We have a custom Ada plugin written in Java for SonarQube that is able to import the analysis results from external tools stored in a database. A default profile for the Ada language is available using this plugin.
One of the external analysis tools generates a SARIF report that we aim to use with the scanner's capability to import SARIF reports directly. Is there a way to map the rules stored in the SARIF report to the rules of the default profile?
Our Plugin API includes a handy feature that allows you to define a rule and automatically apply its attributes to external rules. Here’s a quick example:
```java
import org.sonar.api.rule.Severity;
import org.sonar.api.server.rule.RulesDefinition;

public class JavaRulesDefinition implements RulesDefinition {

  public static final String REPOSITORY = "eslint_repo";
  public static final String JAVASCRIPT_LANGUAGE = "js";

  @Override
  public void define(Context context) {
    // An external repository: its rules are not activated in a Quality Profile,
    // they only supply attributes for issues imported from an external report.
    NewRepository repository = context.createExternalRepository(REPOSITORY, JAVASCRIPT_LANGUAGE)
        .setName("My Custom Java Analyzer");

    // The rule key must match the rule id used in the imported report.
    NewRule exampleRule = repository.createRule("eslint-example")
        .setName("Example rule")
        .setHtmlDescription("Example rule for importing external issues")
        .setTags("style", "stupid")
        .setSeverity(Severity.MINOR);

    // Technical debt: 30min base effort plus 1h per unit of gap.
    exampleRule.setDebtRemediationFunction(
        exampleRule.debtRemediationFunctions().linearWithOffset("1h", "30min"));

    repository.done();
  }
}
```
I’ll be honest, I haven’t checked this code sample in a while to see if it still works. The important part here is createExternalRepository.
As long as the rule key (in this case, eslint_repo:eslint-example) matches what’s being uploaded to SonarQube as an external issues report, these attributes will be applied to the resulting issues.
However, you’ll still need to ensure your analysis process only runs those rules that are activated in your Quality Profile, if that’s what you’re looking for. If not, SonarQube will still import external rules not defined in this rule repository.
Is that what you’re looking for? Let me know if you have any questions!
Thanks for the pointer and your answer.
I have an additional question. In my custom plugin, multiple analysis results are imported, and these come from different analysis tools. Only for one of these do we have a SARIF report file; the others are stored in an SQLite database and imported by our custom plugin.
Should all the rules of the default profile be created with createExternalRepository, or can we have a mix between the rules (of the SARIF report) created with this and others related to other analyzers (imported through the database using the plugin) created with createRepository?
Also, the rules are set into the default profile from an XML file. Can this XML loader still be used when creating the external rules repository?
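An added illustration, not code from this thread or from the plugin discussed, of how a regular repository and an external one can coexist in a single RulesDefinition, both populated through RulesDefinitionXmlLoader. The repository keys, the "ada" language key and the resource paths are assumptions chosen for the example.

```java
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

import org.sonar.api.server.rule.RulesDefinition;
import org.sonar.api.server.rule.RulesDefinitionXmlLoader;

// Added example; repository keys, language key and resource paths are assumed.
public class AdaRulesDefinition implements RulesDefinition {

  // Language key under which the Ada plugin registers its language (assumed).
  static final String ADA = "ada";
  // Repository for issues raised by the plugin's own sensor (database import).
  static final String DB_REPO = "ada-db";
  // Repository for issues imported from the SARIF report; a result's ruleId must
  // match the <key> of a rule defined here for its attributes to be applied.
  static final String SARIF_REPO = "ada-sarif";

  private final RulesDefinitionXmlLoader xmlLoader;

  // RulesDefinitionXmlLoader is injected by SonarQube's server-side container.
  public AdaRulesDefinition(RulesDefinitionXmlLoader xmlLoader) {
    this.xmlLoader = xmlLoader;
  }

  @Override
  public void define(Context context) {
    // Regular repository: its rules can be activated in a Quality Profile.
    NewRepository dbRepo = context.createRepository(DB_REPO, ADA).setName("Ada DB import");
    loadXml(dbRepo, "/rules/ada-db-rules.xml");
    dbRepo.done();

    // External repository: its rules only carry attributes onto imported issues.
    NewRepository sarifRepo = context.createExternalRepository(SARIF_REPO, ADA)
        .setName("Ada SARIF import");
    loadXml(sarifRepo, "/rules/ada-sarif-rules.xml");
    sarifRepo.done();
  }

  // Both factory methods return a NewRepository, so one XML loader call serves both.
  private void loadXml(NewRepository repo, String resourcePath) {
    InputStream in = getClass().getResourceAsStream(resourcePath);
    if (in == null) {
      throw new IllegalStateException("Missing rule definition file " + resourcePath);
    }
    xmlLoader.load(repo, new InputStreamReader(in, StandardCharsets.UTF_8));
  }
}
```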
Hello again,
I have achieved something by using createExternalRepository. However, the rules in my case are defined through an .xml file, and it seems that the technical debt related information is still ignored.
Here is the .xml defining the rule of the external repository:
```xml
<rule>
  <key>array index check</key>
  <name>array index check</name>
  <description>index value could be outside the array bounds (CWE 120, 124-127, 129-131)</description>
  <type>CODE_SMELL</type>
  <tag>gnatsas</tag>
  <tag>check</tag>
  <remediationFunction>CONSTANT_ISSUE</remediationFunction>
  <remediationFunctionBaseEffort>20min</remediationFunctionBaseEffort>
</rule>
```
Are there any updates on the rule definition format fields for the XML?
Could the severity be added in the rule definition XML instead of being gathered from the .SARIF, which seems to ignore the “level” specified, as indicated in the related documentation page (see the topic already created: The "level" is not taken into account when importing a SARIF report - #6 by MonikaK)?