We want to be able to scan only a few files with SonarQube. Our goal is to scan a select few files whenever checking in code changes. Also, what would be the ideal way to do these tiny scans on each developer's machine, noting that we have our SonarQube server that scans every night? Will each developer have to have SonarQube installed? Will each developer need a SonarQube SQL database, or can the results be output to an ASCII text file, or perhaps the results can be scanned and uploaded to a remote SQL database where our server is running?
For reference, our scan commands on the server:
C:\work\sonar\SonarScanner.MSBuild.exe begin /k:MyProject /d:sonar.host.url=http://salamander.com:9000 /d:sonar.login= /d:sonar.cfamily.build-wrapper-output=bw_output
Using file inclusion/exclusion patterns is a good bet, and those are best set through the Project Administration UI (they're kind of hard to set in a sonar-project.properties file, since it's a multi-line setting). Here's a good article about Narrowing the Focus.
If you use a supported IDE, SonarLint is the best way for developers to get feedback on their code before it's committed anywhere. That said, since you are using the CFamily plugin and are running on your own instance of SonarQube, I'm assuming you're utilizing the Developer Edition or above, in which case you have access to Branch Analysis. That might also solve for developers checking their code before it's merged into the main branch.
Thanks for the response. I looked through that article, but I'm also not a command-line guy. Could you please provide an example of using the inclusion to scan two files at the command line?
Need to make sure there's no misunderstanding here.
Is your intent to have SonarQube results updated with the results of these "tiny" scans? i.e. full scan of the project overnight, and then delta updates over the day?
(SonarQube is not designed to be used as such, but before I go into the explanations for that, I want to make sure that's your intent)
Or is the use case to have developers get quality feedback on their code while they're implementing it? If so, SonarLint, branch analysis and Pull Request analysis are what you need to focus on indeed.
(ultimately @Colin's mention of inclusion/exclusion patterns is indeed an answer to "scan only a few files"; however I feel like it doesn't relate to your actual use case here, which really needs to be clarified)
~1.5 years later: This capability is of significant interest to us, and IDE extensions help but do not fully resolve our issues in CI/CD pipelines.
We want the extra capabilities Sonar scanning provides, but we already know what files changed between our builds. We want a mechanism to inform the Sonar analysis of these file changes rather than the scanner taking time to do full scans to duplicate the information we're already trying to convey. This is especially useful for providing the quality gates at each incremental build in the shortest amount of time.
What can we do to synchronize what we know about what files changed to avoid having to re-scan unchanged files for analysis that does not need re-scanning (Note: There is an obvious exception for things like code duplication)?
In other words, how much control can you give us for a revised "incremental" or "makefile-inspired" change-set? Note: We look at all these files as a "codebase" with a lot of shared files, which of course has a dependency.
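Added example, not posted by anyone in this thread and not SonarSource's own code: the command-line form of the inclusion pattern asked for above (two files), written as a PowerShell script around the same SonarScanner for MSBuild `begin`/`end` steps and `sonar.cfamily.build-wrapper-output` property the original command uses. It also goes one step further than the two-file case and shows the list of files being taken from `git diff`, since the later posts ask to feed a known change-set into the analysis. The file names, the `src/` layout, the `$env:SONAR_TOKEN` variable, the solution name and the build-wrapper invocation are assumptions; the project key and server URL are the ones from the thread.

```powershell
# Added example (not from the thread). Restrict one SonarScanner for MSBuild
# analysis to a handful of files via sonar.inclusions.
# sonar.inclusions is a comma-separated list of paths/globs relative to the
# analysis base directory, using forward slashes.

$scanner = 'C:\work\sonar\SonarScanner.MSBuild.exe'

# Variant 1: the two files asked for in the thread (constructed sample paths).
$files = @('src/Parser.cpp', 'src/Parser.h')

# Variant 2 (assumed layout): derive the list from what changed since main.
# Only keep C/C++ sources; git prints repo-relative paths with forward slashes,
# which matches what sonar.inclusions expects when the repo root is the base dir.
# $files = git diff --name-only origin/main...HEAD |
#          Where-Object { $_ -match '\.(c|cc|cpp|cxx|h|hpp)$' }

if (-not $files) { throw 'No files to analyse; refusing to run an empty scan.' }
$inclusions = $files -join ','

# Read the token from the environment instead of leaving /d:sonar.login= blank
# on the command line (assumed variable name).
$token = $env:SONAR_TOKEN
if (-not $token) { throw 'SONAR_TOKEN is not set.' }

& $scanner begin /k:MyProject `
    /d:sonar.host.url=http://salamander.com:9000 `
    /d:sonar.login=$token `
    /d:sonar.cfamily.build-wrapper-output=bw_output `
    "/d:sonar.inclusions=$inclusions"

# CFamily analysis needs the build to run under the build wrapper so the
# compile commands are captured into bw_output (assumed solution name).
& 'C:\work\sonar\build-wrapper-win-x86-64.exe' --out-dir bw_output `
    msbuild MyProject.sln /t:Rebuild

& $scanner end /d:sonar.login=$token
```

One caveat worth keeping in mind with either variant: a SonarQube analysis reports the project's current state as a whole, so an analysis limited to two files is read by the server as "the project now consists of these two files", and the other files drop out of that project's results. That is the reason the replies above steer day-to-day feedback toward SonarLint and separate branch or pull-request analyses rather than narrowing the nightly project's scan.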