project you must define, in SonarQube, a quality profile and remove that rule from the profile, and assign that quality profile to your project. You can copy your standard profile in a new one and remove the rule on the new one, or use the more flexible quality profile inheritance mechanism (QP for consoles apps inherits from the default QP minus the csharpsquid:S2228 rule)
Then run the analysis as usual.
None of the SonarQube.Issue.* properties can be set by the command line since they are multivalued. Please find the official documentation here.
You can have SonarQube ignore issues on certain components and against certain coding rules. Go to Administration > General Settings > Analysis Scope > Issues.
Note that the properties below can only be set through the web interface because they are multi-valued.
These are the SonarQube issue properties:
Ignore Issues on Files - Key: sonar.issue.ignore.allfile
Ignore Issues in Blocks - Key: sonar.issue.ignore.block
Ignore Issues on Multiple Criteria - Key: sonar.issue.ignore.multicriteria
Restrict Scope of Coding Rules - Key: sonar.issue.enforce.multicriteria
If you want to set this property globally for all SonarQube projects then go to the Administration -> Analysis Scope of your SonarQube server:
Browse to the your Sonar instance : http://servername:9000
Login as Admin
Click on Administration
Choose the Analysis tab on the left hand side
Go down to the issues block and look at the "Ignore Issues on Multiple Criteria"
If you want to apply this exclusion for a specific SonarQube project then select the project and then browse the project -> Administration -> Analysis Scope.

Sonar False-Positive Feature

I am using sonar false-positive feature in my project deployed on sonar server and i have marked some violation instances(lets 50 instances) as false positive.
Now i create a new project in sonar having the same code base and deploy it on sonar. As code base is same for both of my projects this is obvious that those "50" violation instances will occurs here also, which i have marked as false-positive in my previous project.
Now i dont want to spend time to mark these instances as false-positive again so i want to ask is there any way to mark these "5o" violation instances as false-positive by refering my first project without doing manually??
Can i make a template/profile type feature to copy false-positive marks from one project and apply it on other project having same code base so that i can save my time??
Kindly revert if anyone know any way to execute this.
Your response will be appreciable..
Thankks in advance!
It is not currently possible to achieve what you want, unless you write a small Java program that uses Sonar Web Service Java client and that does the job.
The only trick I found was to add a // NOSONAR comment on line containing the false positive.
This way, the information is shared among branches.
But, as the NOSONAR masks any sonar issue, you may miss another sonar issue as the one intended to mask.
Example:
var myVar; // NOSONAR

Resources