PL/SQL files are not scanned

Hi,

We are using SonarQube version 8.6 and have the PL/SQL plugin installed to scan SQL files. When we scan the project, which includes DB files with the file extension .sql, none of those are scanned by SonarQube. Below are the steps I have tried/verified so far:
- I have verified the PL/SQL settings; they do contain sql as a file extension.
- I have specified sonar language as “plsql” while triggering the scan.
- Tried using options sonar.plsql.file.suffixes & sonar.lang.patterns.plsql while triggering the scan.

Please let me know where I am going wrong or if I missed any other settings.

Thanks,
Bindu Madhavi

Hello Bindu
welcome to the SonarSource community!
Can you clarify what you meant with your “I have PL/SQL plugin installed”?
Are you using the Community Edition with a third party plugin, or on a DE/EE or DCE SonarQube with PL/SQL SonarSource embedded language analyzer?

Best regards
Sylvain

Hi Sylvain,

I am using SonarQube 8.6 Enterprise Edition with the PL/SQL SonarSource embedded language analyzer.

Thanks,
Bindu Madhavi

Hi @bindumadhavi.kura
thanks for your quick reply.
Here are a few hints about your issue at hand:

  • setting the language for analysis is not necessary (sonar.language was dropped some time ago and is ignored)
  • the main settings for your code analysis are:
    • the analysis scope, as explained on the Narrowing the Focus documentation page. You should make sure that the .sql files are targeted by analysis.
    • the language patterns that are set at global or project level from SonarQube UI. Make sure that you have the sql pattern set for PL/SQL language for your project, as follows:
  • If you have configured these parameters from the UI (the easiest way), you should remove all your analysis scope and language parameters from the scanner command line and sonar-project.properties files.

If you are not able to sort this out with the above inputs, please share your analysis logs (with verbose mode enabled), or at least the lines where the scanner handles the sql files. When all is ok, they are as follows:

.
11:30:51.289 DEBUG: 'src/sql/ddl.sql' indexed with language 'plsql'
11:30:51.289 DEBUG: 'src/sql/ut_report.pkb' indexed with language 'plsql'
.
.
.
11:30:55.426 INFO: Sensor PL/SQL Sensor [plsql]
11:30:55.463 WARN: The Data Dictionary is not configured for PLSQL analyzer which prevents rule(s) S3641, S3921, S3618, S3651 to raise issues. See https://edited/documentation/analysis/languages/plsql/
11:30:55.472 INFO: 2 source files to be analyzed
11:30:55.474 DEBUG: 'src/sql/ddl.sql' generated metadata with charset 'UTF-8'
11:30:55.498 DEBUG: Not enough content in 'src/sql/ddl.sql' to have CPD blocks, it will not be part of the duplication detection
11:30:55.507 DEBUG: 'src/sql/ut_report.pkb' generated metadata with charset 'UTF-8'
11:30:55.599 INFO: 2/2 source files have been analyzed
11:30:55.599 INFO: Sensor PL/SQL Sensor [plsql] (done) | time=173ms

Your scanner context (Project Settings → Background Tasks then Show Scanner Context on the right analysis line) may also help.
Let me know.

Best regards
Sylvain
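
Added example, not part of the original thread: a small Python check that reads verbose scanner output in the format quoted above and reports which expected SQL files were not indexed as 'plsql' and whether the PL/SQL sensor finished its file count. The log sample, the path db/migrations/V1__init.sql and the function name check_plsql_coverage are constructed for illustration.

```python
import re

# Line formats taken from the scanner debug output quoted in the post above.
INDEXED = re.compile(r"DEBUG: '([^']+)' indexed with language '([^']+)'")
SENSOR_START = re.compile(r"INFO: Sensor PL/SQL Sensor \[plsql\]$")
SENSOR_DONE = re.compile(r"INFO: Sensor PL/SQL Sensor \[plsql\] \(done\)")
ANALYZED = re.compile(r"INFO: (\d+)/(\d+) source files have been analyzed")

# Constructed sample log (same shape as the quoted lines).
SAMPLE_LOG = """\
11:30:51.289 DEBUG: 'src/sql/ddl.sql' indexed with language 'plsql'
11:30:51.289 DEBUG: 'src/sql/ut_report.pkb' indexed with language 'plsql'
11:30:55.426 INFO: Sensor PL/SQL Sensor [plsql]
11:30:55.472 INFO: 2 source files to be analyzed
11:30:55.599 INFO: 2/2 source files have been analyzed
11:30:55.599 INFO: Sensor PL/SQL Sensor [plsql] (done) | time=173ms
"""
# Constructed list of files the team expects to be analysed.
EXPECTED = ["src/sql/ddl.sql", "src/sql/ut_report.pkb", "db/migrations/V1__init.sql"]

def check_plsql_coverage(log_text, expected_files):
    """Compare expected SQL files with what the scanner indexed as plsql."""
    indexed, in_sensor, sensor_ran, analyzed = {}, False, False, None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = INDEXED.search(line)
        if m:
            indexed[m.group(1)] = m.group(2)
        elif SENSOR_DONE.search(line):
            in_sensor = False
        elif SENSOR_START.search(line):
            in_sensor = sensor_ran = True
        elif in_sensor:
            # Only trust the "N/M" counter while inside the PL/SQL sensor block.
            m = ANALYZED.search(line)
            if m:
                analyzed = (int(m.group(1)), int(m.group(2)))
    plsql = {path for path, lang in indexed.items() if lang == "plsql"}
    missing = sorted(set(expected_files) - plsql)
    complete = analyzed is not None and analyzed[0] == analyzed[1]
    return {"sensor_ran": sensor_ran, "analyzed": analyzed,
            "plsql_files": sorted(plsql), "missing": missing,
            "ok": sensor_ran and complete and not missing}

if __name__ == "__main__":
    report = check_plsql_coverage(SAMPLE_LOG, EXPECTED)
    print(report)
    raise SystemExit(0 if report["ok"] else 1)
```

Run as a build step, a non-zero exit makes a scan that silently skipped SQL files fail the build instead of reporting a clean project.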

Hi Sylvain,

Thanks for the steps provided, but the issue still remains the same.
The directory structure of our project:
[image]

Below is the log I found where it is saying no sql files found

Note: We are running TC Metarunner for running sonarqube using the below command
-Dsonar.host.url=sonar_url-X -Dsonar.inclusions=%sonar.inclusions% -Dsonar.exclusions=%sonar.excluededFiles% -Dsonar.skippedModules=%sonar.skippedModules% %target-branch% %scan-branch% -Dsonar.coverage.exclusions=%sonar.coverage.excludedFiles% -Dsonar.coverage.jacoco.xmlReportPaths=%teamcity.build.checkoutDir%/jacocoReport.xml -P!hibernate-instrumentation -Pci"

Please let me know what I am missing in order to scan the files and whether the formed sonar command is correct.

Thanks,
Bindu Madhavi

Hello
thanks for these inputs.
To me it really looks like something is wrong with this analysis scope, but I can’t tell what without the explicit values from all your build variables.
You will be able to see them in the scanner context I mentioned in my previous comment (please share it if you can). Note that it is usually not advisable to use both sonar.exclusions and sonar.inclusions for the same project analysis; it makes things very complex to follow.
And a side question: did the TeamCity metarunner run the Maven scanner, or the scanner command?

Best regards
Sylvain

Hi Sylvain,

Thanks for the input. We have made “sonar.sources” changes in the pom.xml file and now we are able to scan the .SQL files, but we are seeing 0 as values for Bugs/Vulnerabilities/Code Smells etc. Can you please let us know whether to pass database details while scanning and, if so, what DB-related details should be passed to the sonar command?

Note: We are using an IBM DB2 database; it would be really helpful if you could provide some suitable parameters for the sonar command.

Thanks,
Bindu Madhavi.

Hi Bindu
That is good news!
Now about the bug/vulnerabilities and code smells. You may need to

  • check the rules that apply to this project for PL/SQL, i.e. your quality profile.
  • see if you can activate the four dictionary-related rules. These dictionary rules require the SonarQube scanner to connect to a DB instance set with the project’s schema. And I’m not sure if a JDBC connection to a DB2 instance can work; try it if you can and let me know.

Best regards
Sylvain