Create custom rule for <?php language_attributes(); ?>

I am scanning a WP Plugin with SonarCloud and it flagged the usage of <?php language_attributes(); ?> in the html tag as: Add "lang" and/or "xml:lang" attributes to this "<html>" element.

This is a false positive, since WordPress will indeed add the HTML language attribute thru the function <?php language_attributes(); ?>

How do I update my SonarCloud instance so that in this and future projects, said function is recognised as a valid HTML lang attribute?
I would prefer not to just “mark as false positive” or “ignore”, but instead set a proper rule that takes care of this.

Same goes for the title tag, which in WP we produce with a special support statement in the code (it does not even appear in the actual HTML head; it will appear elsewhere, for example in a theme’s functions.php file, or so).

It would be really useful if someone could tell me how to modify this.

There are more such issues, like “Class names should comply with a naming convention” flags, which are 100% wrong when using SonarCloud on WP Code.
WP Code expects underscores in the class name; SonarCloud forbids them.

I have read thru hundreds of threads here in the community and they all point to “You can have a look to our extension guide in order to figure out how to proceed”. Said extension guide is a 404 in all cases; the link is usually this:
https://docs.sonarqube.org/display/DEV

So, how do we use this tool efficiently on WP Code base? If it is not possible, it would still be useful to know that it is not possible.

Hey @smileBeda,

Regarding your second concern with rule S101 “Class names should comply with a naming convention”: You can configure the rule with a regular expression parameter matching what you are looking for. To achieve this:

  • If you are not using a custom quality profile, you have to create one. For example, by extending the “PHP Sonar Way” profile:

  • When you then visit the rule, you can change its “format” parameter for your custom profile (something like ^[A-Z][a-z0-9]*(_[A-Z][a-z0-9]*)*$ should match what you are looking for):

  • Of course, you also have to make sure to analyze the project with your custom quality profile. Either by setting it as default for PHP, or by changing it in your project’s settings.

Regarding your first point with the HTML attributes: this seems to be a problem with the HTML analyzer. I’ll verify that and get back to you.

Best,
Karim.

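An added example (not part of the reply above, and not SonarSource code): a small Python check that tries a candidate value for the S101 “format” parameter against PHP class declarations before it is saved in a custom quality profile. The PHP sample, its class names and the RELAXED pattern are assumptions made for this illustration; both patterns use only basic regex syntax that behaves the same across engines.

```python
import re

# Format suggested in the reply above for rule S101's "format" parameter.
SUGGESTED = r"^[A-Z][a-z0-9]*(_[A-Z][a-z0-9]*)*$"
# Assumption (not from the thread): a looser variant that also accepts
# upper-case runs such as "WP" or "REST" inside a word. Note that it
# accepts CamelCase words like "MyPlugin" as well.
RELAXED = r"^[A-Z][A-Za-z0-9]*(_[A-Z][A-Za-z0-9]*)*$"

# Constructed PHP sample; the class names are illustrative only.
SAMPLE_PHP = """<?php
class My_Plugin_Admin {}
final class WP_Custom_Query extends WP_Query {}
abstract class My_Plugin_REST_Controller {}
class my_plugin_helper {}
// class Commented_Out {}
$s = 'class not_a_declaration';
"""

# Matches a class declaration at the start of a line, with optional
# "abstract"/"final" modifiers. Commented-out lines and string literals
# that merely contain the word "class" are skipped.
CLASS_DECL = re.compile(
    r"^[ \t]*(?:(?:abstract|final)\s+)*class\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.MULTILINE,
)


def declared_classes(php_source):
    """Return the declared class names in source order."""
    return CLASS_DECL.findall(php_source)


def violations(php_source, fmt):
    """Return the class names that the given format would still flag."""
    pattern = re.compile(fmt)
    return [n for n in declared_classes(php_source) if not pattern.fullmatch(n)]


if __name__ == "__main__":
    for label, fmt in (("suggested", SUGGESTED), ("relaxed", RELAXED)):
        print(label, "still flags:", violations(SAMPLE_PHP, fmt))
```

With the suggested format, names containing upper-case runs (WP_Custom_Query, My_Plugin_REST_Controller) are still flagged alongside the all-lower-case one, so the pattern may need loosening for code that uses WordPress-style acronyms in class names.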

Thank you so much! This is a start 🙂

Note that the first issue is not really due to HTML attributes. The thing is, SonarCloud expects an HTML attribute, but we pass it with PHP, which likely isn’t known by SonarCloud to be producing an actual HTML attribute later (since it is a WP function).

I will try the custom ClassName Rule today, excited about this…


Hey @smileBeda,

Regarding the missing lang attribute rule (S5254) combined with language_attributes(), the issue is already tracked in this ticket as it was already reported in this thread.

Unfortunately, for now, there is no better solution than marking the findings as false positives, or creating a custom quality profile (as you might have already done), and deactivating the rule in it. Same for the title tag rule.

Best,
Karim.

Thanks @Karim_El_Ouerghemmi - I successfully changed the ClassName rule in my own quality profile, which I “forked” off the SonarCloud default.
That worked great. I then scanned a new project after setting my new Quality Profile as the default and ta-da, no more notice to rename those Classes.

So far, excellent.


About the HTML lang attribute, acknowledged.
However, a question here. I tried, just because it worked so well with the PHP Profile, to create a custom HTML profile. Located the Language rule, and tried to change it, just as I did with the PHP rule. However… I can’t seem to alter any HTML rule, just change its priority.

How come we can alter PHP rules, but not HTML rules? Is this something that will be possible in future?
I mean, it would allow the user to add such things themselves, instead of requiring an actual bug-fix within SonarCloud, if we could alter the HTML rules as well.

Thanks!

BTW, if and once I finish my own profile for WP… is there some way to share this with you so you can perhaps release it as a standard WP Ruleset? At least for PHP, that is.

I just discovered that only some rules actually can be edited… and I can’t seem to add my full own custom rules.

Like, say - if I have a rule I want to add to use wp_unslash when accessing $_POST global, and said rule doesn’t exist in SonarCloud, how would I add it?

Hey @smileBeda,

Great to know 🙂

Not all rules have parameters that can be customized. It is usually rules that raise when something doesn’t match a specific pattern (like the one with the class names), or when something is above/below a specific threshold (e.g., maximum number of function parameters, lines of code, etc…).
In the case of the HTML rule you are having trouble with, the implementation of the rule has to be adapted to account for the possibility that the tag gets injected in the HTML by some other language (e.g., PHP). This is something that was missed in the initial implementation, and requires a bug-fix on our part.

Custom quality profiles can be exported and imported in other instances (be it SonarQube or SonarCloud). For this, in the “Quality Profiles” page, you have to click on the settings icon beside your custom profile, and then on “Back up”.
We are always happy to receive suggestions for new rules (the suggestions category in this forum can be used for that). Good WordPress support is also something we are definitely interested in. We did already greatly improve our support for it (especially for the security analysis) in the past weeks/months (see MMF-2470, MMF-2479, and MMF-2466). So don’t hesitate to let us know when you have ideas for new rules.

Unfortunately, this is not possible. In SonarQube it is possible but requires writing a custom analysis plugin (see the “Custom Rules” section here).

Best,
Karim.
