Can SonarQube scan SwiftUI well?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Community Edition Version 9.1 (build 47736)
  • what are you trying to achieve
  • Scan an iOS project including the Swift and SwiftUI languages
  • what have you tried so far to achieve this
  • The Data that SonarQube returned is very low.

    For the above image, SonarQube scans Kotlin well, but cannot recognize SwiftUI?
    Can someone help me answer?
    Thanks a lot

Hey there.

Swift is supported in the Developer Edition of SonarQube and above ($) and free for open-source projects on SonarCloud.

The question is about SwiftUI not Swift.

Which, if I understand correctly, is still written in Swift and would therefore require Developer Edition and higher to analyze.

Yeah, except that it is a declarative way of building UI which comes with a lot of curly braces that SonarQube flags as call-backs.

A bit late to the game, but I’ll add my $0.02 here.

I’ve started using SonarCloud to scan our iOS app project written in Swift/SwiftUI

For the SwiftUI code, it complains a lot about SwiftUI DSL with closures everywhere, as @Darotudeen_Durosomo said

It’s a bit of a pain in the neck as it adds a lot of noise to the analysis.

SwiftUI code almost always has import SwiftUI somewhere, so it would be nice to turn the warnings off in this case.

Hey @ladislas

Can you provide a specific reproducer for the issue? Then I’m happy to pass it over to the relevant team.

I think if we split the rule based on (1) functions that return a SwiftUI.View and (2) everything else, then it would work much better. Then, we could have a rule like 5 or 6 for the max nesting for SwiftUI views and 2 for regular code.

Here’s an example from our code. It’s fairly basic SwiftUI, but still triggers the Code Smell. We do have valid cases where this rule is flagging things we should fix, but as we add more SwiftUI to our project, we’re also getting a lot of these false positives in the scan results.

    public var body: some View {
        if isEditing || (text.isEmpty && isEditable) {
            ZStack {
                TextFieldBackground()
                HStack {
                    SwiftUI.TextField(text: $text) {
                        PlaceholderLabel(text: title)
                    }
                    .textFieldStyle(EmailTextFieldStyle())
                    .focused($isFocused)
                    .onChange(of: isFocused) { newValue in
                        isEditing = newValue
                        if !isEditing {
                            finishedEditingAction()
                        }
                    }
                    TextfieldAccessory(text: text, imageName: trailingAccessoryName, action: { text = "" })
                }
            }
            .onTapGestureForced {
                isFocused = true
            }
        } else {
            HStack {
                RowLabel(title: title, subtitle: text)
                Spacer()
            }
            .onTapGestureForced {
                if isEditable {
                    isEditing = true
                    isFocused = true
                }
            }
        }
    }
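A sketch of the split-threshold idea proposed in the post above, as an added example that is not part of the original post and not SonarQube's implementation. The function `check_nesting`, its `split_views` switch, the brace-counting heuristic and the sample Swift source are all assumptions made for illustration; the limits 5 and 2 are the ones the post suggests.

```python
import re
VIEW_MAX_NESTING = 5     # the post suggests "5 or 6" for SwiftUI views
DEFAULT_MAX_NESTING = 2  # the post suggests 2 for regular code
# Heuristic only: a `var`/`func` line ending in "{" opens a declaration and a declared
# type of `some View` marks it as SwiftUI; braces in strings/comments are not handled.
DECL = re.compile(r"\b(var|func)\s+(\w+)[^{}=]*\{\s*$")
RETURNS_VIEW = re.compile(r"(:|->)\s*some\s+View\b")

def check_nesting(source, split_views=True):
    """Return (name, is_view, max_depth, flagged) for each declaration."""
    results, current, depth = [], None, 0
    for line in source.splitlines():
        if current is None:
            m = DECL.search(line)
            if m:
                current, depth = [m.group(2), bool(RETURNS_VIEW.search(line)), 0], 0
            continue
        for ch in line:
            if ch == "{":
                depth += 1
                current[2] = max(current[2], depth)
            elif ch == "}" and depth > 0:
                depth -= 1
            elif ch == "}":  # brace that closes the declaration itself
                name, is_view, deepest = current
                limit = VIEW_MAX_NESTING if (is_view and split_views) else DEFAULT_MAX_NESTING
                results.append((name, is_view, deepest, deepest > limit))
                current = None
                break
    return results

# Constructed sample, not code from the thread.
SAMPLE = """
var body: some View {
    ZStack {
        HStack {
            TextField("Email", text: $text).onChange(of: isFocused) { newValue in
                if !newValue { finished() }
            }
        }
    }
}
func validate(_ items: [String]) -> Bool {
    for item in items {
        if item.isEmpty { if strict { return false } }
    }
    return true
}
"""
```

With `split_views=False` every declaration is held to the single limit of 2, so the view body (depth 4) is flagged alongside `validate` (depth 3); with the split, only `validate` is reported.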

Thanks @jbuhler-c4. And what version of SonarQube are you using?

Here’s the info from our most recent scan:

SonarScanner 4.7.0.2747
Analyzing on SonarQube server 8.9.1
Enterprise 8.9.1.44547
Plugins:
  * CSS Code Quality and Security 1.4.2.2002 (cssfamily)
  * PL/SQL Code Quality and Security 3.6.1.3873 (plsql)
  * Scala Code Quality and Security 1.8.3.2219 (sonarscala)
  * C# Code Quality and Security 8.22.0.31243 (csharp)
  * Vulnerability Analysis 8.9.0.11439 (security)
  * Java Code Quality and Security 6.15.1.26025 (java)
  * HTML Code Quality and Security 3.4.0.2754 (web)
  * Flex Code Quality and Security 2.6.1.2564 (flex)
  * XML Code Quality and Security 2.2.0.2973 (xml)
  * VB.NET Code Quality and Security 8.22.0.31243 (vbnet)
  * Swift Code Quality and Security 4.3.1.4892 (swift)
  * CFamily Code Quality and Security 6.20.1.32841 (cpp)
  * Python Code Quality and Security 3.4.1.8066 (python)
  * Go Code Quality and Security 1.8.3.2219 (go)
  * JaCoCo 1.1.1.1157 (jacoco)
  * Kotlin Code Quality and Security 1.8.3.2219 (kotlin)
  * RPG Code Quality 2.5.1.2575 (rpg)
  * PL/I Code Quality and Security 1.11.1.2727 (pli)
  * T-SQL Code Quality and Security 1.5.1.4340 (tsql)
  * VB6 Code Quality and Security 2.7.1.2721 (vb)
  * Apex Code Quality and Security 1.8.3.2219 (sonarapex)
  * JavaScript/TypeScript Code Quality and Security 7.4.4.15624 (javascript)
  * Ruby Code Quality and Security 1.8.3.2219 (ruby)
  * Vulnerability Rules for C# 8.9.0.11439 (securitycsharpfrontend)
  * Vulnerability Rules for Java 8.9.0.11439 (securityjavafrontend)
  * License for SonarLint 8.9.1.44547 (license)
  * Vulnerability Rules for JS 8.9.0.11439 (securityjsfrontend)
  * COBOL Code Quality 4.6.2.4876 (cobol)
  * Vulnerability Rules for Python 8.9.0.11439 (securitypythonfrontend)
  * PHP Code Quality and Security 3.17.0.7439 (php)
  * ABAP Code Quality and Security 3.9.1.3127 (abap)
  * Vulnerability Rules for PHP 8.9.0.11439 (securityphpfrontend)

Hello, I’m facing a similar problem.
Do you have any updates about yours?
Thanks!

I haven’t yet. I’ve tried to tag Colin in my responses, but the software here says that I’m too new of a user to tag others.

Hello,

Thanks for reporting this issue. Indeed, I believe that this rule should have an exception for SwiftUI code. I created a ticket to track this issue: SONARSWIFT-541.
