Maven multi-modules with SonarQube

ndywicki · February 1, 2021, 5:46pm

Hello teams,

We have migrated from version v6.7 to a recent version of SonarQube v8.6.1.

However on a multi-module project configuration I noticed some strange behavior, on the source paths, JaCoCo and finally the way to declare ignore rules globally.

I have created a sample project if that helps: GitHub - ndywicki/sonar-multimodule-maven

This is a Maven multi-modules with a Spring Boot 2 backend an Angular frontend.

With this configuration I’ve noted a strange behavior since the concept of module have removed in the release 7.6 (ie MMF-365)

The sonar-project.properties is defined globally in the root of the project, and loaded with the Maven properties-maven-plugin.
The Angular frontend module is Mavenized with the frontend-maven-plugin.

Versions

SonarQube version: 8.6.1
SonarQube Maven plugging version: 3.8.0.2131

Issues

Source paths frontend module

During the frontend module indexing the source paths is pom.xml instead of the global configuration sonar.sources=src/:

[INFO]   Base dir: /sonar-multimodule-maven/frontend
[INFO]   Source paths: pom.xml
[INFO]   Excluded sources: src/main/webapp/content/**/*.*, src/main/webapp/i18n/*.js, target/classes/static/**/*.*

=> Only the pom.xml file as source path ?

Workaround

Override the source paths for the frontend module in the pom properties or in a sonar-project.properties:

<properties>
<node.version>v12.16.1</node.version>
<npm.version>6.14.5</npm.version>
<!-- Uncomment to override global sonar configuration to handle this module source... -->
<sonar.sources>src/</sonar.sources>
</properties>

JaCoCo is run for all child modules

Even if JaCoCo is not applicable for the frontend and parent modules, the sensor JaCoCo XML Report is running.

Especially for frontends we use the lcov report (via sonar.typescript.lcov.reportPaths)

[WARNING] No coverage report can be found with sonar.coverage.jacoco.xmlReportPaths='target/jacoco/test/jacoco.xml,target/jacoco/integrationTest/jacoco.xml'. Using default locations: target/site/jacoco/jacoco.x
ml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml

=> How to skip the JaCoCo sensor for some modules?

Define global ignore issue

For large projects or in the corporate world, a simple way to control what can
and cannot be ignored by project teams in reports is to use rules in a “super pom” or just in the parent pom.

Example to ignore globally the S3437 rule with the resourceKey rc/main/java/**/*:

# Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient
sonar.issue.ignore.multicriteria.S3437.resourceKey=src/main/java/**/*
sonar.issue.ignore.multicriteria.S3437.ruleKey=squid:S3437

However, this raises warnings because it is necessary to specify all the relative paths:

[WARNING] Specifying module-relative paths at project level in property 'sonar.issue.ignore.multicriteria' is deprecated. To continue matching files like 'backend/src/main/java/com/example/myapp/backend/Backend
Application.java', update this property so that patterns refer to project-relative paths.

I have noted the SONAR-11587 recommendations,
but in the context of a global “super pom” company configuration this is not applicable.
Do you have a solution ?

Thanks you for your help,

Regards,
Nicolas

Margarita_Nedzelska · February 23, 2021, 2:05pm

Hi @ndywicki,

Thank you for your message. Actually when you run analysis via maven scanner analysis is performed for each module separately, that’s why when analysing frontend module the base dir is sonar-multimodule-maven/frontend.

If I understood you correctly, you want to exclude frontend module from analysis? You can do it by setting <sonar.skip>true</sonar.skip> in the pom.xml of the frontend module as described here

If no, could you please clarify the result you want to achieve?

Regards,
Margarita

ndywicki · March 3, 2021, 9:42am

Hi @Margarita_Nedzelska ,

Thanks for your reply.
It’s the opposite, I want to include the frontend.
To sum up, in this case the source code of the frontend is ignored, it take sonar.sources = pom.xml
instead of /src.
I am forced to indicate the sonar.sources in the frontend module while it is not useful for the backend module.

Regards,
Nicolas

Julien_HENRY · March 22, 2021, 5:06pm

Hi,

ndywicki:

Example to ignore globally the S3437 rule with the resourceKey rc/main/java/**/* :

# Rule https://rules.sonarsource.com/java/RSPEC-3437 is ignored, as a JPA-managed field cannot be transient
sonar.issue.ignore.multicriteria.S3437.resourceKey=src/main/java/**/*
sonar.issue.ignore.multicriteria.S3437.ruleKey=squid:S3437

However, this raises warnings because it is necessary to specify all the relative paths:

[WARNING] Specifying module-relative paths at project level in property 'sonar.issue.ignore.multicriteria' is deprecated. To continue matching files like 'backend/src/main/java/com/example/myapp/backend/Backend
Application.java', update this property so that patterns refer to project-relative paths.

First question is why not simply disabling the rule in your quality profile. Multicriteria exclusion is intended to exclude a specific rules on specific (subset of) files, while here it seems to me you want to exclude on all files.
Also you can try:

sonar.issue.ignore.multicriteria.S3437.resourceKey=**/src/main/java/**/*

so that the path pattern will match project relative paths.

I think this is because the properties-maven-plugin only loads properties for the root module. They are not inherited. You should maybe declare those properties directly in the root pom?

If you want to investigate how the Scanner for Maven “see” properties, you can run:
mvn sonar:sonar -Dsonar.scanner.dumpToFile=out.properties and you will see in the file the properties for each modules.