I’d like to add some custom rules for Go, to supplant some other code analyzers I currently use and have everything integrated in SonarQube. I currently use the linter import feature for this, but that’s not nearly as good as having them as integrated rules (I can’t set priority and assign issues and add help text and so on if they just come from a linter import.)
The rules I want to add are fairly simple – they’re basically regex checks, so I can write them using the code for, e.g., slang/checks/HardcodedCredentialsCheck.java as a template.
However, since Go is now part of the Slang framework, I’m having trouble figuring out what all I need to do to get the check to actually run, but only for Go code. I’m amenable to either forking the slang plugin or writing my own separate plugin, but I can’t seem to locate any documentation equivalent to the “Registering the rule in the custom plugin” section of the Java documentation to make it run.
Is there any sample code or instructions on how to add a rule to the current slang-based sonar-go?
Custom rules for Go (and all slang-based languages) are not yet supported. We take good note of your interest and will be eager to consider it if there is popular interest.
Concerning the rules you want to implement, do you think they may benefit others? If yes, you should definitely consider proposing them directly.
I’m amenable to either forking the slang plugin […]
I have to warn you: you should think twice before starting in this direction. Slang is still in its early days; the path the plugin (and even the whole Sonar ecosystem) may take in the future could give you a hard time, and troubleshooting that kind of issue is hard.
Now that you are correctly warned, if you just want to play with it…
Despite the fact that Slang is initially designed for language-agnostic rules, you could add a new one (based on Slang, therefore not using any language-specific node) with proper metadata, and add it to the GoCheckList. At first glance, that’s already enough to naively have a first rule running.
It is not possible to write custom rules for Go. However, the Go analyzer provided by SonarSource is open-source, so you can contribute to it => GitHub - SonarSource/slang
If you don’t feel comfortable doing that, then the best option is to detail (in a dedicated thread) what you want to detect and maybe we will write the rule(s) for you.
You can import the results from gosec using the formatter “sonarqube” and then using the property sonar.externalIssuesReportPaths referencing the path to the output of gosec.
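Since the last reply points at sonar.externalIssuesReportPaths, here is an added example (not code from the thread or from SonarSource) of turning a regex check like the ones the question describes into a report in the generic issue import format that property consumes; the engine id, rule id, pattern and sample Go file are constructed for the example.

```python
import json
import re

# Constructed rule in the style of the "basically regex checks" from the question.
# Severity/type values follow SonarQube's generic issue import format.
RULES = [
    {
        "ruleId": "go-hardcoded-credential",
        "pattern": re.compile(r'(?i)(password|passwd|secret|token)\s*(?::=|=)\s*"([^"]*)"'),
        "message": "Hard-coded credential assigned to a variable",
        "severity": "CRITICAL",
        "type": "VULNERABILITY",
    },
]


def scan_source(path, source):
    """Return one generic-issue object per rule match in a single Go file."""
    issues = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            for m in rule["pattern"].finditer(line):
                issues.append({
                    "engineId": "custom-go-regex",  # constructed engine id
                    "ruleId": rule["ruleId"],
                    "severity": rule["severity"],
                    "type": rule["type"],
                    "primaryLocation": {
                        "message": rule["message"],
                        "filePath": path,
                        # lines are 1-based, columns 0-based in this format
                        "textRange": {
                            "startLine": line_no,
                            "endLine": line_no,
                            "startColumn": m.start(),
                            "endColumn": m.end(),
                        },
                    },
                })
    return issues


def build_report(issues):
    """Wrap issues in the top-level object sonar.externalIssuesReportPaths expects."""
    return {"issues": issues}


# Constructed sample: lines 3 and 5 should be flagged, line 4 (env lookup) should not.
SAMPLE_GO = '''package main

const apiToken = "hunter2-not-a-real-secret"
var password string = os.Getenv("DB_PASSWORD")
password = "changeme"
'''

if __name__ == "__main__":
    found = scan_source("cmd/app/main.go", SAMPLE_GO)
    print(json.dumps(build_report(found), indent=2))
```

Write the printed JSON to a file and point sonar.externalIssuesReportPaths at it, the same way the reply above describes for the gosec output.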