Dart: support Melos dependency management?

Great to see Dart support added to SonarCloud!
We use Melos to manage the packages of our app and unfortunately the dart analyzer by itself can’t make sense of the dependencies before melos bootstrap has been executed, naturally this leads to a ton of issues reported in SonarCloud.
I can imagine the decision to skip Melos support for an early access release so I’d like to know if Melos support is already on your backlog for the full release before I start making feature requests :slight_smile:

1 Like

Hello,

Thanks for the feedback. I move your post into a dedicated thread; it should be easier.

We haven’t identified Melos as a package manager to support, so I can’t guarantee we will be able to support it for the full release. We will definitely have a look and evaluate what it costs to support it.

Thanks
Alex

1 Like

Hello @meelisd,

Technically this shouldn’t be an issue and analyzer should be able to see the dependencies, if the melos bootstrap was executed before.

However, I will need to look at your project to see why packages aren’t resolved. Maybe we need something else for Melos. Could you please share a link or reproducer?

Let me know if the project a private and you need a private conversation.

Best,
Margarita

The project I’m working on is private, what options do you have for a private conversation?

Oh, and the sonar scanner step is after the Melos bootstrapping, this is what happens in our github workflow job:

SonarCloud then reports about 1.8K issues that resemble issues I get when running flutter analyze after a melos clean.
Code coverage of the dart code is working properly.
I’m using Sonar modules in my sonar-project.properties, one for each package/app in my Melos workspace.

1 Like

Am I right you’re using this Sonar GitHub Action: GitHub - SonarSource/sonarqube-scan-action?

We’re currently investigating a potential issue with it when analyzing Dart or Flutter projects. Could you please try replacing it with simple bash:

- name: SonarCloud Scan
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          export SONAR_SCANNER_VERSION=6.1.0.4477
          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux-x64
          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux-x64.zip
          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
          export PATH=$SONAR_SCANNER_HOME/bin:$PATH
          export SONAR_SCANNER_OPTS="-server"
          sonar-scanner \
            -Dsonar.organization=your_org \
            -Dsonar.projectKey=your_project_key\
            -Dsonar.sources=. \
            -Dsonar.host.url=https://sonarcloud.io 

And get back to us with the results.

Yes, that’s what we use. I will try you snippet right away

It looks like your snippet fixes it! Can you link whatever changed in that build to my specific issue? Oh, and do you have an estimate of when these updates are expected to land in GitHub - SonarSource/sonarqube-scan-action?

2 Likes

Nice to hear, that it fixes the issue.

The snippet I suggested is actually a simple bash script that does almost the same as Sonarqube Github Action (downloads scanner and runs analysis). You can even extract it into a separate .sh script to make your build script more concise.

The current problem of Sonar GitHub Action is that it runs in Docker (an isolated environment) and doesn’t have access to the dependencies that were downloaded during flutter pub get (or any similar comment). At the moment we’re still investigating what would be the best way to deal with this issue.

Meanwhile, please do not use the Sonarqube Github action but rely on the script I provided. We’ll probably update our docs soon.

Sorry for the inconvenience and thanks a lot for your feedback.

Best,
Margarita

3 Likes

Ah, that makes sense. I’ll keep using this for our flutter project in the meantime.
Thank you very much for the awesome support!

Regards,

Dennis

3 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.