Importing 3rd party issues into SonarQube is a very good feature for us, letting us do more integration in the same report without changing tools. But here is a limitation: I need to do a full scan with sonar-scanner for my code and add the param -Dsonar.branch.name='xxx' to attach the 3rd party issues. This is very inefficient and not a good experience, because I just want to attach the issues, not run a full scan again of what I have already executed.
So is it doable to add a new param so that I can just upload or attach the 3rd party report to SonarQube without scanning again? I think that would be great for all developers, thx a lot.
It’s not possible to enrich an analysis with data after the fact. In the context of a CI/CD pipeline (not manual scans), I’m not sure why you would want to in this case. How do you guarantee the third-party issue report was generated for the same commit as you analyzed with SonarQube?
Colin, many thanks for your quick response.
In our pipeline the flow is like this: for each master release, we use sonar-scanner to scan our code first and submit it to the dashboard on the master branch. At the same time, we use a 3rd party tool like woke to scan the same repo code, and we also want to send that report to SonarQube on a woke branch. So in this step we only want to upload the report without the scanner; that's what we want to do, thx a lot.
So I guess my next question is: why not just run your third-party tool before the sonar scanner, so the information is available to the scanner?
Colin, yes, I have tried it, but here is a limitation. When I used woke to get a result, such as woke_result.json, it included 50 files. But when I tried to import them with sonar-scanner by adding the param -Dsonar.externalIssuesReportPaths=woke_result.json, the problem is that sonar-scanner excludes some files which I have already set in sonar.exclusions, like test/css, but the 3rd party result still needs to cover these files, so the final report is missing this part. That's why I want this new feature.
It sounds like you want to upload analysis results for files that haven’t been scanned by SonarQube (files which you’ve excluded). Unfortunately, it doesn’t work like that – files must be analyzed by SonarQube to have third-party issues attached.
If those files aren’t analyzed by SonarQube – how would the results of the third-party scan be able to be tied to anything SonarQube side?
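As an added example (not code from this thread, from SonarSource or from the woke project), the script below converts woke's JSON output into the SonarQube generic issue format consumed by sonar.externalIssuesReportPaths, and drops issues whose file matches a sonar.exclusions pattern, listing them so the gap described above is visible at conversion time instead of being discovered as missing issues in the dashboard. The woke field names (Filename, Results, Rule.Name, Rule.Severity, Reason, StartPosition, EndPosition), the sample output, the exclusion list and the severity mapping are assumptions constructed for the example; check the field names against your woke version.

```python
import json
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample of woke JSON-lines output (one object per file).
# Field names are an assumption about woke's -o json output, not verified here.
WOKE_OUTPUT = """\
{"Filename":"src/main.js","Results":[{"Rule":{"Name":"whitelist","Severity":"warning"},"Reason":"`whitelist` may be insensitive, use `allowlist` instead","StartPosition":{"Line":12,"Column":4},"EndPosition":{"Line":12,"Column":13}}]}
{"Filename":"test/css/legacy.css","Results":[{"Rule":{"Name":"master-slave","Severity":"error"},"Reason":"`master` may be insensitive, use `primary` instead","StartPosition":{"Line":3,"Column":0},"EndPosition":{"Line":3,"Column":6}}]}
{"Filename":"vendor/app.min.js","Results":[{"Rule":{"Name":"blacklist","Severity":"info"},"Reason":"`blacklist` may be insensitive, use `denylist` instead","StartPosition":{"Line":1,"Column":0},"EndPosition":{"Line":1,"Column":9}}]}
"""

# Placeholder values mirroring what sonar.exclusions would contain in sonar-project.properties.
SONAR_EXCLUSIONS = ["test/css/**", "**/*.min.js"]

# Assumed mapping from woke severities to SonarQube generic-format severities.
SEVERITY_MAP = {"error": "MAJOR", "warning": "MINOR", "info": "INFO"}


def glob_to_regex(pattern: str) -> Pattern[str]:
    """Translate a SonarQube-style path glob into an anchored regex.

    '**/' matches zero or more directories, '**' matches anything,
    '*' matches within one path segment and '?' matches one character.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out += "(?:.*/)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def is_excluded(path: str, patterns: List[str]) -> bool:
    """True if the scanner would skip this file under sonar.exclusions."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def convert(woke_jsonl: str, exclusions: List[str]) -> Tuple[Dict, List[Tuple[str, str]]]:
    """Build a generic-format report and a list of (file, rule) pairs that were dropped
    because the scanner will not analyze that file and so cannot attach issues to it."""
    issues, skipped = [], []
    for line in woke_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        path = record["Filename"]
        for result in record.get("Results", []):
            rule = result["Rule"]["Name"]
            if is_excluded(path, exclusions):
                skipped.append((path, rule))
                continue
            issues.append({
                "engineId": "woke",
                "ruleId": rule,
                "severity": SEVERITY_MAP.get(result["Rule"].get("Severity", "warning").lower(), "MINOR"),
                "type": "CODE_SMELL",
                "primaryLocation": {
                    "message": result["Reason"],
                    "filePath": path,
                    # Generic format: lines are 1-based, columns 0-based with endColumn exclusive.
                    "textRange": {
                        "startLine": result["StartPosition"]["Line"],
                        "endLine": result["EndPosition"]["Line"],
                        "startColumn": result["StartPosition"]["Column"],
                        "endColumn": result["EndPosition"]["Column"],
                    },
                },
            })
    return {"issues": issues}, skipped


if __name__ == "__main__":
    report, dropped = convert(WOKE_OUTPUT, SONAR_EXCLUSIONS)
    with open("woke_sonar.json", "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    for path, rule in dropped:
        print(f"dropped: {path} ({rule}) matches sonar.exclusions; remove the exclusion to import it")
```

Run it before sonar-scanner and pass the output with -Dsonar.externalIssuesReportPaths=woke_sonar.json; the "dropped" lines are exactly the findings that will never reach the dashboard unless the matching exclusion is removed.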
Yes, but the problem is that when SonarQube scans these files, it will still trigger the default java/css/script rules to scan them again, which I don't want. In short, I only want to upload the 3rd party report without any scan action. Anyway, I can use a txt report instead of reporting in SonarQube for my 3rd party tool, so this is a nice-to-have for the Sonar team. If this new feature can be implemented in SonarQube, that would be great for my case. Thank you all the time.