We upgraded from Sonarqube 9.4 to 9.9 LTS.
Earlier, the issues for code lines marked with //NOSONAR used to not show up in the report but now they do.
I could not see anything in the release notes about any change in behavior. What could be the reason for this?
Hey there.
What language(s) are affected here?
Java mainly.
Nothing should have changed there.
Can you provide a screenshot or a reproducer where an issue is raised despite NOSONAR?
Thanks.
It looks like that issue is being raised by GitHub - spotbugs/sonar-findbugs: SpotBugs plugin for SonarQube. Is this plugin installed on your SonarQube instance, or are you importing third-party issues?
Yes we do have the findbugs plugin
Thanks.
In my tests, I can use NOSONAR to suppress issues raised by this plugin.
I would suggest raising an issue with the maintainer of the plugin if you experience different behavior.
Hello @Colin
Sorry to unearth an old thread but this was jus brought to my attention from here: NOSONAR not ignored · Issue #1034 · spotbugs/sonar-findbugs · GitHub
As far as I know there’s no feature for the findbugs plugin to silence issues with NOSONAR, since it analyses the compiled .class files (not the .java source files) I don’t see how the plugin could process these comments.
My best guess is that Sonarqube was silencing issues raised by plugins with NOSONAR, maybe this has changed at some point?
Hey @gtoison
After reading your comment, I dug into this a bit more.
//NOSONAR is peculiar in that it doesn’t have to be implemented by the plugin that is raising issues. It’s just supposed to work (there are some exceptions).
If a user can provide a project where they can reproduce the issue with an issue raised by sonar-findbugs, that would be great (for both of us, whoever’s problem it ends up being). Today, I can still suppress issues raised by sonar-findbugs using //NOSONAR on SonarQube v10.6 with the latest version of the Findbugs plugin installed.
Before:
After:
Thank you very much for confirmining @Colin, I have asked if the issue reporter could provide a project reproducing the problem
Hi @Colin
I just saw your message, the dev team that had this issue is using kotlin, here’s a few lines of code that include NOSONAR, and still raise an issue in Sonar 10.6 :
private fun addSecurityHeader(soapMessage: SoapMessage) {
val usernametoken = WSSecUsernameToken(soapMessage.document) //NOSONAR (false positive hard coded pwd)
usernametoken.setPasswordType(WSConstants.PASSWORD_TEXT)
usernametoken.setUserInfo(serviceAccountProperties.username, serviceAccountProperties.password)
usernametoken.securityHeader.insertSecurityHeader()
usernametoken.build()
}
Can you reproduce it on your side ?
Thanks
I’m not getting any issue raised at all with your code sample. What rule is getting triggered specifically? Is it possible for you to include a complete, compilable project to reproduce the issue?