External reports not importing / showing

Software:

  • Sonarqube version: 9.5.0.56709
  • FindSecBugs plugin version: 4.1.5

Goal: Import FindSecBugs report files to Sonarqube working on local machine

The problem is that the logs show that the report is being imported

[INFO] Sensor Import of SpotBugs issues [java]
[INFO] Importing /Users/mmardanyan/Documents/SAST-tools-comparison/owasp-benchmark-java/BenchmarkJava/results/findbugs-result.xml
[INFO] Sensor Import of SpotBugs issues [java] (done) | time=450ms

but the issues are not shown in the web console.

I have tried with different directories and different files, all of them with valid syntax, using different Quality profiles and reading all the logs, but I didn’t find any hint about what the problem is.

Hi,

Welcome to the community!

Do you have the FindBugs plugin installed in your SonarQube instance?

And are you also trying to import an externally-generated report?

I don’t know that the two would clash, but generally it’s going to be one or the other. SpotBugs reports are imported natively, so there’s no need for a plugin to do that.

Beyond that, though, the analysis report snippet you’ve shared indicates that the report is imported.

Is it possible that they’re there but you’re not seeing them because of filtering on the Issues page?

Ann

Hi Ann!

Thanks for your quick response. Yes, I had the plugin installed, I removed it and restarted the sonarqube console, but I am getting the same results.

I think the results are not filtered, find attached a screenshot.

The two code smells that can be seen are found by a custom quality profile that only has one rule. The reason is that in this way it is easier to see the imported ones from the external report.

Hi,

Thanks for the screenshot. I know you can’t prove a negative, but this helps.

So now… can you turn on debug analysis logging so we can see if it says anything else about the import of that report?

Can you take a look at the report contents and make sure the file paths in the report match up with what analysis is seeing in terms of file paths (either relative or absolute)?

Ann

Hi Ann,

I turned the analysis logging to DEBUG and checked all the generated logs; none of them logs anything about the importing of the file. Find attached a screenshot of the console.

Also checked the report paths and everything is correct.

Finally, I also added the -Dsonar.verbose=true flag to the scan from the command line, but I am not getting additional log info.

Hi,

What you’re showing in the screenshot is about server-side logging. When you tune that value, the server logs get big fast. Hopefully you’ve re-set it to INFO by now.

Really? Could you post that analysis log?

Ann

Hi,

The input is

mvn clean verify sonar:sonar \
  -Dsonar.projectKey=owasp-benchmark-report \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=<key> \
  -Dsonar.verbose=true \
  -Dsonar.java.spotbugs.reportPaths=/Users/mmardanyan/Documents/SAST-tools-comparison/owasp-benchmark-java/BenchmarkJava/results/findbugs-result.xml

And the output is

[INFO] Sensor Import of SpotBugs issues [java]
[INFO] Importing /Users/mmardanyan/Documents/SAST-tools-comparison/owasp-benchmark-java/BenchmarkJava/results/findbugs-result.xml
[INFO] Sensor Import of SpotBugs issues [java] (done) | time=380ms

Please find attached the whole log file for more detail:
logs.txt (1.2 MB)

On the other hand, I don’t understand whether you are pointing out any error on my part in your first sentence:

Regards


Hi Ann, any clue about this?

Thanks

Hi,

Since debug logging didn’t give us any more to work with, I’m out of my depth & have called in the experts.

Ann

Great! Thank you, I am looking forward to your response.

Hi @ganncamp ,

Do we have any possible solution?

Thanks

Hi,

Pinging again so the issue does not get closed.

Regards

Hi Mikayel,

Please excuse the wait. If I am understanding you correctly, you would like to import the FindSecBugs results and don’t mind whether this happens via the FindSecBugs plugin or the SonarQube built-in report importing mechanism. Is that accurate? We can try to help you with the latter, for the FindSecBugs plugin I would refer you directly to the developers of the plugin, who will be of more help. Hence, I am assuming we are talking about the report importing feature from now on.

You are running the scan with maven, so to actually display the debug logs you need to use the additional -X or --debug flag, such that maven does not swallow the debug output produced by the Sonar plugin. Could you please re-run the maven command you posted above with this additional flag and report back on the output?

What are you actually analyzing? Is it a public project? If so, could you share it with us, so we can try to reproduce your issue?

Could you please also share the findbugs-result.xml file as far as it doesn’t contain any sensitive information? I can also open a private channel for you to share this file, if you prefer.

Hi Johann,

Thank you for your response, my goal is to import the FindSecBugs results using only the SonarQube built-in report importing mechanism, so your answer helps me.

I re-ran the maven command adding the -X flag and got a lot of detailed information, thanks 🙂. The output that I get is the following:

[INFO] 12:54:58.172 Importing /Users/mmardanyan/Documents/SAST-tools-comparison/owasp-benchmark-java/BenchmarkJava/results/findbugs-result.xml
[DEBUG] 12:54:58.261 Unexpected missing 'BugCollection/Project/SrcDir/text()'.
[DEBUG] 12:54:58.261 Unexpected missing 'BugCollection/Project/SrcDir/text()'.
[DEBUG] 12:54:58.262 Unexpected missing 'BugCollection/Project/SrcDir/text()'.
... (more than 1000 times)
[INFO] 12:54:58.702 Sensor Import of SpotBugs issues [java] (done) | time=531ms

I can share the whole output with you, but I think this is the part we have to focus on. I understand that the report is not being imported because there is a missing SrcDir/text() tag inside BugCollection/Project. However, I don’t understand why it is missing, as this report is generated directly from FindSecBugs, or what info I have to add in this tag.

I am analyzing a public project, this one: OWASP Java Benchmark project

I am okay with opening a private channel to share the findbugs-result.xml.

Thank you
Regards

Hello Mikayel,

Please excuse the delay and thanks for sharing the report file. I’ve been able to look into your issue in more depth in the meantime.

Your logs show that the correct sensor is running and that it is reading the XML, which is a good sign. It simply seems to be missing some information. For Sonar to know where to raise issues, it must know where the source directories are. You’re getting the warning Unexpected missing 'BugCollection/Project/SrcDir/text()'. because these source directories are not included in your report file. For the importing to work correctly, you need to supply these SrcDirs to SpotBugs, such that it can add them to the report.

When I add the following line in BugCollection/Project, the issues show up. (Replace the ... with whatever applies in your case of course).

<SrcDir>/.../BenchmarkJava/src/main/java</SrcDir>

Of course, by supplying SpotBugs with this path during its analysis, it will add it to the report file itself.
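The following script is an added example for this thread; it is not SonarQube's or SpotBugs' own code. It parses a SpotBugs/FindSecBugs XML report with the standard library, reports whether BugCollection/Project carries any SrcDir entries (the condition behind the "Unexpected missing 'BugCollection/Project/SrcDir/text()'" debug line), shows how an importer resolves each issue's sourcepath against those directories, and adds a SrcDir when the report lacks one. The report snippet, the source tree it is checked against and the demo() helper are constructed for illustration; the matching shown here is the general sourcepath-under-SrcDir rule, and SonarQube's own path matching may differ in detail.

```python
"""Check a SpotBugs/FindSecBugs report for the SrcDir entries an importer needs."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed minimal report with no SrcDir under BugCollection/Project.
# The BugInstance mirrors the shape of a FindSecBugs finding; the values are illustrative.
REPORT_WITHOUT_SRCDIR = """\
<BugCollection version="4.7.0" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <Project projectName="BenchmarkJava">
    <Jar>target/classes</Jar>
  </Project>
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" rank="5" abbrev="SECSQLIJDBC" category="SECURITY">
    <ShortMessage>Potential SQL Injection</ShortMessage>
    <Class classname="org.owasp.benchmark.testcode.BenchmarkTest00001">
      <SourceLine classname="org.owasp.benchmark.testcode.BenchmarkTest00001"
                  sourcefile="BenchmarkTest00001.java"
                  sourcepath="org/owasp/benchmark/testcode/BenchmarkTest00001.java"/>
    </Class>
    <SourceLine classname="org.owasp.benchmark.testcode.BenchmarkTest00001" start="60" end="60"
                sourcefile="BenchmarkTest00001.java"
                sourcepath="org/owasp/benchmark/testcode/BenchmarkTest00001.java"/>
  </BugInstance>
</BugCollection>
"""


def src_dirs(report_xml: str) -> List[str]:
    """Return the non-empty SrcDir texts under BugCollection/Project (empty list = importer cannot place issues)."""
    root = ET.fromstring(report_xml)
    return [e.text.strip() for e in root.findall("Project/SrcDir") if e.text and e.text.strip()]


def add_src_dir(report_xml: str, src_dir: str) -> str:
    """Add a <SrcDir> to BugCollection/Project (idempotent) and return the new XML text."""
    root = ET.fromstring(report_xml)
    project = root.find("Project")
    if project is None:
        raise ValueError("report has no BugCollection/Project element")
    if src_dir not in src_dirs(report_xml):
        el = ET.SubElement(project, "SrcDir")
        el.text = src_dir
    return ET.tostring(root, encoding="unicode")


def resolve_issue_files(report_xml: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each BugInstance's top-level SourceLine sourcepath with the first SrcDir
    under which that file exists on disk, or None when no SrcDir contains it."""
    root = ET.fromstring(report_xml)
    dirs = src_dirs(report_xml)
    resolved = []
    for bug in root.findall("BugInstance"):
        line = bug.find("SourceLine")  # direct child only, not the one nested under <Class>
        if line is None or not line.get("sourcepath"):
            continue
        sourcepath = line.get("sourcepath")
        hit = next((d for d in dirs if os.path.isfile(os.path.join(d, sourcepath))), None)
        resolved.append((sourcepath, hit))
    return resolved


def demo() -> dict:
    """End-to-end check against a constructed temporary source tree: before and after adding SrcDir."""
    result = {"before": src_dirs(REPORT_WITHOUT_SRCDIR)}
    with tempfile.TemporaryDirectory() as tmp:
        src_root = os.path.join(tmp, "BenchmarkJava", "src", "main", "java")
        src_file = os.path.join(src_root, "org", "owasp", "benchmark", "testcode", "BenchmarkTest00001.java")
        os.makedirs(os.path.dirname(src_file))
        with open(src_file, "w", encoding="utf-8") as fh:
            fh.write("// constructed placeholder source file\n")
        result["unresolved"] = resolve_issue_files(REPORT_WITHOUT_SRCDIR)  # nothing resolves: no SrcDir
        fixed = add_src_dir(REPORT_WITHOUT_SRCDIR, src_root)
        result["after"] = src_dirs(fixed)
        result["resolved"] = resolve_issue_files(fixed)
        result["resolved_ok"] = all(hit is not None for _, hit in result["resolved"])
    return result


if __name__ == "__main__":
    r = demo()
    print("SrcDir before:", r["before"], "-> unresolved:", r["unresolved"])
    print("SrcDir after:", r["after"], "-> all resolved:", r["resolved_ok"])
```

Patching the XML after the fact, as add_src_dir does, is only a diagnostic shortcut; the durable fix is the one Johann describes, giving SpotBugs the source path at analysis time so that it writes the SrcDir itself (the SpotBugs command-line tool takes a -sourcepath option for this). Running src_dirs over a report before handing it to the scanner is a cheap pre-flight check that catches the empty-SrcDir case without enabling Maven debug output.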