I'm evaluating SonarQube 5.4 with SonarLint eclipse plugin.
SonarQube as well as the plugin are set up and are running. But now I'm pretty confused how SonarLint is supposed to run in 'connected mode':
SonarLint is connected with SonarQube and is bound to the corresponding project. But some issues are only shown in SonarQube. It was my understanding SonarLint should be able to identify issues like Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object. But it does not. SonarQube does.
When analysing a single file with SonarLint, there are a lot of debug messages in the SonarLint Console like Class not found in resource cache : org/company/project/CommonSuperClass. But even worse: Class not found in resource cache : java/lang/Class. Is it supposed to do that?
We are specifically interested in highlighting the issues introduced by developer. SonarQube is connected our repo and does a nice job in blaming the committer. But it seems there is no way of showing my own issues in sonarlint.
I'd like to run the SonarLint analysis at a time of my choice, so I decided to deactivated "Run SonarLint automatically". But it seems I can only analyze files manually, not packages or projects. Am I missing something again? I do not want to click on every one of my ~2000 files and analyze it by hand.
SonarLint and SonarQube are 2 different products:
You want very fast feedback on the code you are working on to make sure you don't inject issues => SonarLint analyses the files as you open them to write or review code
You want a 360° vision of the quality of your code => SonarQube analyses all the files of your project
The "connected mode" is the bridge between the 2 worlds, and its development is still underway. For instance, we plan to make it possible to see inside SonarLint all the issues found on the project by SonarQube (see and vote for SLE-54).
Related
I am working on a project which already has sonarqube integrated. Now, we want to have a plugin in our local IDE(with some sort of XML) so that everyone in the team can have the same set of rules.
I see two options :
SonarLint: I read that SonarQube already has rules that are a replacement of what checkstyle/pmd and other analyzers have.
So if I use sonarlint and connect it with our sonarqube server, will sonarlint be able to identify all the checkstyle/PMD violations on our IDE or we will miss some important violations provided by these external analyzers?
Checkstyle/PMD: We can have different plugins for each of these analyzers with their XML file that can be shared with team. But this way, we won't be able to integrate with sonarqube.
What would be the better approach?
I using JaCoCo + Scoverage for a project with a mixed codebase (Java (using JUnit), Scala (using Scalatest)). I'm not seeing any code duplication being reported and I have clearly added some copy/pasted code (in more than a few places; around 10 lines).
I don't see any of this as being reported as duplicate code. Is there some plugin I need for Gradle, or in Sonarqube that handles this?
I am not seeing it neither for the Java code, nor for the Scala code (I know that sonar-scala doesn't currently support such reports, but I was hoping that there would be some for Java.
We're using Sonarqube 6.7.6.
What do I need to enable to get this working?
I'm getting started with SonarQube usage for JSF page static analysis[1] in Maven. I'm only really interested in using it in Maven since I don't like the idea to introduce another build command.
After going through Analyzing the source code and the specific Maven guide I gained the impression that the plugin can only be used after downloading, installing/unpacking and starting a SonarQube instance at localhost and specifying the connection information in the plugin declaration in the POM. The plugin configuration parameter confirm that.
While this workflow might have advantages it is painful to use on CI services and the necessity to start a service manually in order to be able to build seems not very user friedly (given the fact that other development tools like Selenium or Arquillian pull entire browser, driver and servers in the background without one single line of configuration). Am I missing something about a separate plugin or configuration which manages an embedded or otherwise temporary instance to perform the analysis with a single plugin declaration?
[1] I'm aware that there're other tools based on XML validation which could do the job, but setting up a much more powerful tools like SonarQube seems to be a more flexible approach which will probably pay off.
You don't have to install SonarQube on your build server, but it is necessary to execute analysis (results will be pushed to it). It means that you have a working server somewhere and next you have to set required parameters:
sonar.host.url (http://localhost:9000 is a default value)
sonar.login and sonar.password (if your SonarQube server is secured)
See all Analysis Parameters.
I am using Sonar-Lint as my static code analysis plugin in intellij. When I run that after setting configurations, it can fetch rules form the server and show issues.
But still it can't clearly indicate code-duplication and coverage. Can anyone tell me, what has gone wrong or it's a bug?
SonarLint doesn't support those features, it goes out of its scope as SonarLint won't necessarily scan the entire project. SonarLint only shows code issues.
