I’m using Windows 10 and accessing the analysis results through a browser.
I’d like to output the filtered list of issues to a csv or pdf or some other output format.
Hi,
Welcome to the community!
There is no export from the UI. You’ll need to craft your own reports using the Web APIs. You’ll find a docs link in the page footer.
The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.
You may also find this guide helpful.
HTH,
Ann
Here is a script you can use.
Hi @SRenick
Welcome to the community!
Thanks for reaching out. May I ask why you need this export of filtered issues? What are you trying to achieve with it? Could you elaborate please?
Thanks,
Alexander
I also want to export issues from SonarQube. What I could do with such an export is best expressed by describing what I currently do with an issue list exported from Cppcheck:
I run Cppcheck and save the issue list as XML. I then import the XML into an Excel workbook. I wrote a VBA macro in Excel which I execute with a hot key I assign: the macro reads the current row in the Workbook, and from that row obtains the source file path and line number (originally provided by Cppcheck), then opens my text editor with that source file open, on the line where the issue occurred. Using this macro I can quickly navigate to the issues I am trying to deal with. What’s more, I can filter the issues using Excel, and deal with all of the issues of a particular kind one after the other.
The approach to resolving issues which I have outlined, above, works better for me than using SonarLint in the IDE. SonarLint results may not correspond exactly with my last SonarQube scan. Also, I have to open each source file within my C++ project in Visual Studio 2022 in order for SonarLint to detect the issue. By using output from Cppcheck (and eventually an issue export for SonarQube), I can quickly navigate to a subset of issues without having to force SonarLint to scan each file again.
Ultimately I’d like to export issues from SonarQube, then configure an “external tool” from the Visual Studio 2022 Tools menu that would read the exported list of issues and echo it to the console, which would appear in the Visual Studio “Output” window. So long as you format each line the way a typical compiler warning is formatted, the resulting lines in the output window are navigable; i.e. you can double click a particular warning (a SonarQube exported issue) in the Visual Studio output pane and it will open that source file on that line. I believe the “warnings” will also appear in the Error pane, which means you can press F8 / Shift+F8 to navigate from one issue to the next. It would be great if the SonarLint IDE plugin (in connected mode) had the ability to handle this task for me, but an issue export + a script will do for now.
I have some other advanced things I could do with an issue export from SonarQube. I intend to look into talha2k’s GitHub project (a Python script to export SonarQube issues via the REST API).
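Added example, not part of the original posts and not the script linked in this thread: a Python sketch of the export discussed above, turning an `api/issues/search` JSON response into CSV rows and into compiler-style warning lines that the Visual Studio Output window can navigate. The sample response, the `cpp:S0000` rule key and the function names are constructed for illustration; it assumes the external tool runs from the project's base directory so the relative paths resolve.

```python
import csv
import io

# Constructed sample shaped like an api/issues/search response (not real scan data).
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "issues": [
        {"key": "k1", "rule": "cpp:S5817", "severity": "MINOR",
         "component": "demo:src/MainDlg.cpp", "line": 42,
         "message": "Make this method const"},
        {"key": "k2", "rule": "cpp:S5817", "severity": "MINOR",
         "component": "demo:src/Util.cpp", "line": 7,
         "message": "Make this method const"},
        # cpp:S0000 is a placeholder rule key; this issue has no "line" field.
        {"key": "k3", "rule": "cpp:S0000", "severity": "MAJOR",
         "component": "demo:src/Legacy.cpp",
         "message": "-1 used as sentinel (constructed file-level finding)"},
    ],
}

def rows(response, rule=None):
    """Yield (path, line, rule, severity, message), optionally for one rule only."""
    for issue in response["issues"]:
        if rule and issue["rule"] != rule:
            continue
        # "component" is "<projectKey>:<relative path>"; keep the path part.
        path = issue["component"].split(":", 1)[-1]
        # File-level issues carry no "line"; point them at line 1.
        yield path, issue.get("line", 1), issue["rule"], issue["severity"], issue["message"]

def to_csv(response, rule=None):
    """Return the issues as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["file", "line", "rule", "severity", "message"])
    for path, line, rule_key, severity, message in rows(response, rule):
        # Excel treats cells starting with = + - @ as formulas; neutralise them.
        if message[:1] in ("=", "+", "-", "@"):
            message = "'" + message
        writer.writerow([path, line, rule_key, severity, message])
    return out.getvalue()

def to_msvc_lines(response, rule=None):
    """Format as 'path(line): warning CODE: text' for the VS Output window."""
    return [f"{path}({line}): warning {rule_key.split(':')[-1]}: {message}"
            for path, line, rule_key, _severity, message in rows(response, rule)]
```

A real export would page through the API with the `p` and `ps` parameters and pass each page's JSON to these functions.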
Hi @MikeOnline,
What version of SonarQube are you using? The latest versions have an ‘Open in IDE’ button on every issue. So you can do your filtering in the SonarQube Issues UI, and open them sequentially for fixing.
Does that satisfy the need?
Ann
Ann,
I’m currently running SonarQube Enterprise Edition Version 9.9.2 (build 77730). My company’s IT team is probably planning to upgrade it.
The Open in IDE button sounds like a nice feature. But there are still scenarios where issue export would be extremely helpful. I’ll give you an example.
I have about 90 C++ projects scanned in SonarQube. Many of these are Windows MFC applications, which include UI dialogs and event methods such as OnButtonClick(). SonarQube flags nearly all of these event methods and says they should be made “const”. But if you make these methods “const”, then the MFC “MESSAGE MAP” macro generates a compiler error. You have to leave these methods non-const to satisfy the limitations of MFC.
I could turn off the rule which suggests making methods const, but it is a useful rule that applies to many methods. Yet I have to ignore those issues associated with MFC dialog event methods that are part of an MFC Message Map.
By exporting the issues to a list, I can extract all the “Make this method const” issues, then filter out the ones that are MFC events, leaving those that truly need fixing. Exactly how I would do this filtering is another topic; let’s just say it involves scripting, RegEx and examining the corresponding header files. Anyway, I can then resolve all the issues that need fixing. When I am done, any remaining open issues for “Make this method const” are MFC event methods - I can then close all of these as “Won’t Fix” in bulk, with a corresponding comment.
I do not know any way to do this using the SonarQube web UI or SonarLint in the IDE. This is just one of many scenarios. I am trying to tackle as many Sonar issues as I can so the other developers on my team can focus on new code. So I find myself trying to take on all the issues for a particular Rule across all of my projects. It is faster than taking on all of the various issues/rules for a given source file or project. And sometimes I can leverage the ability to close issues as False Positive or Won’t Fix in bulk. But to do this without issue export has been difficult. That’s why I’m interested in this feature and considering the Python script mentioned earlier.
Hi,
Thanks for sharing your scenario.
Would you consider creating a Report False-positive / False-negative... post for this, please?
I understand it’s not a short-term solution for your use case, but we really would like to get this fixed.
Thx,
Ann
Edit / P.S. I checked with the team, & this scenario seems to fall under
CPP-3634 - S5817: FP when functions cannot be made const because it must comply with a signature
Ann,
I think you’re right to associate this with CPP-3634. There are many kinds of restrictions imposed by various frameworks, SDKs and libraries, so that particular issue may never be fully resolved. But you can make progress on it.
As for the Sonar issues I’ve encountered with Microsoft Foundation Classes (MFC), I’ll see if I can free up some time next week to summarize them and add them as comments to CPP-3634. I’ll put them in this thread, too. But it would be easy enough for your team to prepare a few sample MFC applications and discover them.
There are issues with Microsoft Active Template Library (ATL) classes, too. For example, some classes you write must conform to the ATL worker thread archetype. But Sonar flags several of the method signatures in this archetype.
Another example is libCURL, which requires you to create a callback function with a specific signature (see CURLOPT_WRITEFUNCTION). Sonar warns about the parameters of that function.
Another thing Sonar warns about is when you override a method in a base class where the method in the base class is not a virtual method. You often have to do this with MFC user interface classes for dialogs and controls. Sonar suggests altering the base class (you cannot because it is part of MFC) or renaming the method (which would NOT override the base class method which is what we’re trying to do). That’s a different category than CPP-3634 but in the same general area of Sonar not making exceptions for commonly-used frameworks, SDKs and libraries.
Hi,
Thanks! That would be amazing!
Unfortunately, you won’t be able to comment in the Jira ticket (Jira Cloud licensing makes giving you an account to do so untenable) but we can certainly get them from here to there.
Ann
Thanks for that script!
We regularly have the problem that a .NET upgrade (e.g. from .NET8 to .NET9) or SonarQube server changes analyzers.
Now, doing an export before and after the update allows us to better track the changes.