How to analyze all the xml files in a project?

sonarqube
(Pra Jal) #1

We are running SonarQube version 6.7.4 and using Sonar Scanner plugin (org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar)

We are trying to scan a project which only has a bunch of xml files and a pom.xml file.
Every time we run the scan using the following properties, it only scans the pom.xml file and ignores all the xml files.

mvn -B -s $build_path/.m2/settings.xml \
org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar \
-Dmaven.repo.local=.repository \
-Dsonar.host.url="$SONAR_URL" \
-Dsonar.language=xml \
-Dsonar.projectKey="crypto-config" \
-Dsonar.projectName="crypto-config" \
-Dsonar.branch="feature_sonar-xml"

Output:
[image]

Can you please help us understand what is going on?

Thanks,
Pra

(G Ann Campbell) #2

Hi Pra,

Your problem is that you’re using the SonarQube Scanner for Maven to perform an essentially non-Maven analysis. One of the things the SQS4M does for you is automatically feed sonar.sources with the location where you’ll find the .java files in a Maven project: src/main/java/. I’m guessing that’s not where your .xml files are.

So either switch to the ‘vanilla’ scanner, SonarQube Scanner, or in addition to all your other parameters, explicitly pass sonar.sources.

And speaking of your parameter list, you should remove sonar.language. This property has been deprecated literally for years and is finally removed in 7.7. Additionally, since you are currently running a Maven analysis, you shouldn’t need to specify project name and key on the command line; they should be picked up automatically from your pom. If you do switch scanners though, you’ll want to retain those parameters.

 
HTH,
Ann

(Pra Jal) #3

Hi Ann!
The xml files are flat in the repo, not in any of the folders. There’s no src/ dir in that project.

I tried using the vanilla SonarQube scanner but I was unable to use the Quality Gate with that.
So I am sticking with the SonarQube Scanner for Maven.
I did remove sonar.language. That was just for my testing.
I had to add a condition to see if it only has xmls, then use sonar.sources=. or if it has a src dir, then use sonar.sources=src/main,pom.xml
I was just looking to cover everything using one sonar.sources in our script but it didn’t work.

Thanks,
PraJal

(G Ann Campbell) #4

Hi Pra,

This part of your response doesn’t make sense to me:

If you had said you weren’t able to run an analysis, that would be something we could work on, but the QG is a built-in feature that just works and is entirely independent of which scanner you’re using.

Yes, if your projects have source files in different locations, then sonar.sources will need to vary by project.

 
Ann

(Pra Jal) #5

What would be the command to run the pure vanilla sonar scanner?
I tried giving the path to where the sonar scanner was installed in Jenkins. It did finish the scan fine but it did not find the sonar results for the quality gate to analyze. I believe it could not see the ID that the Quality Gate looks for. (This is all in Jenkins.)

And yeah, it works with specifying sonar.sources for the various projects we have.

(G Ann Campbell) #6

Hi,

I think I understand now. When you used the vanilla scanner, you had trouble reporting the QG results in Jenkins. Can you share your pipeline code? I suspect it lacks withSonarQubeEnv as demonstrated in the docs.

 
Ann

(Pra Jal) #7

I went through the docs again and figured out how to use the vanilla scanner and also report QG results.
But I guess I still have to vary sonar.sources according to the projects (xml only, java/scala).

I tried the vanilla scanner code (inside my Jenkins pipeline script) on a Java-based project and it failed.

// Resolve the scanner installation registered in Jenkins under the name 'Sonar'
def sonarScanner = tool name: 'Sonar', type: 'hudson.plugins.sonar.SonarRunnerInstallation'
sh """
echo "$SONAR_BRANCH"
${sonarScanner}/bin/sonar-scanner \
-Dmaven.repo.local=.repository \
-Dsonar.sources=. \
-Dsonar.host.url="$SONAR_URL" \
-Dsonar.projectKey="$PROJECT" \
-Dsonar.projectName="$PROJECT" \
-Dsonar.branch="$SONAR_BRANCH"
"""

The error is:
[Sonar] INFO: JavaClasspath initialization
[Sonar] INFO: ------------------------------------------------------------------------
[Sonar] INFO: EXECUTION FAILURE
[Sonar] INFO: ------------------------------------------------------------------------
[Sonar] INFO: Total time: 5.630s
[Sonar] INFO: Final Memory: 18M/374M
[Sonar] INFO: ------------------------------------------------------------------------
[Sonar] ERROR: Error during SonarQube Scanner execution
[Sonar] ERROR: Please provide compiled classes of your project with sonar.java.binaries property
[Sonar] ERROR:
[Sonar] ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.

(G Ann Campbell) #8

Hi,

If you’re dealing with a Java project you build with Maven, then by all means use the SonarQube Scanner for Maven. If you’re not, then use the vanilla scanner.

The error you got, “Please provide compiled classes of your project with sonar.java.binaries property” means just what it says: you need to provide the path to your class files. The SQS4Maven will do that for you.

 
Ann

(Pra Jal) #9

Thank you! We have continued using SQS4 Maven but adding conditions to xml files as needed since we use a common script for all projects.
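
The per-project condition described in this thread (sonar.sources=. for a flat XML-only checkout, sonar.sources=src/main,pom.xml when a src directory exists), as an added example that is not code from the posters or from SonarSource. The function names and the placeholder host are assumptions; the script fails instead of letting a configuration repository pass as analysed when only pom.xml would be scanned.

```shell
#!/bin/sh
# Added example: choose sonar.sources from the checkout layout.
# Function names are hypothetical; property values are the ones quoted in the thread.

sonar_sources_for() {
    dir=${1:-.}
    if [ -d "$dir/src/main" ]; then
        # Maven-style project: sources plus the pom, as in post #3
        echo "src/main,pom.xml"
        return 0
    fi
    # Flat layout: require at least one top-level .xml other than pom.xml
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue                       # glob matched nothing
        [ "$(basename "$f")" = "pom.xml" ] && continue
        echo "."
        return 0
    done
    # Neither layout: stop here so the gap is visible in the build log
    echo "no analyzable sources found under $dir" >&2
    return 1
}

# Print (dry run) the Maven scanner command for a checkout.
sonar_mvn_command() {
    dir=${1:-.}
    sources=$(sonar_sources_for "$dir") || return 1
    # Host default is a placeholder; SONAR_URL is the variable used in the thread
    printf 'mvn -B %s -Dsonar.host.url=%s -Dsonar.sources=%s\n' \
        "org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar" \
        "${SONAR_URL:-http://sonar.example.invalid}" \
        "$sources"
}

# Constructed demo: a flat checkout like the one described in post #1.
demo=$(mktemp -d)
touch "$demo/pom.xml" "$demo/keys.xml"
sonar_mvn_command "$demo"
rm -rf "$demo"
```

In a shared Jenkins script the printed line can be executed once the dry-run output has been checked for each project type.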