Use SonarQube and one of its Scanners to have that information.
We are experiencing a problem with our Jenkins CI server.
Our CI implementation relies on several Groovy scripts, which we execute in Jenkins as "System Groovy scripts". This has been this way for years, and the scripts have undergone no recent modifications, and implement build flows, business logic steps such as version checking, etc.
Yesterday we started experiencing an exception in every Jenkins job that we tried to lauch that, one way or another, tried to execute Groovy scripts. The exception is:
java.lang.StackOverflowError
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.additiveExpression(GroovyRecognizer.java:12478)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.shiftExpression(GroovyRecognizer.java:9695)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.relationalExpression(GroovyRecognizer.java:12383)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.equalityExpression(GroovyRecognizer.java:12307)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.regexExpression(GroovyRecognizer.java:12255)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.andExpression(GroovyRecognizer.java:12223)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.exclusiveOrExpression(GroovyRecognizer.java:12191)
hundreds of similar lines
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.compoundStatement(GroovyRecognizer.java:7510)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.compatibleBodyStatement(GroovyRecognizer.java:8834)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.statement(GroovyRecognizer.java:899)
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.compilationUnit(GroovyRecognizer.java:757)
at org.codehaus.groovy.antlr.AntlrParserPlugin.transformCSTIntoAST(AntlrParserPlugin.java:131)
at org.codehaus.groovy.antlr.AntlrParserPlugin.parseCST(AntlrParserPlugin.java:108)
at org.codehaus.groovy.control.SourceUnit.parse(SourceUnit.java:236)
at org.codehaus.groovy.control.CompilationUnit$1.call(CompilationUnit.java:161)
at org.codehaus.groovy.control.CompilationUnit.applyToSourceUnits(CompilationUnit.java:846)
at org.codehaus.groovy.control.CompilationUnit.doPhaseOperation(CompilationUnit.java:550)
at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:526)
at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:503)
at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:302)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:281)
at groovy.lang.GroovyShell.parseClass(GroovyShell.java:731)
at groovy.lang.GroovyShell.parse(GroovyShell.java:743)
at groovy.lang.GroovyShell.parse(GroovyShell.java:770)
at groovy.lang.GroovyShell.parse(GroovyShell.java:761)
at groovy.lang.GroovyShell$parse.call(Unknown Source)
at com.cloudbees.plugins.flow.FlowDSL.executeFlowScript(FlowDSL.groovy:80)
at com.cloudbees.plugins.flow.FlowRun$FlyweightTaskRunnerImpl.run(FlowRun.java:219)
at hudson.model.Run.execute(Run.java:1759)
at com.cloudbees.plugins.flow.FlowRun.run(FlowRun.java:155)
at hudson.model.ResourceController.execute(ResourceController.java:89)
at hudson.model.Executor.run(Executor.java:240)
at hudson.model.OneOffExecutor.run(OneOffExecutor.java:43)
This looks like that the Groovy parser inside Jenkins is reaching the top of the stack while trying to parse the groovy script (as I have said, this abruptly started to happen with many scripts that worked perfectly before and had undergone no recent modification).
Currently our Jenkins installation (v1.594) runs on a Websphere 8.5.5.2 application server on AIX v7.1 (don't know exactly the fix pack level and / or if it has recently suffered any kind of update, still trying to gather the info).
After a restart, we returned to normal behavior (all the scripts were working as usual again without any modification to them).
Does anyone know about some incompatibility of any underlying library with Jenkins Groovy parsing?
There is a problem with the groovy code; causing the parser to go nuts:
java.lang.StackOverflowError
at org.codehaus.groovy.antlr.parser.GroovyRecognizer.additiveExpression(GroovyRecognizer.java:12478)
Based on a similar ticket:
https://issues.apache.org/jira/browse/GROOVY-1783,
it is possible that your code has circular references; or creating too many functions on the fly. You can take the approach of analyzing your code and trying to put anything that is going to make allocations outside of loops; in particular complex inline functions.
Another approach is to go look at the Build Flow plugin and scroll down the documentation and see how you could write an extension point rather than use groovy. This may not be easy to do and requires effort; but you can write a lot of tests for your code that way. You would still use groovy for the glue; but use java directly for the hot spots.
A third approach would be to file a ticket on the Groovy issue tracker; and see what the experts find out.