We would like to submit a new plugin for SonarQube, hoping it will be useful. Hadolint is a tool used to analyze Dockerfiles, so the plugin basically parses Hadolint reports, creates a Dockerfile language with metrics & highlighting, and a dedicated Quality Profile.
Here is the required content:
Short description: Sonar Hadolint Plugin allows users to import results from Hadolint into SonarQube.
You can use the Sonar Hadolint Plugin project to test it, as it contains a sample Dockerfile for unit-test purposes.
Just run Hadolint on this file, “src/test/resources/project/Dockerfile”, add the documented options during scanner analysis (here: https://github.com/cnescatlab/sonar-hadolint-plugin#plugins-properties), and you should have some data to test it.
Otherwise, you could use another of our projects, with a Dockerfile in the root directory, here: https://github.com/cnescatlab/docker-cat
This one will trigger quality issues for sure.
And now I’m on to the plugin itself. Generally this looks pretty good:
Must do
Your docs say
For identified Dockerfiles in your projects, the plugin calculates two metrics: number of comments, and number of lines of code.
Did you also provide NCLOC_DATA, as described in the requirements?
Nice to have
Your docs make it sound like you’ll eventually fire off the Hadolint checker directly. That will be nice. It’s not a stumbling block for Marketplace inclusion, but I know your users will appreciate it
Your docs say:
sonar.lang.patterns.dockerfile:
Comma separated list of patterns matching Dockerfiles inside your project.
This property MUST be defined if you want the plugin to work.
It’s not clear to me why you don’t set a sane default (ehm… “Dockerfile”?) for this … the way you did for the report path.
It’s also not clear to me why the property is not configurable via the UI
Regarding the PR, I agree with you and will update it accordingly.
Regarding the plugin now:
The NCLOC_DATA metric is indeed provided. If you want to be sure, I have copied below an extract of our “src/main/java/fr/cnes/sonar/plugins/hadolint/metrics/DockerfileMetrics.java” file, which contains this line: linesOfCode.forEach(line -> fileLinesContext.setIntValue(CoreMetrics.NCLOC_DATA_KEY, line, 1));
We decided not to implement the call to the hadolint checker in the first version, but it might be a good idea for the next one. Not sure if we have enough time right now to do it, so if you think this could wait, we will schedule this for later.
Maybe it’s not clear to you because we obviously just forgot to do it. I’ll do it quickly then.
Again, just a silly oversight. I’ll do it quickly too.
Now I have some questions for you!
We saw that some modifications should be made to the plugin before being published, so… what is the best way to do it regarding our request?
We will create a new version (1.1.0?), but then, should we modify the PR to publish 1.1.0 as the first and only marketplace release? Or should we put the 1.0.0 as an archived version, and add the 1.1.0 as the last available version?
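An added illustration (not the plugin's own DockerfileMetrics.java, and not part of the thread above) of the line classification that sits behind the two metrics and the per-line NCLOC_DATA entries quoted earlier: each physical line of a Dockerfile is counted as a line of code, a comment, or blank, using the Dockerfile rule that only a line whose first non-blank character is `#` is a comment. The sample Dockerfile in `main` is constructed here; the class and method names are this example's own, and it assumes the default escape character `\`. The `nclocData()` map has the same shape the quoted `fileLinesContext.setIntValue(CoreMetrics.NCLOC_DATA_KEY, line, 1)` call writes into SonarQube.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.SortedSet;
import java.util.TreeSet;

/**
 * Illustrative line classifier for Dockerfile metrics (example code, not the
 * sonar-hadolint-plugin's own). Assumes the default escape character '\';
 * a "# escape=`" parser directive changes how continuations are written but
 * does not change which lines are comments.
 */
public final class DockerfileLineMetrics {

    /** Line numbers are 1-based, as SonarQube's FileLinesContext expects them. */
    public static final class Result {
        public final SortedSet<Integer> linesOfCode = new TreeSet<>();
        public final SortedSet<Integer> commentLines = new TreeSet<>();

        public int ncloc() { return linesOfCode.size(); }
        public int comments() { return commentLines.size(); }

        /** Per-line NCLOC_DATA: line number -> 1 for every line of code. */
        public Map<Integer, Integer> nclocData() {
            Map<Integer, Integer> data = new LinkedHashMap<>();
            for (int line : linesOfCode) {
                data.put(line, 1);
            }
            return data;
        }
    }

    public static Result compute(String dockerfile) {
        Result result = new Result();
        // A trailing newline yields a final empty element; it is blank and skipped.
        String[] lines = dockerfile.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            String trimmed = lines[i].trim();   // trim() also drops a CRLF '\r'
            if (trimmed.isEmpty()) {
                continue;                        // blank: neither code nor comment
            }
            if (trimmed.startsWith("#")) {
                // Dockerfile rule: '#' as the first non-blank character starts a
                // comment (parser directives such as "# syntax=" included). Docker
                // removes these lines before joining continuation lines, so a '#'
                // line inside "RUN ... \" is still a comment and must not count as code.
                result.commentLines.add(i + 1);
            } else {
                // Everything else is code: a line such as "CMD foo # tail" is code
                // because '#' is not a comment marker mid-line, and every physical
                // line of a continued instruction counts once, since NCLOC_DATA is per line.
                result.linesOfCode.add(i + 1);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample Dockerfile; not the plugin's test resource.
        String sample = String.join("\n",
            "# syntax=docker/dockerfile:1",
            "FROM debian:bookworm-slim",
            "",
            "RUN apt-get update && \\",
            "    # comment inside a continuation: still a comment",
            "    apt-get install -y curl && \\",
            "    rm -rf /var/lib/apt/lists/*",
            "CMD [\"curl\", \"--version\"] # not a comment",
            "");
        Result r = compute(sample);
        System.out.println("ncloc=" + r.ncloc() + " comments=" + r.comments());
        System.out.println("ncloc_data=" + r.nclocData());
    }
}
```

Run with `java DockerfileLineMetrics.java` (single-file launch, Java 11+). In a sensor the two totals would be saved as NCLOC and COMMENT_LINES measures and the map iterated into `setIntValue(CoreMetrics.NCLOC_DATA_KEY, line, 1)` followed by `save()`, exactly as the quoted line does.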
Since you’ve already handled the only must-do (I figured it was there, I just needed to make sure) we can put this version in the Marketplace as-is if you like once the PR is updated.
In fact… I think I’d prefer to do that since I might feel compelled to re-test if you made pre-addition changes.
The other things can be handled in some future version.
Alright, we can start with this version if it can save you some useful time!
I will create issues to work on these topics later then…
The PR should be OK now.