Must-share information (formatted with Markdown):

- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Version 10.6
- how is SonarQube deployed: zip, Docker, Helm: ZIP
- what are you trying to achieve: A usable environment to scan some Java code
- what have you tried so far to achieve this: Lots of stuff, and I think it's working

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
Hello again,
After some very helpful advice by @ganncamp (and delays on my end acting on it) I was able to get my hands on what I think I need to actually successfully use SonarQube to analyze my project code.
For background, I’m not a developer (Sys Admin), but I’ve been put in charge of scanning the team’s code, specifically with SonarQube - something I’ve never used before so I have a lot to learn.
Today I got a copy of a compiled ANT based Java project which seems to be properly scanning, but I want to check with more experienced members here to make sure I’m not getting my hopes up.
I took the files in question, put them in a folder on the desktop of my scanning server, and ran this command in the directory the files live in:
```
sonar-scanner.bat -D"sonar.projectKey=CompiledTest01" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.token=<key the web frontend generated>" -D"sonar.java.binaries=."
```
It then cranked on for about 15 minutes before terminating with these words:
```
12:17:17.577 INFO CPD Executor CPD calculation finished (done) | time=1206ms
12:17:18.530 INFO Analysis report generated in 828ms, dir size=26.7 MB
12:17:20.267 INFO Analysis report compressed in 1752ms, zip size=5.1 MB
12:17:20.455 INFO Analysis report uploaded in 188ms
12:17:20.455 INFO ANALYSIS SUCCESSFUL, you can find the results at: http://localhost:9000/dashboard?id=CompiledTest01
12:17:20.455 INFO Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
12:17:20.455 INFO More about the report processing at http://localhost:9000/api/ce/task?id=3dcdfab7-77a3-421e-992f-c35a43ce246a
12:17:20.923 INFO Analysis total time: 14:38.444 s
12:17:20.923 INFO SonarScanner Engine completed successfully
12:17:21.472 INFO EXECUTION SUCCESS
12:17:21.487 INFO Total time: 14:41.692s
```
That definitely says Execution Success, but really? That seemed too simple. I had run it without the sonar.java.binaries line once earlier today just to see it fail (which was expected) but I was surprised to see that making it just . actually worked - an idea I got from the sources line.
The web console does pull in data, giving me a list of lots of issues, and explicitly linking them to specific java files. I guess that’s what I should be seeing?
Questions:

1. So…did it work?
2. I did notice that "Security" under "Software Quality" was 0, and greyed out - is scanning for Security type issues a paywalled feature for the Enterprise one, or does the free engine actually do that and my project's code somehow has 0 security findings? "Responsibility" has the same, under "Clean Code".
3. Is exporting all this data, into say some kind of report we can pass around at standups, just an Enterprise licensed feature?
4. Considering the cmd output was an absolute deluge of stuff, is there a keyword to look for to see if some files just didn't actually get scanned? Basically, how can I be sure what I fed in got worked on completely?
Also I noticed these in the cmd output:
```
12:17:17.296 WARN Too many duplication references on file <a project .java file> for block at line 1263. Keep only the first 100 references.
12:17:17.296 WARN Too many duplication references on file <a project .java file> for block at line 1317. Keep only the first 100 references.
12:17:17.561 WARN Too many duplication groups on file <a project .java file> Keep only the first 100 groups.
12:17:17.561 WARN Too many duplication references on file <a project .java file> for block at line 22111. Keep only the first 100 references.
12:17:17.561 WARN Too many duplication references on file <a project .java file> for block at line 21661. Keep only the first 100 references.
12:17:17.561 WARN Too many duplication references on file <a project .java file> for block at line 21664. Keep only the first 100 references.
```
Is this something wrong with my inputs, or is that just something the Sonar scanner has detected with the code itself, and is probably somewhere in the report I see on the web front end?
Thanks to the community here for helping me get my bearings and, evidently now, my feet wet!
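The question of how to tell from a "deluge" of scanner output whether every file actually got analyzed is one a small log check can answer. The script below is an added example written for this thread; it is not code from the post, from SonarSource, or from any SonarQube tooling. It assumes the console output was saved to a file (for instance by appending `> scan.log 2>&1` to the `sonar-scanner.bat` command) and that the log contains the summary lines SonarScanner prints in the releases I have worked with, namely "N files indexed" and, per sensor, "done/total source files have been analyzed"; treat the exact wording of those lines as an assumption and adjust the regular expressions if your version phrases them differently. It also separates the CPD "Too many duplication ... keep only the first 100" warnings, which come from the duplication detector rather than from the Java parser, from any other warnings so the latter stand out. The two sample logs embedded in the block are constructed for the example, not real scanner output.

```python
"""Summarize a SonarScanner console log to check that a scan ran to completion.

Added example for this forum thread, not code from the post or from SonarSource.
Assumes the scanner output was captured to a file, e.g.
    sonar-scanner.bat ... > scan.log 2>&1
and that it contains the summary lines SonarScanner prints (wording assumed from
the versions I have used):
    "<n> files indexed"
    "<done>/<total> source files have been analyzed"
"""
import re
import sys
from pathlib import Path

INDEXED_RE = re.compile(r"\b(\d+) files? indexed\b")
ANALYZED_RE = re.compile(r"\b(\d+)/(\d+) source files? have been analyzed\b")
WARN_RE = re.compile(r"\bWARN\b")
# CPD (copy-paste detector) cap notices, as seen in the poster's output.
CPD_LIMIT_RE = re.compile(r"Too many duplication (?:references|groups)")


def summarize_scan_log(text: str) -> dict:
    """Return the completeness evidence found in the scanner log text."""
    indexed = None
    analyzed = []        # (done, total) for every sensor that reported a count
    warnings = []        # full WARN lines, kept for review
    cpd_truncated = 0    # CPD "keep only the first 100" notices
    success = False
    for line in text.splitlines():
        if m := INDEXED_RE.search(line):
            indexed = int(m.group(1))
        if m := ANALYZED_RE.search(line):
            analyzed.append((int(m.group(1)), int(m.group(2))))
        if WARN_RE.search(line):
            warnings.append(line.strip())
        if CPD_LIMIT_RE.search(line):
            cpd_truncated += 1
        if "EXECUTION SUCCESS" in line:
            success = True
    # "Complete" means the scanner reported success AND every sensor that
    # counted its files analyzed all of them. No count at all is not evidence.
    complete = success and bool(analyzed) and all(d == t for d, t in analyzed)
    return {
        "success": success,
        "files_indexed": indexed,
        "analyzed": analyzed,
        "complete": complete,
        "warning_count": len(warnings),
        "cpd_truncated": cpd_truncated,
        # Warnings that are NOT the CPD cap notices deserve a closer look.
        "other_warnings": [w for w in warnings if not CPD_LIMIT_RE.search(w)],
    }


# Constructed sample logs (not real scanner output), trimmed to the lines the
# summary looks at.
SAMPLE_LOG_OK = """\
12:02:45.210 INFO 132 files indexed
12:17:17.296 WARN Too many duplication references on file Big.java for block at line 1263. Keep only the first 100 references.
12:17:17.561 WARN Too many duplication groups on file Big.java Keep only the first 100 groups.
12:17:18.000 INFO 12/12 source files have been analyzed
12:17:18.100 INFO 3/3 source files have been analyzed
12:17:21.472 INFO EXECUTION SUCCESS
"""

SAMPLE_LOG_PARTIAL = """\
12:02:45.210 INFO 132 files indexed
12:17:18.000 INFO 10/12 source files have been analyzed
12:17:18.050 WARN Unable to parse file 'Broken.java' (constructed message)
12:17:21.472 INFO EXECUTION SUCCESS
"""


def main(argv: list[str]) -> int:
    """Usage: python check_scan_log.py scan.log  (no argument: run on the sample)."""
    if len(argv) > 1:
        text = Path(argv[1]).read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_LOG_OK
    summary = summarize_scan_log(text)
    for key, value in summary.items():
        print(f"{key}: {value}")
    return 0 if summary["complete"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code when `complete` is false makes the check easy to wire into whatever runs the scan, and `other_warnings` is the short list worth reading after a long run. One unrelated note on the command in the post: passing `sonar.token` on the command line leaves the token in the shell history and in process listings on the scanning server; recent SonarScanner CLI releases also read it from the `SONAR_TOKEN` environment variable, which is the better place for it (check the scanner documentation for the version in use).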