How to scan only a few files with SonarQube


(Josh) #1

We want to be able to scan only a few files with SonarQube. Our goal is to scan a select few files whenever checking in code changes. Also, what would be the ideal way to do these tiny scans on each developer's machine, noting that we have our SonarQube server that scans every night? Will each developer have to have SonarQube installed? Will each developer need a SonarQube SQL database, or can the results be output to an ASCII text file, or perhaps the results can be scanned and uploaded to a remote SQL database where our server is running?

For reference, our scan commands on the server:

  1. C:\work\sonar\SonarScanner.MSBuild.exe begin /k:MyProject /d:sonar.host.url=http://salamander.com:9000 /d:sonar.login= /d:sonar.cfamily.build-wrapper-output=bw_output

  2. C:\work\sonarWrapper\build-wrapper-win-x86-64.exe --out-dir "bw_output"

  3. C:\work\sonar\SonarScanner.MSBuild.exe end /k:MyProject /d:sonar.login=


(Colin Mueller) #2

Josh,

Using file inclusion/exclusion patterns is a good bet, and those are best set through the Project Administration UI (they're kind of hard to set in a sonar-project.properties file, since it's a multi-line setting). Here's a good article about Narrowing the Focus.

If you use a supported IDE, SonarLint is the best way for developers to get feedback on their code before it’s committed anywhere. That said, since you are using the CFamily plugin and are running on your own instance of SonarQube, I’m assuming you’re utilizing the Developer Edition or above, in which case you have access to Branch Analysis. That might also solve for developers checking their code before it’s merged into the main branch.

Colin
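Editorial note (not part of Colin's reply): the following script is an added example of what "scan only a few files" looks like at the command line, using the `sonar.inclusions` property from the Narrowing the Focus article together with the scanner and build-wrapper paths from post #1. It is not code from the thread or from SonarSource. Assumptions, which the original post does not state: it is run from Git Bash on the developer's Windows machine; the token that was blanked out after `/d:sonar.login=` comes from a `SONAR_TOKEN` environment variable; the build command the wrapper should run is `MSBuild.exe /t:Rebuild` (the original command line omitted it); and the partial scans go to a hypothetical separate project key `MyProject-partial`, because a SonarQube analysis is a full snapshot of the project and files absent from it are treated as removed, so running a two-file scan against the nightly `MyProject` key would wipe the rest of the project from that project's results.

```shell
#!/usr/bin/env bash
# Added example: run the SonarScanner for MSBuild on a handful of files by
# passing an explicit sonar.inclusions list. Assumed, not from the thread:
# Git Bash on Windows, SONAR_TOKEN in the environment, MSBuild.exe /t:Rebuild as
# the wrapped build command, and the hypothetical key MyProject-partial.
set -eu

SCANNER="${SCANNER:-C:/work/sonar/SonarScanner.MSBuild.exe}"
BUILD_WRAPPER="${BUILD_WRAPPER:-C:/work/sonarWrapper/build-wrapper-win-x86-64.exe}"
HOST_URL="${HOST_URL:-http://salamander.com:9000}"
# Keep partial scans away from the nightly project key: each analysis is a full
# snapshot, and files not included in it are treated as removed from the project.
PROJECT_KEY="${PROJECT_KEY:-MyProject-partial}"

# Join file paths (relative to the project root) into the comma-separated value
# that sonar.inclusions expects; backslashes are normalised to forward slashes.
build_inclusions() {
  out=""
  for f in "$@"; do
    f=$(printf '%s' "$f" | tr '\\' '/')
    out="${out:+$out,}$f"
  done
  printf '%s' "$out"
}

# Compose the `begin` command as one string, for dry runs and logs (no token).
begin_command() {
  inclusions="$1"
  printf '%s begin /k:%s /d:sonar.host.url=%s /d:sonar.inclusions="%s" /d:sonar.cfamily.build-wrapper-output=bw_output' \
    "$SCANNER" "$PROJECT_KEY" "$HOST_URL" "$inclusions"
}

# Full begin / build-wrapper / end cycle restricted to the given files.
scan_files() {
  inclusions="$(build_inclusions "$@")"
  # Git Bash rewrites arguments that start with "/" (such as /k: and /d:) into
  # Windows paths unless path conversion is switched off.
  export MSYS_NO_PATHCONV=1
  "$SCANNER" begin "/k:$PROJECT_KEY" "/d:sonar.host.url=$HOST_URL" \
    "/d:sonar.login=$SONAR_TOKEN" "/d:sonar.inclusions=$inclusions" \
    "/d:sonar.cfamily.build-wrapper-output=bw_output"
  "$BUILD_WRAPPER" --out-dir bw_output MSBuild.exe /t:Rebuild
  "$SCANNER" end "/d:sonar.login=$SONAR_TOKEN"
}

# Usage: ./partial-scan.sh --dry-run src/foo.cpp src/bar.cpp   (print the begin line)
#        ./partial-scan.sh src/foo.cpp src/bar.cpp             (run the scan)
if [ "${1:-}" = "--dry-run" ]; then
  shift
  begin_command "$(build_inclusions "$@")"
  echo
elif [ $# -gt 0 ]; then
  scan_files "$@"
fi
```

The inclusion list is passed as a single argument on each `begin` call, so no quoting gymnastics are needed on the command line; the same value can equally be pasted into the Project Administration UI as Colin suggests. Note that `sonar.inclusions` narrows which files the scanner reports on, but the build wrapper still has to observe a real compilation of those files, so the wrapped build is a full `MSBuild.exe /t:Rebuild` here.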


(Josh) #3

Colin,

Thanks for the response. I looked through that article, but I’m also not a command-line guy. Could you please provide an example of using the inclusion to scan two files at the command-line?


(Nicolas Bontoux) #4

Need to make sure there’s no misunderstanding here.

Is your intent to have SonarQube results updated with the results of these 'tiny' scans? I.e. a full scan of the project overnight, and then delta updates over the day?

(SonarQube is not designed to be used as such, but before I go into the explanations for that, I want to make sure that's your intent.)

Or is the use-case to have developers get quality feedback on their code while they're implementing it? If so, SonarLint, branch analysis and Pull Request analysis are what you need to focus on indeed.

(Ultimately, @ColinHMueller's mention of inclusion/exclusion patterns is indeed an answer to 'scan only a few files'; however, I feel like it doesn't relate to your actual use-case here, which really needs to be clarified.)