I want to add some special functionality in a scanner. For this I would need to access the rule API directly from the scanner. I’ve seen that the context offers a possibility to access the activated rules, but I would need to download the rule keys of ALL rules for a certain tag.
The idea is to check for new compiler warnings, when running on “latest” compiler version, where the rules might not yet be in. For that I would need to know, if the warning is already known in the rules available in sonar and if not create a “Unknown” violation, with info about the new warning. The Unknown rule already exists in the plugin (so I don’t want to create a new rule on the fly, I just want to collect all unknown exceptions/warnings and put them in the Unknown rule container to be viewed in sonar… and eventually to create new rules for new warnings once evaluated).
I know how to do the REST query and I get the correct results when executing it with Postman. But I don’t know how to do it with the scanner framework without introducing a REST stack.
Any help would be appreciated.
What language is this for?
This is very meta, and I believe that’s going to make it hard to do. My understanding is that each rule runs all by itself, without knowledge of or interaction with other rules.
I think what you’re going to have to do is load all the ‘known’ rules into your “Unknown violation” rule and go from there.
And it’s not clear to me how you’re going to get to the compiler warnings from inside your rule. You might need to look at processing the compilation log as a ‘report’.
The idea is to use the SonarOpenCommunity/sonar-cxx plugin (SonarQube C++ Community plugin, cxx plugin) to handle compiler warnings of the gcc compiler. The plugin itself already knows how to handle most compiler warnings. However, as part of a new strategy we want to run all our code against the latest version of the gcc (and maybe vc) compiler and collect the NEW compiler warnings.
So the idea is:
0.) Create in SONAR a custom rule “UNKNOWN” for each affected tag
In the scanner:
1.) Download key ids (which are equal to the compiler warning text) for all rules for a certain tag
2.) Parse the compiler log file and extract the warning, line, file and message
3.) Check, if the parsed key id is in the downloaded list → if yes, create rule as it is now, if no: create a rule with id UNKNOWN (which was created in sonar in step 0 once) with some additional info
4.) Continue as it is now
So basically I know how to do all of the steps except step 1: how can I access the rules API from inside the scanner? It is already done for the ACTIVE rules, but I need to do it for ALL rules. I only want to create an UNKNOWN entry for rules that are not in SONAR, and not for the ones that are not activated.
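Steps 2 and 3 of the procedure in the post above, as an added example that is not part of the original thread or of the sonar-cxx plugin. It assumes the rule key equals the `-W…` flag GCC prints in brackets and that the key list from step 1 is already available; the names `classify`, `Finding`, `KNOWN_KEYS` and the sample log are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Set

# GCC diagnostic on a POSIX path: file:line[:col]: warning: message [-Wflag]
GCC_WARNING = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):(?:\d+:)?\s*warning:\s*"
    r"(?P<msg>.*?)(?:\s*\[(?P<flag>-W[^\]]+)\])?\s*$"
)
UNKNOWN_KEY = "UNKNOWN"  # assumed key of the catch-all rule created in step 0


class Finding(NamedTuple):
    rule_key: str
    file: str
    line: int
    message: str


def classify(log_lines: Iterable[str], known_keys: Set[str]) -> List[Finding]:
    """Map each GCC warning to its rule key, or to UNKNOWN if no rule exists."""
    findings = []
    for raw in log_lines:
        m = GCC_WARNING.match(raw.strip())
        if not m:
            continue  # notes, errors, "In function ..." context lines
        flag, msg = m.group("flag"), m.group("msg")
        if flag in known_keys:
            key = flag
        else:
            # Keep the original flag in the message so it can be triaged later.
            key = UNKNOWN_KEY
            msg = f"{msg} (unmapped compiler flag: {flag or 'none'})"
        findings.append(Finding(key, m.group("file"), int(m.group("line")), msg))
    return findings


# Constructed sample data: key list as step 1 would return it, and a short log.
KNOWN_KEYS = {"-Wunused-variable", "-Wsign-compare"}
SAMPLE_LOG = [
    "src/a.cpp: In function 'int main()':",
    "src/a.cpp:12:9: warning: unused variable 'x' [-Wunused-variable]",
    "src/b.cpp:40:5: warning: something new happened [-Wnew-warning]",
    "src/b.cpp:41:1: note: declared here",
]

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG, KNOWN_KEYS):
        print(finding)
```

The lookup has to run against the full rule list, not the active-rule list, otherwise deactivated rules would also land in UNKNOWN.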
As I said, I think you’re going to need to pre-load your unknown rule with the keys. Keep in mind that your rule is probably going to run multiple times during analysis, so that makes the most sense anyway.
Thanks for the reply. The problem is, I get from the compiler a new warning: -Wnew-warning … this warning is new and hence unknown. But I don’t know that yet (somebody could already have added it in a previous release or config change of the plugin). I need to compare against all existing rule keys to see if -Wnew-warning is a known warning or not. So all I need is:
-SonarQube please give me all rules (possibly only the rule key field for speed) for tag=compiler-gcc and tool “CXX”
—>I would like to get the result of: https://myserver:9001/api/rules/search?languages=cxx&tags=compiler-gcc&f=internalKey
Currently I get only the activated rules via the context, but NOT all rules. So the question is, how can I access the rules API (the query above) from the scanner plugin, e.g. via the org.sonar.api.batch.sensor.SensorContext or any other Scanner API conformant way…
After I have this list, I can continue extending the plugin as needed.
Since we don’t support writing rules for C-Family languages and since you’re basing this on Cxx, I’m going to have to refer you to the Cxx folks at this point.
The request to do a rules API call has nothing to do with C-Family, but I understand where you are coming from. Would your answer be different, if I requested to do
from the scanner?
Probably. Because the team behind Java analysis supports writing Java rules & thus is open to helping folks who are trying to do that.