Generic issue data & ad-hoc rules

rsenden · May 10, 2019, 3:04pm

Recent SonarQube versions provide support for importing external/generic issue data as described here: https://docs.sonarqube.org/latest/analysis/generic-issue/

One of the fields in the described issue JSON data is the ruleId, however the documentation doesn’t specify how the external rules referenced by this issue ruleId field can be imported into SonarQube. For example, how would you add an appropriate rule description for these external rules?

For comparison, in a SonarQube plugin you could use SensorContext.newAdHocRule() to define an ad-hoc rule, and add a rule description using NewAdHocRule.description(). You can then use SensorContext.newExternalIssue() to generate external issues for these ad-hoc rules.

Is a similar approach solely based on the generic issue JSON data possible, without requiring a custom SonarQube plugin?

ganncamp · May 13, 2019, 5:53pm

Hi,

The ruleId is expected to be the external analyzer’s id for the rule. There’s no requirement to feed rules ahead of time, and no there’s no need for a custom plugin.

HTH,
Ann

felipebz · May 16, 2019, 12:00pm

@ganncamp I think I have the same question. If we import some generic issue data, we can’t show the rule description in the SonarQube UI:

To see the rule description, we need to copy manually the rule id and check the description in other tool. It’s OK but not perfect, will you improve it in the future?

rsenden · May 16, 2019, 12:40pm

Correct; it seems like in the JSON-based external issue data import you can only provide a rule id, no rule description.

In comparison, a SonarQube plugin can generate ad-hoc (external) rules and provide descriptions for those ad-hoc/external rules, so why is this functionality not available (or not documented) through the JSON-based import?

Another related issue that I ran into; if SonarQube cannot find the corresponding source file for an external issue (or if no source file is defined in the external issue data), the issue will simply be ignored. I think it would be much better to report these issues at project-level instead of just ignoring them.

Likewise, a SonarQube plugin can only report external issues against InputFile components; a plugin is not allowed to report external issues at project level.

I know SonarQube is meant as a static analysis tool, and not as a generic dashboard for all project-related issues. Nonetheless, many people want to use SonarQube as a generic dashboard, and for example want to have visibility of DAST issues (which are not related to any specific source file) in SonarQube.

rsenden · October 17, 2019, 11:10am

I have now developed a simple plugin that adds support for importing rule data from a generic issue data JSON file; see https://github.com/fortify-ps/sonarqube-scanner-externalissue-rule.

Any chance this functionality could be added to the core SonarQube scanner implementation?

I have followed the code structure of https://github.com/SonarSource/sonarqube/tree/master/sonar-scanner-engine/src/main/java/org/sonar/scanner/externalissue, allowing you to easily incorporate this into the core SonarQube scanner implementation.

Thanks,
Ruud

ganncamp · October 17, 2019, 11:47am

Hi Ruud,

We don’t often accept PRs on SonarQube itself, and certainly not without a ticket in the backlog. However, if you open a new thread with this, you might convince one of the devs to create that ticket…

Ann