Java Symbolic Execution

Hello all,
I’m facing issues with the plugin obtained from java-symbolic-execution. In a previous post, I inquired about a way to avoid NullPointerException. Consequently, I’m attempting to achieve this using Method Behaviors. I’ve created a JSON file and added it to the BehaviorCache, but I’m encountering several problems and uncertainties.

  1. In order to create a plugin from java-symbolic-execution and enable SonarQube to interpret my new behavior, should I proceed as with java-custom-rules? In other words, do I need to use “mvn clean install” in the pom.xml of java-symbolic-execution, and then place it in the /extensions/plugins directory without configuring docker-compose?
  2. While using mvn install, I’m encountering test failures. To mitigate this, I’m employing the following command: mvn install -Dmaven.test.skip=true. However, I’m unsure if this is affecting the resulting plugin.
  3. This issue might be linked to the second point. The generated plugin has an almost empty MANIFEST.MF file, which is causing some problems. Upon placing the plugin in my local SonarQube instance and attempting to run it, I’m encountering errors like “missing plugin key.” I’ve manually entered some data, but I’m then encountering further errors.

Thank you, Rafael

Hello Rafael,

First and foremost, let me highlight that we do not support customizing our included analyzers. If you want to go down that path, it is possible but you are on your own.

That being said, I can provide you with some pointers for the questions you have brought up.

  1. In principle, a mvn clean install is exactly what you want to do to build the analyzer. The resulting build artifact can be found in sonar-java-plugin/target/. Note that since sonar-java is a built-in component of SonarQube, you will need to replace the corresponding jar file in lib/extensions/ instead of extensions/plugins. Again, this is outside of the scope of the support we provide.
  2. Obviously it is better if tests pass. You may want to look into which tests are failing and why to make a decision on whether this is likely going to pose a problem.
  3. Not sure about this one. Try to go ahead with the instructions I gave in step 1; the resulting artifact should contain all required data.

Note that any upgrade to your SonarQube instance will result in a new sonar-java analyzer being deployed. This means that your custom version of the Java analyzer will be overwritten. You will need to maintain and update a fork of sonar-java to be able to keep your changes in future SonarQube versions.

If you believe that the method behaviors could benefit many other people as well, you can also consider asking for these to be added to the official Java analyzer’s data set, which would avoid the need to maintain a fork of sonar-java. We can then evaluate whether it makes sense to add them.
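
A check for the “missing plugin key” symptom from point 3, as an added example that is not part of the thread or of SonarQube's own code: it reads META-INF/MANIFEST.MF from a built jar and lists the plugin attributes that are absent, so the artifact can be verified before it replaces the jar in lib/extensions/. The attribute names in `REQUIRED` are an assumption (those written by SonarQube's plugin packaging), and the sample manifests are constructed.

```python
import io
import zipfile

# Assumption: attributes SonarQube's plugin packaging writes into a plugin jar.
REQUIRED = ("Plugin-Key", "Plugin-Class", "Plugin-Version")

def parse_manifest(text):
    """Parse the main section of a JAR manifest, joining continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:                          # blank line ends the main section
            break
        if line.startswith(" ") and last:     # continuation of the previous value
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if sep:
            last = name
            attrs[name] = value
    return attrs

def missing_plugin_attributes(jar):
    """Return the required attributes absent from the jar's MANIFEST.MF."""
    with zipfile.ZipFile(jar) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF")
        except KeyError:                      # jar has no manifest at all
            return list(REQUIRED)
    attrs = parse_manifest(raw.decode("utf-8"))
    return [name for name in REQUIRED if not attrs.get(name, "").strip()]

def build_sample_jar(manifest):
    """Build an in-memory jar holding only the given manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    buf.seek(0)
    return buf

# Constructed samples: a near-empty manifest and one carrying plugin metadata.
BARE = "Manifest-Version: 1.0\r\nCreated-By: Maven JAR Plugin\r\n\r\n"
FULL = ("Manifest-Version: 1.0\r\nPlugin-Key: sample\r\nPlugin-Version: 0.0.0-SAMPLE\r\n"
        "Plugin-Class: org.example.sample.VeryLongPackageName.Sub\r\n package.SamplePlugin\r\n\r\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                 # e.g. the jar found under target/
        print(path, "missing:", missing_plugin_attributes(path) or "none")
```

Run it with the path of the built jar as its argument; an empty result means the manifest carries the checked attributes.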

Thanks for the previous answer! I have done everything that you said, and now SonarQube doesn’t throw any errors, but I don’t see the change. So now I have new questions that need to be answered, please.
Is there any way to test it without analyzing the project?
Does the change appear as a rule? And if that’s the case, is the rule supposed to appear in the quality profile in Java, like it happens with custom_rules_101? (picture below → Testing Custom Rule) Or inside SonarWay BUILT-IN? Can I search for it? Because in the JSON there’s no name.