Create Custom Rule to Track breaches of an XPath rule

Hi,
I want to create a custom sonar-xml-plugin for the below custom rule

Log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>
<Property name="appenderPatternLayout">[%t] %d{dd MMM yyyy HH:mm:ss,SSS} %-5p %-15c{1} [%X]: %cm%ex%n</Property>

I want to make sure that “%ex” is present in the Property tag mentioned above in the log4j2.xml file.

XPath: not(contains(/Configuration/Properties/Property[@name='appenderPatternLayout']/text(),'%ex'))

For creating the plugin, I cloned the code from Git and created files similar to XPathCheck since I wanted to extend this check.

I was able to build sonar-log4j-xml-plugin-2.1.0-SNAPSHOT.jar using maven.

When I try to add this custom jar to the existing sonarqube folder “sonarqube-8.2.0.32929/extensions/plugins”, I am not able to restart the sonarqube server on my mac. The server comes up and then shuts down immediately.

Could anyone please suggest any solutions?

Thanks
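An added example, not part of the original posts or of the sonar-xml code: a stand-alone Python check (standard library only) for the same condition as the XPath above. It also models how XPath 1.0 evaluates that expression, where an absent Property converts to an empty string, so the expression is true for XML files that are not Log4j2 configurations at all. The function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the original post).
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Properties>
    <Property name="appenderPatternLayout">[%t] %d %-5p %c{1}: %m%ex%n</Property>
  </Properties>
</Configuration>"""
NO_EX = GOOD.replace("%ex", "")
NO_PROPERTY = GOOD.replace("appenderPatternLayout", "otherLayout")
NOT_LOG4J = "<project><modelVersion>4.0.0</modelVersion></project>"

PATH = "./Properties/Property[@name='appenderPatternLayout']"


def check_layout(xml_text, token="%ex"):
    """Return 'ok', 'missing-token', 'missing-property' or 'not-log4j2'."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return "not-log4j2"
    # Same location path as the XPath in the post, relative to the root element.
    matches = root.findall(PATH)
    if not matches:
        return "missing-property"
    # XPath contains() on a node-set only looks at the first node.
    text = matches[0].text or ""
    return "ok" if token in text else "missing-token"


def xpath_would_flag(xml_text, token="%ex"):
    """Truth value of the post's XPath 1.0 expression for this document."""
    root = ET.fromstring(xml_text)
    first = root.find(PATH) if root.tag == "Configuration" else None
    # string() of an empty node-set is "", so not(contains("", "%ex")) is true.
    text = (first.text or "") if first is not None else ""
    return token not in text


if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no %ex", NO_EX),
                      ("no property", NO_PROPERTY), ("pom-like", NOT_LOG4J)]:
        print(f"{name:12} {check_layout(doc):17} xpath true: {xpath_would_flag(doc)}")
```
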

Hey there.

Whatever reason your server isn’t starting up will probably be found in your logs/web.log file.

And, I’m not really sure why you felt you needed to fork the plugin! XPathCheck is a templated rule where you can plug in your own XPath expression and create a custom rule.

No custom java development required. :slight_smile:

Colin

Hi Colin,
Thanks for responding.

I had created a custom rule on my local sonar server using the template as mentioned above to test, but the sonar team in my company needs a jar file that they can use as a plugin to integrate with the enterprise sonar instance. Hence I was trying to create a custom jar file for xml as it is done for customizing java rules. Is there a way to do that or is it not possible?

Thanks

Hi,
I have created a custom xml rule as mentioned above. Added it to Quality Profile under XML Sonar Way and assigned my project to it. But I am not able to see the violation in the log4j file on the console.
Is some configuration missing?

[INFO] Quality profile for java: Sonar way
[INFO] Quality profile for xml: AvoidExtendingExceptionInLog4j

[WARNING] Missing blame information for the following files:
[WARNING]   * pom.xml
[WARNING]   * src/main/resources/log4j2.xml
[WARNING] This may lead to missing/broken features in SonarQube

Also, would this Rule be lost in case the sonar server is restarted?

Thanks

Custom rules made from templates are stored in the database – so not lost on restart.

I’m surprised to hear your SonarQube admins would rather a custom plugin – and I think you should challenge them. Installing custom plugins on a SonarQube instance comes with some risk (What if APIs change? What if you leave the company and nobody else knows how the source code works?). A server restart is also required anytime you’d want to make an update.

I’m not an xPath expert so I’m not sure how much help I’ll be – but how exactly did you configure the custom rule (screenshots are welcome!) and what project did you analyze where you expected an issue to be raised (a zipped up reproducer also welcome :slight_smile: )

Hi Colin,
It worked on my local. I had not activated the Quality Profile in the Rules tab. Good to know that the changes will not be lost. I will try and convince the SonarQube Admin to create an XPath configuration instead of a plugin, but is there any way to create a custom plugin for XML, if at all they don’t agree?

Thanks