Flutter/Dart analysis requires building the app

Hi,

I’m wondering why, to scan a Flutter/Dart project, it is required to build the app.

Thank you in advance!

Hi @vbarba

For the Dart/Flutter analysis to be complete and accurate, we strongly recommend that you:

  1. retrieve all the dependencies of all projects being analyzed
    • this can be done via the package manager you normally use to gather them in your project before compilation: dart pub get, flutter pub get, melos bootstrap, etc.
  2. run a compilation of your project (which requires step 1)
    • again, you can use your specific toolchain for that: dart compile, flutter compile, etc.

The code analysis doesn’t look into Dart/Flutter compiled binaries, yet we require compilation.

The reason we have such requirements is that many rules in the SonarDart Analyzer are not limited to the source file they analyze. Instead they make use of semantic information, such as type definitions, function declarations, references, class hierarchies, etc.
Very often such pieces of information are not defined in the file or the project being analyzed, but elsewhere. It is not unlikely that the information is located in a library of a different package, in a direct or a transitive dependency.

Without semantic information it’s generally not possible to effectively carry on with the analysis under many circumstances. In those scenarios we emit S2260 issues (Dart build, compiler, or analyzer configuration errors), typically to indicate that there is an issue with dependency gathering or compilation.

Note that we currently don’t stop the analysis when we encounter S2260 issues. Sometimes there are small parts of a big project that may not compile “by design” (such as templates, examples, test files, …). That shouldn’t block the analysis of the rest of the project.

Moreover, while some dependencies may not have been resolved correctly, and you may see S2260 on many import statements and on subsequent statements using the missing imports, many rules may still work correctly and deliver good results, which may be useful even in non-compiling Dart sources.

Regarding why we don’t just require step 1 (dependency gathering), but also step 2 (full project compilation): that has to do with the fact that some projects generate source files during compilation. Without those source files, the analysis may lack necessary semantic information, and would trigger S2260 issues at every import of a generated source.

One last note regarding compilation and analysis steps: unlike Maven and Gradle, where we have developed scanners that integrate the analysis into the build system, we currently don’t have a “Scanner for Dart”, or an extension of the dart command that triggers Sonar analysis.

Building and analyzing are two different steps, which are required to happen sequentially, and in the same context.

Hope it helps to clarify,
Antonio
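The three steps the reply describes (fetch dependencies, build including any generated sources, then run the scanner in the same checkout) as one script. This is an added example, not code from the thread or from SonarSource: the pubspec-based toolchain detection and the build_runner check are heuristics of this example, `bin/main.dart`, the `flutter build apk --debug` target, `sonar.sources=lib` and the `SONAR_PROJECT_KEY` variable are assumptions, and `flutter build` stands in for the “flutter compile” wording in the reply. The two pubspec.yaml files at the top are constructed samples so the helper functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): drive dependency gathering,
# build (with code generation) and Sonar analysis in a single shell session,
# so that the build and the analysis share one context.
set -euo pipefail

# --- constructed sample pubspec.yaml files, used only to exercise the helpers ---
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_FLUTTER="$SAMPLE_DIR/flutter_pubspec.yaml"
SAMPLE_DART="$SAMPLE_DIR/dart_pubspec.yaml"
cat >"$SAMPLE_FLUTTER" <<'EOF'
name: demo_app
environment:
  sdk: ">=3.0.0 <4.0.0"
dependencies:
  flutter:
    sdk: flutter
  json_annotation: ^4.8.0
dev_dependencies:
  build_runner: ^2.4.0
  json_serializable: ^6.7.0
EOF
cat >"$SAMPLE_DART" <<'EOF'
name: demo_cli
environment:
  sdk: ">=3.0.0 <4.0.0"
dependencies:
  args: ^2.4.0
EOF

# Pick the toolchain from pubspec.yaml: a package that depends on the Flutter
# SDK is driven with `flutter`, anything else with plain `dart`.
toolchain_for() {
  local pubspec="$1"
  if grep -Eq '^[[:space:]]+sdk:[[:space:]]+flutter[[:space:]]*$' "$pubspec"; then
    echo flutter
  else
    echo dart
  fi
}

# Heuristic (assumption of this example): a build_runner dev dependency means
# generated sources (*.g.dart, *.freezed.dart, ...) must exist before the
# analyzer resolves their imports, otherwise each such import yields S2260.
needs_codegen() {
  grep -Eq '^[[:space:]]+build_runner:' "$1"
}

# Run all three steps inside the project directory (same checkout, same
# environment). Assumes SONAR_PROJECT_KEY is set and sonar-scanner is on PATH.
run_pipeline() {
  local project="$1" tc
  tc="$(toolchain_for "$project/pubspec.yaml")"
  (
    cd "$project"
    # step 1: resolve direct and transitive dependencies
    "$tc" pub get
    # step 2: build, materialising generated sources first when needed
    if needs_codegen pubspec.yaml; then
      dart run build_runner build --delete-conflicting-outputs
    fi
    if [ "$tc" = flutter ]; then
      flutter build apk --debug            # assumed target; use the one you ship
    else
      dart compile kernel bin/main.dart    # assumed entry point
    fi
    # step 3: analyse the already-built tree (there is no build-integrated scanner)
    sonar-scanner \
      -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
      -Dsonar.sources=lib \
      -Dsonar.tests=test
  )
}

# Only run the real pipeline when a project path is given on the command line;
# without an argument the script just defines the helpers above.
if [ -n "${1:-}" ]; then
  run_pipeline "$1"
fi
```

Usage: `SONAR_PROJECT_KEY=my-app ./scan.sh path/to/flutter_project`. Keeping the three steps in one subshell, after a single `cd`, is what the reply means by “the same context”: the scanner sees exactly the `.dart_tool/`, resolved packages and generated files the build just produced.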

