Is it possible to integrate 3rd party code analysis into SonarQube?

Maxwell · May 15, 2019, 1:09pm

I want to integrate SonarQube into our continuous integration pipeline. Our current pipeline already runs tools to generate reports for each code branch that include compiler warnings, static analyzer warnings, code coverage, test failures, etc.

The only missing pieces are that

These reports aren’t integrated with our source code; we view them separately. I know that SonarQube can integrate with our git host (BitBucket) to show issues inline
We can’t easily see the delta of issues, only the full list. I know that SonarQube can show you only newly introduced issues

The problem is the only documentation I can find for extending SonarQube functionality is at the source code level. I.e. adding a new language analyzer or extending an existing analyzer. But I don’t need SonarQube to scan anything since the analysis is already done! I just want to add the existing reports into SonarQube.

Is that possible? Is it documented somewhere?

Colin · May 15, 2019, 1:17pm

SonarQube plays well with others!

Depending on the language, SonarQube can easily facilitate the import of 3rd party code analysers alongside the results of 1st-party (SonarSource) analysers. Here are some examples.
– Java: Importing SpotBugs, FindSecBugs, PMD, Checkstyle Issues Reports
– C#: Importing Issues from Third-Party Roslyn Analyzers (C#, VB.NET)
Where there’s not a built in integration, there’s Generic Issue Data if you’re ready to massage your reports into a format SonarQube can ingest
Finally, some community-supported analyzers can facilitate the execution / importing of external analyzers, checkout our Plugin Library > External Analyzers

Hope this helps!

Colin

Maxwell · May 16, 2019, 2:11pm

I converted my code coverage to SonarQube’s format and tried to run sonar-scanner

INFO: Sensor Generic Coverage Report
INFO: Parsing /Users/me/proj/myapp/coverage.xml
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 59.381s
INFO: Final Memory: 31M/2414M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: Error during parsing of the generic coverage report '/Users/me/proj/myapp/coverage.xml'. Look at SonarQube documentation to know the expected XML format.
ERROR: Caused by: Line 2 of report refers to a file with an unknown language: /Users/me/proj/myapp/ActivationFramework/Aggregator.co

According to someone on stack overflow, I can’t import code coverage unless I have a code analyzer for the source code.

Is that the case? Because, again, all of the analysis is already done. I just want to import it into SonarQube. Or do I still need to set up a proper plugin so that all of my source files count as analyzed?