Is it possible to analyze Java Code?

  • ALM used (GitHub, private repo)
  • CI system used (Github Action)
  • Scanner command used when applicable (private details masked)
  • Languages of the repository: Java 1.6

Project tree

.
├── dist
│   └── binary.cap
├── init.sh
├── sonar-project.properties
└── src
    ├── Base32.java
    ├── Base64.java

My plan is just to scan the .java source code under the src/ directory.

Our code will be built and deployed locally on a specific computer.
dist/binary.cap is the built binary for Java Card.

Github Action yml

name: SonarCloud
on:
  push:
    branches:
      - ci/ds-4
jobs:
  Sonar-build:
    name: Analyze
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
        env:
          TOKEN: ${{ secrets.ACCESS_TOKEN }}

      - run: pwd && ls -lah

      - name: Set up JDK
        uses: actions/setup-java@v1.4.2
        with:
          java-version: "1.6"

      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        # with:
        #   projectBaseDir: ./dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

sonar-project.properties file

sonar.projectKey=xxx
sonar.organization=xxx
sonar.projectName=xxx
sonar.projectVersion=1.0
sonar.language=java
sonar.sources=./dist
sonar.sourceEncoding=UTF-8

Hi,

Welcome to the community support!

The first post about GH action in this very forum was about Java code.

There is also a specific GitHub Action that we provide, which documents the requirements.

Best.

I checked the link you mentioned, but my goal is to scan RAW .java code only without Maven or Gradle.

My point is: is it possible to scan Java code inside the src folder without Maven, Gradle, .class, bytecode?

I tried sonar-scanner on my computer and somehow played with sonar-project.properties.

Seems like SonarCloud couldn’t analyze xxx.java source code. (Codacy can analyze .java source code)

Any way to get it to work?

Hi edoo,

You can definitely scan your code without Maven and Gradle but I will require more configuration work.

But, you can’t analyze Java code by using only .java files: the code has to be compiled to get the most value out of our Java code analyzer.

Best.

Looks like there is no solution for my use case :cry:

What do you mean by “I will require more configuration work”?

Thanks

The SonarCloud/Gradle integration provides default settings, which removes the pain of writing settings yourself.

Gradle “knows” your project's metadata because it builds the project. So, the SonarCloud plugin can leverage it and make it easy to analyze your code.

For instance, by using Gradle you are not supposed to configure the sonar.java.libraries property in your sonar-project.properties file.

Best.
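
An added example (not from the thread or from SonarSource) of a hand-written sonar-project.properties for the project tree in the question, applying the two points from the replies: the sources are compiled before the scan, and the classpath that Gradle would otherwise supply is set manually. The build/classes and lib/ paths and the javac command in the comments are assumptions.

```properties
# Added example. Assumed layout: .java files in src/, classes compiled
# beforehand into build/classes, dependency jars (for example the Java Card
# API jar) placed in lib/. Neither directory appears in the original tree.
#
# Assumed compile step, run before the scanner:
#   mkdir -p build/classes
#   javac -cp "lib/*" -d build/classes src/*.java

sonar.projectKey=xxx
sonar.organization=xxx
sonar.projectName=xxx
sonar.projectVersion=1.0
sonar.sourceEncoding=UTF-8

# As posted in the question, this pointed at the built .cap file:
#   sonar.sources=./dist
# Point it at the directory that holds the .java files instead.
sonar.sources=src

# Java language level of the code (the question states Java 1.6).
sonar.java.source=1.6

# Compiled .class files for the sources above. The Java analyzer needs
# these, which is why the code has to be compiled first.
sonar.java.binaries=build/classes

# Third-party jars the code compiles against. With Gradle or Maven this is
# filled in automatically; without them it is set by hand.
sonar.java.libraries=lib/*.jar
```

In the GitHub Actions workflow, the compile step has to run after "Set up JDK" and before "SonarCloud Scan" so that build/classes exists when the scanner starts.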
