Need help with focused Sonar / Findbugs Analysis


(Florent Dartora) #1

Good morning,

I have some trouble when focusing the Sonar Analysis on some modules (rather than on the whole project) combined with the use of findbugs.
Here is the information concerning my work environment and the configuration I have tried until now:

Language analyzed is java. Our sonar analysis is launched by the following maven command, applied on the super pom (at the root of our project):
MAVEN_COMMAND="${MAVEN_EXEC} -s ${MAVEN_SETTINGS} -gs ${MAVEN_SETTINGS} -B -U sonar:sonar -Dmaven.repo.local=${MAVEN_REPO_LOCAL} -f pom.xml -Dsonar.analysis.mode=issues -Dsonar.skipPackageDesign=true -Dsonar.host.url=http://*****/sonar

In order to focus the analysis on modified projects only, I added some properties to the command, such as:
-Dsonar.sources, with the absolute path to the modified classes in the analyzed review
-Dsonar.exclusions=**/src/test/java/**/*.java,**/tests/**/*.java
-Dsonar.java.binaries, with the absolute path of the "target/classes" directories (compiled code) of all modified modules, separated by commas
-Dsonar.java.libraries, with the absolute path of the internal and external libraries of our application (jars)

While this configuration works, in that it performs the Sonar Analysis and detects the rules activated in the quality profile, the problem is the following:
For each analysis, we spend a lot of time generating findbugs output reports (from 2 to 5 minutes per report). When the review modifies only 1 module (1 java class), it exports 5 findbugs reports, taking 10 minutes in total. However, when the review modifies 10 modules (1 java class from 10 different modules), the analysis exports 18 findbugs reports, which takes 1 hour!

Thus,

  1. Why is the findbugs output report so time-consuming, and why does the analysis export more reports than the number of modified modules (e.g. 5 reports for 1 modified class) in my review?

  2. Is there a way to deactivate the findbugs output report generation? (I tried to use a quality profile without findbugs rules activated, and to add the properties -Dfindbugs.enable=false -Dfindbugs.findbugsXmlOutput=false -Dfindbugs.xmlOutput=false to the maven command, but it didn't work.)

  3. If I pass only the sonar.sources property and the sonar.java.binaries property filled with the jars directory, the sonar analysis fails, saying it can't find compiled classes. Why am I forced to pass the "target/classes" directories for the analysis, rather than the jars directory?

Many thanks for your time and your help. Tell me if you need additional information or more precise explanations.

Versions used:
SonarQube: 6.5
sonar-maven-plugin: 3.4.0.905
sonar-findbugs-plugin: 3.6.0
sonar-java-plugin: 4.15.0.12310

Best Regards
FDartora
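As an added illustration of the per-review setup described in this post (not code from the thread or from SonarSource): a POSIX sh script that derives the -Dsonar.sources and -Dsonar.java.binaries values from a list of modified files, keeping only main Java sources and only modules that actually have compiled target/classes. It assumes a module is the nearest ancestor directory holding a pom.xml, and it builds a small constructed project tree for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compute the focused-analysis properties
# for sonar:sonar from a list of changed files.
# Assumption: a module is the nearest ancestor directory containing a pom.xml.

# module_of FILE -> prints FILE's module directory, or fails if none is found
module_of() {
  d=$(dirname "$1")
  while :; do
    if [ -f "$d/pom.xml" ]; then printf '%s\n' "$d"; return 0; fi
    case "$d" in .|/) return 1 ;; esac
    d=$(dirname "$d")
  done
}

# sonar_focus_args LISTFILE -> prints the two -D options for the changed modules.
# Test sources are skipped (the post excludes them anyway); a module without
# target/classes is reported and skipped, which avoids the "can't find compiled
# classes" failure mentioned in question 3.
sonar_focus_args() {
  sources=""; binaries=""
  while IFS= read -r f; do
    case "$f" in */src/main/java/*.java) ;; *) continue ;; esac
    m=$(module_of "$f") || { echo "warning: no pom.xml above $f" >&2; continue; }
    if [ ! -d "$m/target/classes" ]; then
      echo "warning: $m has no target/classes, build it first" >&2; continue
    fi
    sources="${sources:+$sources,}$f"
    case ",$binaries," in
      *",$m/target/classes,"*) ;;                       # already listed
      *) binaries="${binaries:+$binaries,}$m/target/classes" ;;
    esac
  done < "$1"
  printf '%s\n' "-Dsonar.sources=$sources -Dsonar.java.binaries=$binaries"
}

# make_fixture DIR -> constructed two-module multi-module project for the demo
make_fixture() {
  mkdir -p "$1/modA/src/main/java/a" "$1/modA/target/classes" \
           "$1/modB/src/main/java/b" "$1/modB/src/test/java/b" "$1/modB/target/classes"
  touch "$1/pom.xml" "$1/modA/pom.xml" "$1/modB/pom.xml" \
        "$1/modA/src/main/java/a/One.java" "$1/modA/src/main/java/a/Two.java" \
        "$1/modB/src/main/java/b/Three.java" "$1/modB/src/test/java/b/ThreeTest.java"
}

# Demo: three main classes in two modules plus one test class in the change list.
demo=$(mktemp -d); make_fixture "$demo"
printf '%s\n' "$demo/modA/src/main/java/a/One.java" "$demo/modA/src/main/java/a/Two.java" \
  "$demo/modB/src/main/java/b/Three.java" "$demo/modB/src/test/java/b/ThreeTest.java" > "$demo/changed.txt"
sonar_focus_args "$demo/changed.txt"
```

The printed options can be appended to the MAVEN_COMMAND above; note that reply #2 below advises against varying these properties between runs on the same project key.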


(Tibor Blenessy) #2

Hello,

I don’t think sonar-findbugs maintainers are monitoring this forum, you can try to ask on their project page on how to improve findbugs performance.

Another option you could consider is to use only SonarJava plugin for the analysis. We believe that we match findbugs in capabilities. If you have a concrete reason to use findbugs, please share it here.

That being said, the way you are trying to analyze your projects is not going to work well in the long term. The properties of the analysis are not supposed to be changed between different runs, because you are going to lose history and metrics will be skewed (lines of code changing randomly, etc). The whole project should be analyzed every time.

Also, note that sonar.analysis.mode is deprecated and should not be used anymore.


(Florent Dartora) #3

Good morning,

Many thanks for your reply.
I will add an issue on the findbugs plugin project page.

Are you sure the SonarJava plugin and Findbugs have the same capabilities? In our case, we use both the Findbugs plugin and the SonarJava plugin, but some of our activated rules are only located in the findbugs repository…

In fact, we perform a sonar analysis on the whole project each night during our nightly build. However, during working hours, developers are pushing reviews which are generally very small (a few java classes). In this case, we do not want to run the analysis on the whole project, in order to save time. What is the best way to do this if sonar.analysis.mode=issues is now deprecated?

Again, many thanks for your help and time.

Best Regards,
FDartora


(Tibor Blenessy) #4

Yes, I do think so. Which Findbugs rules not available in SonarJava do you use?

What we do internally is that we run a full analysis on every pull request, and performance is good enough (a few minutes). For immediate feedback in the IDE, consider using SonarLint.


(Florent Dartora) #5

Hello,

In fact, I can't find even one rule which is both in the Findbugs repository and in the SonarAnalyzer repository.
On the enclosed screenshot, you can see some of the rules I have in the Findbugs repo. When I take one rule and search in the SonarAnalyzer repo, I can't find a similar rule (let's take the first one for example: "Abstract class defines covariant compareTo() method").
But maybe that's not the right way to proceed?

Many thanks for your reply,
Best Regards,


(Colin Mueller) #6

Florent,

This report might shed some light on findbugs/sonarjava parity.

http://dist.sonarsource.com/reports/coverage/findbugs.html

Colin