SonarLint not working for coverage and duplications? - java

I am using SonarLint as my static code analysis plugin in IntelliJ. When I run it after setting the configurations, it can fetch rules from the server and show issues.
But it still can't clearly indicate code duplication and coverage. Can anyone tell me what has gone wrong, or is it a bug?

SonarLint doesn't support those features; they are out of its scope, as SonarLint won't necessarily scan the entire project. SonarLint only shows code issues.
Use SonarQube and one of its Scanners to have that information.

Related

Can sonarlint be used in place of checkstyle?

I am working on a project which already has SonarQube integrated. Now, we want to have a plugin in our local IDE (with some sort of XML) so that everyone in the team can have the same set of rules.
I see two options:
SonarLint: I read that SonarQube already has rules that are a replacement for what Checkstyle/PMD and other analyzers have.
So if I use SonarLint and connect it with our SonarQube server, will SonarLint be able to identify all the Checkstyle/PMD violations in our IDE, or will we miss some important violations provided by these external analyzers?
Checkstyle/PMD: We can have different plugins for each of these analyzers with their XML file that can be shared with the team. But this way, we won't be able to integrate with SonarQube.
What would be the better approach?

What Sonarqube scanner is responsible for collecting code duplication analysis for Java?

I am using JaCoCo + Scoverage for a project with a mixed codebase (Java (using JUnit), Scala (using Scalatest)). I'm not seeing any code duplication being reported and I have clearly added some copy/pasted code (in more than a few places; around 10 lines).
I don't see any of this being reported as duplicate code. Is there some plugin I need for Gradle, or in SonarQube, that handles this?
I am not seeing it for either the Java code or the Scala code (I know that sonar-scala doesn't currently support such reports, but I was hoping that there would be some for Java).
We're using Sonarqube 6.7.6.
What do I need to enable to get this working?

Automatically generated code fails CheckStyle standards (jHipster)

I've started working with jHipster on a recent project. It is a tool you can use to autogenerate the full stack of a REST API application using a Spring Boot back end, which should save a great deal of time writing boilerplate code...
Unfortunately, at my work we have coding standards to adhere to in the form of a set of CheckStyle rules. Any code that does not adhere to these rules causes the build to fail. What I am experiencing at the moment is that this autogenerated code is failing the CheckStyle rules in a large number of places. Currently I am handling this by manually trawling through the code fixing each of the issues.
I can't help feeling in the back of my mind there must be a better way of doing this e.g.:
Configuring the IDE (IntelliJ) to ensure the generated code matches the CheckStyle rules. This is certainly possible when coding directly into the IDE.
Configuring jHipster to be aware of the CheckStyle rules before autogenerating the code.
Running a script afterwards which can automatically fix any CheckStyle failures. (I'm sure this must be doable!)
It would be good to hear if anyone knows what the best way to address this issue might be and if anyone has done something similar in the past.

Suppress violations on all auto-generated files as it is out of your control.
http://checkstyle.sourceforge.net/config_filters.html#SuppressionFilter
If you have auto-generated code inside a file with non-generated code that you maintain manually, use comment suppressions.
http://checkstyle.sourceforge.net/config_filters.html#SuppressionCommentFilter
You shouldn't be styling code you don't write, for this exact purpose: you aren't writing it, some utility is, and it wasn't built to your style specifications. If you generate the files again, it will undo any manual changes you made.
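
A Checkstyle configuration wiring up the two filters named in the answer above. This is an added example, not part of the original answer or of jHipster; it assumes Checkstyle 8.1 or later (where `SuppressionCommentFilter` sits under `TreeWalker`), and the suppressions file path and the `com/example/generated` package are hypothetical.

```xml
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
    "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
    "https://checkstyle.org/dtds/configuration_1_3.dtd">
<!-- checkstyle.xml (added example; paths and package names are assumptions) -->
<module name="Checker">

  <!-- Whole-file suppression: point Checkstyle at a suppressions file.
       That file (assumed path below) would hold one entry per generated
       tree, for example:
         <suppress files="[\\/]com[\\/]example[\\/]generated[\\/]" checks=".*"/>
       "files" is a regex matched against the file path; keep it as narrow
       as the generator's output directory so hand-written code in
       neighbouring packages is still checked. -->
  <module name="SuppressionFilter">
    <property name="file" value="config/checkstyle/suppressions.xml"/>
    <!-- false = fail the build if the suppressions file is missing,
         rather than silently running with no suppressions. -->
    <property name="optional" value="false"/>
  </module>

  <module name="TreeWalker">
    <!-- In-file suppression for generated regions inside hand-written
         files. With the default formats, checks are switched off between
         // CHECKSTYLE:OFF and // CHECKSTYLE:ON comments. -->
    <module name="SuppressionCommentFilter"/>

    <!-- The team's existing checks stay here unchanged. -->
  </module>
</module>
```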

Can I make Java Custom rules analyze an Android Project on SonarQube?

I'm creating some rules for SonarQube with which it will analyze an Android project and raise some security vulnerability points in the code.
I've already created a custom rule following the Sonar tutorial, to create my own rules with the same structure, but I had some complications. For instance, when I tried to run the test classes, I found some problems with identifying Android classes and validating my rule. After some research I solved the problem, but it seems that when I put my plugin on SonarQube and run it, the problem remains, with the tool not identifying Android classes (I couldn't verify this because I couldn't find a way to debug the web tool and see why the rule is not checking).
Because of this, I need to know if I'm really doing this the right way. Can analyzing an Android project with custom rules directly in SonarQube be done just by following the Sonar tutorial? Do I need custom configurations inside my template or any other step to do it?
If, beyond the answer or the instructions, someone could provide some documentation to help me, I would be deeply grateful.
Thanks in advance for your attention!

SonarLint Eclipse - Analyze all? [duplicate]

I'm evaluating SonarQube 5.4 with SonarLint eclipse plugin.
SonarQube as well as the plugin are set up and are running. But now I'm pretty confused how SonarLint is supposed to run in 'connected mode':
SonarLint is connected with SonarQube and is bound to the corresponding project. But some issues are only shown in SonarQube. It was my understanding SonarLint should be able to identify issues like Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object. But it does not. SonarQube does.
When analysing a single file with SonarLint, there are a lot of debug messages in the SonarLint Console like Class not found in resource cache : org/company/project/CommonSuperClass. But even worse: Class not found in resource cache : java/lang/Class. Is it supposed to do that?
We are specifically interested in highlighting the issues introduced by a developer. SonarQube is connected to our repo and does a nice job in blaming the committer. But it seems there is no way of showing my own issues in SonarLint.
I'd like to run the SonarLint analysis at a time of my choice, so I decided to deactivate "Run SonarLint automatically". But it seems I can only analyze files manually, not packages or projects. Am I missing something again? I do not want to click on every one of my ~2000 files and analyze it by hand.

SonarLint and SonarQube are 2 different products:
You want very fast feedback on the code you are working on to make sure you don't inject issues => SonarLint analyses the files as you open them to write or review code
You want a 360° vision of the quality of your code => SonarQube analyses all the files of your project
The "connected mode" is the bridge between the 2 worlds, and its development is still underway. For instance, we plan to make it possible to see inside SonarLint all the issues found on the project by SonarQube (see and vote for SLE-54).
