Hi - I am new to SonarQube and trying to get my project to fail when I introduce bugs or vulnerabilities. I am using SonarQube version 7.5.0.20543. I have created some errors in my Java code:
    int z = 0;
    if (z == 0) {
        z = 1 / z; // Noncompliant, possible division by zero
    }
And then I run the following …
mvn clean verify sonar:sonar -Dsonar.host.url=http://sonar.xxxxxxx
And the console output says [INFO] ANALYSIS SUCCESSFUL
My Quality gate - has just out of the box Sonar way conditions.
Also, in Quality Profiles I made FindBugs as child of Sonar Way.
Analysis will never fail your Maven build, regardless of your Quality Gate status. You can fail a Jenkins pipeline for a failing Quality Gate, however. More in the docs:
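As an added example (not code from the thread or from SonarSource), the same "fail on a red Quality Gate" step done from a plain shell instead of a Jenkins pipeline: it reads the ceTaskUrl that the scanner writes to target/sonar/report-task.txt (the same api/ce/task link the Maven log prints), waits for the server to process the report, then exits non-zero when the gate status is ERROR. It assumes a SonarQube token in SONAR_TOKEN and the 7.x endpoints api/ce/task and api/qualitygates/project_status.

```shell
# Pull one key=value entry from the scanner's report-task.txt.
report_value() {   # $1 = file, $2 = key
  sed -n "s/^$2=//p" "$1"
}

# Extract the FIRST occurrence of a string field from a small JSON body
# read on stdin (project_status repeats "status" once per condition, so
# taking the first one yields the overall gate status, not a condition's).
json_field() {     # $1 = field name
  grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | sed 's/.*:"//; s/"$//'
}

# 0 when the gate passed, 1 for ERROR or anything unexpected (e.g. NONE).
gate_passed() {    # $1 = Quality Gate status string
  [ "$1" = "OK" ]
}

# Poll the compute-engine task until it finishes; print its analysisId.
wait_for_ce_task() {  # $1 = ceTaskUrl from report-task.txt
  while :; do
    body=$(curl -sf -u "$SONAR_TOKEN:" "$1") || return 1
    status=$(printf '%s' "$body" | json_field status)
    case "$status" in
      PENDING|IN_PROGRESS) sleep 5 ;;
      SUCCESS) printf '%s' "$body" | json_field analysisId; return 0 ;;
      *) echo "Report processing ended with status: $status" >&2; return 1 ;;
    esac
  done
}

# Usage after `mvn verify sonar:sonar`: check_quality_gate target/sonar/report-task.txt
check_quality_gate() {  # $1 = path to report-task.txt
  server=$(report_value "$1" serverUrl)
  task_url=$(report_value "$1" ceTaskUrl)
  analysis_id=$(wait_for_ce_task "$task_url") || return 1
  gate=$(curl -sf -u "$SONAR_TOKEN:" \
    "$server/api/qualitygates/project_status?analysisId=$analysis_id" | json_field status)
  echo "Quality Gate status: $gate"
  gate_passed "$gate"
}
```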
Whether or not an issue is raised, and what its type is, are entirely different questions from “failing [the] build”.
First, such an issue won’t be raised as a Vulnerability because that rule’s type is “Bug”. Second, do you confirm that you analyzed with a profile that includes that rule? And also that you provided freshly compiled classes to the analysis?
Okay - I was just testing and it does not show up as a Bug either. The source screenshot I had attached earlier was from SonarQube. Doesn’t that mean it is been analyzed?
One would think. Are you sure the Divide by Zero rule is included in the (Java, right?) profile you used to analyze the project? You can double check from your project’s homepage. At the bottom right you’ll see the profiles used in the last analysis. You can click through there to get to the profile’s page and eventually to its list of rules.
Assuming your answer after checking that is “yes” then we’ll need to debug the analysis…
Your Java quality profile is named FindBugs. I’m guessing it only includes rules from FindBugs. That would be why you don’t see the Divide by Zero issue: that rule doesn’t come from FindBugs but from SonarJava.
Also, I have added some code to trigger FindBugs, like the following, where a RequestMapping method is marked private; it should have caught that as a vulnerability.
sonar.verbose=true
sonar.log.level=DEBUG
$ mvn clean verify sonar:sonar -Dsonar.host.url=http://sonar.clouddev.thermofisher.net
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for com.fishersci:analyze-recommendation-data:jar:0.0.1-SNAPSHOT
[WARNING] 'build.plugins.plugin.version' for org.apache.maven.plugins:maven-eclipse-plugin is missing. @ line 144, column 12
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[WARNING] The POM for org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 is missing, no dependency information available
[WARNING] Failed to retrieve plugin descriptor for org.eclipse.m2e:lifecycle-mapping:1.0.0: Plugin org.eclipse.m2e:lifecycle-mapping:1.0.0 or one of its dependencies could not be resolved: Failure to find org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 in https://maven.oracle.com was cached in the local repository, resolution will not be reattempted until the update interval of maven.oracle.com has elapsed or updates are forced
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building analyze-recommendation-data 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ analyze-recommendation-data ---
[INFO] Deleting D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target
[INFO]
[INFO] --- maven-enforcer-plugin:1.4.1:enforce (enforce-versions) @ analyze-recommendation-data ---
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:resources (default-resources) @ analyze-recommendation-data ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\src\main\resources
[INFO] skip non existing resourceDirectory D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\src\main\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.7.0:compile (default-compile) @ analyze-recommendation-data ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 6 source files to D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target\classes
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:testResources (default-testResources) @ analyze-recommendation-data ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.7.0:testCompile (default-testCompile) @ analyze-recommendation-data ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 1 source file to D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target\test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ analyze-recommendation-data ---
[INFO]
[INFO] -------------------------------------------------------
[INFO] T E S T S
[INFO] -------------------------------------------------------
[INFO] Running com.fishersci.AppTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.029 s - in com.fishersci.AppTest
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO]
[INFO] --- maven-jar-plugin:3.1.0:jar (default-jar) @ analyze-recommendation-data ---
[INFO] Building jar: D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target\analyze-recommendation-data-0.0.1-SNAPSHOT.jar
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building analyze-recommendation-data 0.0.1-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 is missing, no dependency information available
[WARNING] Failed to retrieve plugin descriptor for org.eclipse.m2e:lifecycle-mapping:1.0.0: Plugin org.eclipse.m2e:lifecycle-mapping:1.0.0 or one of its dependencies could not be resolved: Failure to find org.eclipse.m2e:lifecycle-mapping:jar:1.0.0 in https://maven.oracle.com was cached in the local repository, resolution will not be reattempted until the update interval of maven.oracle.com has elapsed or updates are forced
[INFO]
[INFO] --- sonar-maven-plugin:3.5.0.1254:sonar (default-cli) @ analyze-recommendation-data ---
[INFO] User cache: C:\Users\p00rg\.sonar\cache
[INFO] SonarQube version: 7.5.0
[INFO] Default locale: "en_US", source code encoding: "UTF-8"
[INFO] Publish mode
[INFO] Load global settings
[INFO] Load global settings (done) | time=274ms
[INFO] Server id: EB437561-AWVdwTF_tyL0sBcCmN1c
[INFO] User cache: C:\Users\p00rg\.sonar\cache
[INFO] Load/download plugins
[INFO] Load plugins index
[INFO] Load plugins index (done) | time=137ms
[INFO] Load/download plugins (done) | time=161ms
[INFO] Loaded core extensions:
[INFO] Process project properties
[INFO] Execute project builders
[INFO] Execute project builders (done) | time=3ms
[INFO] Load project repositories
[INFO] Load project repositories (done) | time=83ms
[INFO] Load quality profiles
[INFO] Load quality profiles (done) | time=208ms
[INFO] Load active rules
[INFO] Load active rules (done) | time=2684ms
[INFO] Load metrics repository
[INFO] Load metrics repository (done) | time=43ms
[INFO] Project key: com.fishersci:analyze-recommendation-data
[INFO] Project base dir: D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated
[INFO] ------------- Scan analyze-recommendation-data
[INFO] Base dir: D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated
[INFO] Working dir: D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target\sonar
[INFO] Source paths: pom.xml, src/main/java
[INFO] Test paths: src/test/java
[INFO] Source encoding: UTF-8, default locale: en_US
[INFO] Index files
[INFO] Excluded sources:
[INFO] **/build/**
[INFO] **/test**
[INFO] Excluded tests:
[INFO] **/build/**
[INFO] 8 files indexed
[INFO] 0 files ignored because of inclusion/exclusion patterns
[INFO] Quality profile for java: Sonar way
[INFO] Quality profile for xml: Sonar way
[INFO] Excluded sources for coverage:
[INFO] **/build/tmp/**
[INFO] build/test**
[INFO] **/build/reports/**
[INFO] **/build/libs/**
[INFO] **/build/test/**
[INFO] Sensor JavaSquidSensor [java]
[INFO] Configured Java source version (sonar.java.source): 8
[INFO] JavaClasspath initialization
[INFO] JavaClasspath initialization (done) | time=20ms
[INFO] JavaTestClasspath initialization
[INFO] JavaTestClasspath initialization (done) | time=17ms
[INFO] Java Main Files AST scan
[INFO] 6 source files to be analyzed
[INFO] 6/6 source files have been analyzed
[WARNING] Classes not found during the analysis : [scala.Predef$$less, scala.Predef$$less$colon, scala.collection.parallel.mutable.ParHashMapCombiner$table]
[INFO] Java Main Files AST scan (done) | time=1429ms
[INFO] Java Test Files AST scan
[INFO] 1 source files to be analyzed
[INFO] 1/1 source files have been analyzed
[INFO] Java Test Files AST scan (done) | time=29ms
[INFO] Sensor JavaSquidSensor [java] (done) | time=2033ms
[INFO] Sensor JaCoCo XML Report Importer [jacoco]
[INFO] Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
[INFO] Sensor SurefireSensor [java]
[INFO] parsing [D:\TF_GIT_CLONES\fs-analyze-recommendation-data-deprecated\target\surefire-reports]
[INFO] Sensor SurefireSensor [java] (done) | time=81ms
[INFO] Sensor JaCoCoSensor [java]
[INFO] JaCoCo report not found: 'target/jacoco.exec'
[INFO] JaCoCo report not found: 'target/jacoco-it.exec'
[INFO] Sensor JaCoCoSensor [java] (done) | time=1ms
[INFO] Sensor SonarJavaXmlFileSensor [java]
[INFO] 1 source files to be analyzed
[INFO] Sensor SonarJavaXmlFileSensor [java] (done) | time=357ms
[INFO] 1/1 source files have been analyzed
[INFO] Sensor XML Sensor [xml]
[WARNING] Metric 'comment_lines_data' is deprecated. Provided value is ignored.
[INFO] Sensor XML Sensor [xml] (done) | time=109ms
[INFO] Sensor Zero Coverage Sensor
[INFO] Sensor Zero Coverage Sensor (done) | time=19ms
[INFO] Sensor Java CPD Block Indexer
[INFO] Sensor Java CPD Block Indexer (done) | time=31ms
[INFO] SCM provider for this project is: git
[INFO] 1 files to be analyzed
[INFO] 0/1 files analyzed
[WARNING] Missing blame information for the following files:
[WARNING] * src/main/java/com/fishersci/recommendations/controller/TestController.java
[WARNING] This may lead to missing/broken features in SonarQube
[INFO] 1 file had no CPD blocks
[INFO] Calculating CPD for 5 files
[INFO] CPD calculation finished
[INFO] Analysis report generated in 121ms, dir size=114 KB
[INFO] Analysis reports compressed in 42ms, zip size=36 KB
[INFO] Analysis report uploaded in 228ms
[INFO] ANALYSIS SUCCESSFUL, you can browse http://sonar.clouddev.thermofisher.net/dashboard?id=com.fishersci%3Aanalyze-recommendation-data
[INFO] Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] More about the report processing at http://sonar.clouddev.thermofisher.net/api/ce/task?id=AWg0XRHCAAZQbCWAzgme
[INFO] Task total time: 8.529 s
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 19.291 s
[INFO] Finished at: 2019-01-09T15:45:53-05:00
[INFO] Final Memory: 88M/1360M
[INFO] ------------------------------------------------------------------------
Does MySQL have anything to do with this? Also, how can I troubleshoot and find out why this is not working? Is there any logging I can turn on on the SonarQube server side? Why would Coverage and Duplication work but Bug and Vulnerability not work?
From your analysis log, we can see that SonarJava is triggered, and rules are theoretically executed:
[INFO] Sensor JavaSquidSensor [java]
[INFO] Configured Java source version (sonar.java.source): 8
[INFO] JavaClasspath initialization
[INFO] JavaClasspath initialization (done) | time=20ms
[INFO] JavaTestClasspath initialization
[INFO] JavaTestClasspath initialization (done) | time=17ms
[INFO] Java Main Files AST scan
[INFO] 6 source files to be analyzed
[INFO] 6/6 source files have been analyzed
[WARNING] Classes not found during the analysis : [scala.Predef$$less, scala.Predef$$less$colon, scala.collection.parallel.mutable.ParHashMapCombiner$table]
[INFO] Java Main Files AST scan (done) | time=1429ms
[INFO] Java Test Files AST scan
[INFO] 1 source files to be analyzed
[INFO] 1/1 source files have been analyzed
[INFO] Java Test Files AST scan (done) | time=29ms
[INFO] Sensor JavaSquidSensor [java] (done) | time=2033ms
The SonarQube UI screenshot you are showing is however not displaying any issue at all… for all the files. So it’s quite strange to me. When testing it on a tiny project containing only your sample code, the rule is correctly triggered:
I have no idea why your code is now not triggering any issue for rule squid:S3518. Your Quality Profile obviously inherits from Sonar way, so I would expect the rule to be enabled by default. Can you please verify that the rule is enabled in your profile?
Could you also try to set up a simple quality profile with only one rule enabled, S3518, run your analysis, and check that the issue is raised?
Please make sure to also associate your Quality Profile to the project.
Hi Michael - I tried that too and it still does not trigger… Here are the screenshots and logs. I created a new Quality Profile, TestSquidS3518, and associated my project with that profile.
Okay, thanks for trying. Unfortunately, this is not helping much.
Most of the Java rules require bytecode to be executed. If bytecode is not provided, then those rules simply won’t be executed. Now, if you are using Maven, by default everything should work pretty well, without requiring any extra configuration.
I however have the feeling that the issue could come from a problem of analysis configuration.
Could you provide the sources of your small test project and most importantly, the steps you are executing in order to trigger the analysis? I have the feeling that there is something missing in the process.
I see this in the log:
[INFO] 0 files ignored because of inclusion/exclusion patterns
[INFO] Quality profile for java: TestSquidS3518
[INFO] Quality profile for xml: Sonar way
[INFO] Excluded sources for coverage:
[INFO] **/build/tmp/**
[INFO] build/test**
[INFO] **/build/reports/**
[INFO] **/build/libs/**
[INFO] **/build/test/**
[INFO] Sensor JavaSquidSensor [java]
The source is pretty simple…
    public String getUserConsent() {
        String response = "Hello";
        Object status = "200";
        int z = 0;
        if (z == 0) {
            z = 1 / z; // Noncompliant, possible division by zero
        }
        z = +1;
        return response;
    }