How can we have the maven sonar:sonar target ignore false positives?


(Nicholas DiPiazza) #1
  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Version 6.7.5 (build 38563)
  • what are you trying to achieve
    Trying to ignore particular false positives, while not excluding the entire rule or the entire source file from sonar.
  • what have you tried so far to achieve this
    I have run sonarqube with the following:

mvn sonar:sonar

And I often get false positives, like this one:

'PASSWORD' detected in this expression, review this potentially hard-coded credential

Where I am clearly not having an issue:

private final static String GENERATE_PASSWORD_PATTERN = "^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\\S+$).{8,}$";

There are many other examples, such as it complaining about unused methods that are actually used only via reflection.

Is there a way to mark the exact false positive and ignore it via configuration? I envision some way to add those exclusions to a file checked into Git that is reviewed by a manager/lead to verify it is a valid false positive and OK to ignore.


(G Ann Campbell) #2

Hi,

Your best option here is to mark them False Positive via the UI.

Alternately, if for example you notice that all of the issues raised by S007 in a certain package are false positives, you can set a multi-criteria issue exclusion to selectively turn the rule off for that subset of code.

Ann
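As an added example that is not part of this thread: the multi-criteria issue exclusion Ann mentions can be committed to the project as Maven properties in pom.xml, which gives the reviewable, Git-tracked file asked for in #1. The rule keys squid:S2068 (hard-coded credentials) and squid:S1144 (unused private method) are assumed from memory for the Java analyzer of that era, and the file patterns are constructed placeholders; confirm the keys on your instance's Rules page.

```xml
<!-- pom.xml: per-rule, per-path exclusions (added example, not from the thread) -->
<properties>
  <!-- comma-separated list of exclusion ids; each id needs a ruleKey and a resourceKey -->
  <sonar.issue.ignore.multicriteria>e1,e2</sonar.issue.ignore.multicriteria>

  <!-- e1: silence the hard-coded credential rule only in the class that holds the
       password-complexity regex (rule key assumed, file path is a constructed placeholder) -->
  <sonar.issue.ignore.multicriteria.e1.ruleKey>squid:S2068</sonar.issue.ignore.multicriteria.e1.ruleKey>
  <sonar.issue.ignore.multicriteria.e1.resourceKey>**/security/PasswordPolicy.java</sonar.issue.ignore.multicriteria.e1.resourceKey>

  <!-- e2: silence the unused-private-method rule only in the package whose methods
       are invoked through reflection (rule key assumed, path is a constructed placeholder) -->
  <sonar.issue.ignore.multicriteria.e2.ruleKey>squid:S1144</sonar.issue.ignore.multicriteria.e2.ruleKey>
  <sonar.issue.ignore.multicriteria.e2.resourceKey>**/reflective/**/*.java</sonar.issue.ignore.multicriteria.e2.resourceKey>
</properties>
```

Unlike marking one issue False Positive in the UI, this suppresses every issue from that rule in the matched files, so keep each resourceKey as narrow as the file that holds the false positive and have the change reviewed like any other pom.xml edit.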


(Nicholas DiPiazza) #3

Hi @ganncamp thanks for the info. Can you expand a bit on the “mark them false positive via the UI”? That’s basically what I was looking for but cannot find how to do.

I can mark it false positive for my own build project, but will the next developer who runs it see the same failure? Because I cannot have it doing that.


(G Ann Campbell) #4

Hi,

An issue marked FP will stay marked FP (and so not included for instance in your Open issue counts) as long as the issue tracking mechanism finds that they’re still present in the code. For details, see the ‘Understanding which issues are “New”’ topic in the docs.

As for how to mark them FP, if you have the Administer Issues permission on the project, that option should be available to you in the interface:

Ann


(G Ann Campbell) #5

Note that if your issues were raised by an external analyzer, such as this one, you won’t have the ability to mark them FP:

Instead, you’ll need to modify the configuration of that external analyzer.

Ann


(Nicholas DiPiazza) #6

Great, thanks. This is the info I needed.