Hello, dear SonarCloud team
In our company we developed a set of custom Checkstyle rules, with a custom Maven Checkstyle configuration. They appear in the report as a normal error, but by some reason in SonarCloud analysis I don’t see it. Is there anything that I can do to make it possible to display a custom error?
Thank you for your reply in advance.
Best,
Dmitrii
Hey there.
Are you explicitly setting sonar.java.checkstyle.reportPaths to the report containing the issue?
Hello, Colin
Yes, sure, and the issues in the report are appearing in sonar, all of them except my custom one. The custom one is also in checkstyle.xml report, but not in SonarCloud report
Hi Dmitrii, I think the issue might have something to do with the format of the file’s portion generated by your rule. If not confidential, could you share the report file that is causing you this issue? It would be great to have a file that has at least 1 issue reported correctly by Sonarcloud and at least 1 issue that instead is missing, to check the differences
Leonardo
Hi
I think I’m hitting the same issue so I wonder if there has ever been some progress on this outside of this discussion.
I’ve written a custom Checkstyle check that is listed both in checkstyle-result.xml and also site/checkstyle.html. To verify that checkstyle is actually picked up by Sonar, I’ve also added an empty catch block and ran another scan. The empty catch block is reported in SonarCloud but the custom checks are missing.
Following is a snippet of checkstyle-results.xml. SonarCloud reports on the first and the last finding but not the custom ones in between.
<file name="/Users/frieder/projects/cloud/aem-website/core/src/main/java/com/***/aem/core/common/http/***HttpClientBuilder.java">
<error line="60" column="1" severity="warning" message="Missing a Javadoc comment." source="com.puppycrawl.tools.checkstyle.checks.javadoc.MissingJavadocTypeCheck"/>
<error line="177" column="37" severity="warning" message="Avoid creating HttpClient directly, use ***HttpClientBuilder instead." source="stg.checkstyle.ClassMethodCheck"/>
<error line="178" column="33" severity="warning" message="Avoid creating HttpClient directly, use ***HttpClientBuilder instead." source="stg.checkstyle.ClassMethodCheck"/>
<error line="179" column="39" severity="warning" message="Avoid creating HttpClient directly, use ***HttpClientBuilder instead." source="stg.checkstyle.ClassMethodCheck"/>
<error line="180" column="37" severity="warning" message="Avoid creating HttpClient directly, use ***HttpClientBuilder instead." source="stg.checkstyle.ClassMethodCheck"/>
<error line="181" column="33" severity="warning" message="Avoid creating HttpClient directly, use ***HttpClientBuilder instead." source="stg.checkstyle.ClassMethodCheck"/>
<error line="182" column="42" severity="warning" message="Empty catch block." source="com.puppycrawl.tools.checkstyle.checks.blocks.EmptyCatchBlockCheck"/>
</file>
In parent pom I’m also defining the location of the XML file so it should pick the file from the correct file and not some other file I don’t know of.
<sonar.java.checkstyle.reportPaths>${project.build.directory}/checkstyle-result.xml</sonar.java.checkstyle.reportPaths>
Here is a screenshot of the findings in SonarCloud. In none of the lines 177-181 does it report about my custom check.
I’m using Maven 3.9.6, OpenJDK 17.0.10 (Temurin) and sonar-maven-plugin 3.10.0.2594 in case this is relevant.
Does anybody have some idea how to proceed in this regard. Any help is greatly appreciated.
Hello @karmann-dm, @fkh,
Thanks for raising the issue.
I think we don’t support custom rules for external linters in Java. If you need to implement custom rules, we encourage you to look into creating custom rules with Sonar. You can find the example and documentation here: GitHub - SonarSource/sonar-custom-rules-examples: Shows how to bootstrap a project to write custom rules for PHP, Python, Cobol, RPG
Another potential solution could be to have a “catch-all” mechanism, so you will see the issue on the right location and with the right error message. I’ve created a ticket for it:
Hi Margarita
Thx for the feedback.
Correct me if I’m wrong but i thought SonarCloud doesn’t support custom rules/plugins. That’s at least the feedback I got from SonarSource back in 2018. I cannot find any information on this, has this changed meanwhile?
In the past we used self-written Sonar plugins back when we hosted SonarQube ourselves so this would also have been my first choice if it would be available. But since neither custom plugins nor rule templates (e.g. something like track use of disallowed [classes|constructors|methods]) are available in the cloud offering, I thought I make use of other tools like Checkstyle and let the Sonar scanner import those findings.
It’s a shame that this isn’t supported as it leaves me a bit lost at the moment. I appreciate that you opened a ticket for this internally but seeing that it has a low priority I don’t expect this feature to become available any time soon. Of course I can enforce custom rules locally by breaking the build to get the dev’s attention but I’d prefer to have a uniform approach which - for us at least - is to rely on SonarCloud and whether the quality gate is met.
Anyways thank you for your help and I’ll keep an eye on the ticket to track the progress.
Have a nice day.
Thanks for your feedback, indeed you’re right that in SonarCloud you can’t use it at the moment, I missed you’re using SC. I bumped the priority of the ticket and I will share your feedback with our Product managers, we’ll see what we can do for such cases.
Best,
Margarita
I think you can actually use this format:
Technically you will need to generate a report with your custom rules in this format and pass it to the property. Then Sonar will be able to pick the rules and report.
Let me know if that helps.
Best,
Margarita
Thanks for the link, I didn’t know about the generic import format. I had a brief look at custom Checkstyle reports to get a compliant format but I believe it’s unnecessarily complex to get this done within Checkstyle and I don’t want to set up tasks outside the build system.
Meanwhile I found New checkstyle rules doesn't show on Sonar issues list which also addresses this issue. The post suggests to use the Checkstyle package name as prefix to work around the filter condition. I just gave it a try and it works so I’ll take this route until SONARJAVA-4916 fixes the general issue.
Thank you for your help.
