Request to add Licensecheck Plugin to SonarQube marketplace

At Porsche Informatik we have created a SonarQube plugin to check for license violations. We have been using this plugin in production since 2016. In the last 2 years many additional users have got involved in the project. Now we want to add it to the marketplace to make install/update easier for our users.

Would be great to see this included!

Thx,
Christian


Hi,

You’re in line, but no promises on when I’ll be able to look at this.

Ann

Hi,

First, congratulations on your plugin. I should have started with that last time. :slight_smile:

I’ve been able to start looking at this. The bureaucratic requirements mostly* look okay.

I’ve made some comments on your PR. In addition to what I noted in GH, the initial PR for Marketplace inclusion needs to include registering the plugin key in the sonar-update-center-properties file.

Beyond that, I see that your Quality Gate is failing on SonarCloud. If it was passing when you did the release, maybe you can point me to evidence of that?

*In my testing I see that you’re raising issues at project level. The requirements state that you need to be able to tie your findings back to source code. What are the chances of raising these issues on the pom file (or gradle file, or…) instead of at project level? Ideally, of course, you’d raise them on the dependency listing in the pom, but I’m not going to hold out for that. Just attaching them to the file will satisfy me.

Also, I had a bit of trouble getting results out of the plugin. I analyzed 3 different projects & scratched my head over an empty License Check page before it occurred to me to see if there were rules. Your documentation says

  • Within the general settings the plugin can be manually enabled or disabled. By default it is enabled.

But I don’t see that toggle in the General Settings and the plugin didn’t ‘turn on’ until I enabled its rules. Could you update your docs to make it clearer how to get results, please?

Minor points

  • Looking at the License Check page the Licenses table has a ‘Status’ column. The only value I see in that column is “false” which seems like an odd status. I’m guessing this is about whether or not the license is allowed? (Maybe rename the heading?)
  • I have to ask about the ‘SonarQube License Check Plugin’ configuration, particularly when your docs say “please do not use” it.
  • I went to your docs initially looking for a description of the licensecheck.projectlicense setting. (And didn’t find it.) Your users will probably appreciate having a minimal explanation either in-app or in the docs for each field.
  • In the License Check configuration page, the licenses are presented in what Google helps me name as lexicographic order. I.e. all the init-upper case words and then all the init-lower case words. A case-insensitive sort would be nice.

Ann

Thanks for your review and feedback!

I have addressed the issues in the PR - hope that is fine now.

Beyond that, I see that your Quality Gate is failing on SonarCloud. If it was passing when you did the release, maybe you can point me to evidence of that?

It fails because we “only” have 70.5% code coverage (the quality gate requires 80).

requirements state that you need to be able to tie your findings back to source code. What are the chances of raising these issues on the pom file (or gradle file, or…) instead of at project level?

I have tried but the SonarQube model for languages does not make it possible. The major issue here is that Java Maven dependencies are defined in XML files and NPM dependencies in JSON files. I have tried to register “xml” and “json” as a language but this conflicts with other plugins. I cannot just register “pom.xml” or “package.json”. And finally, when the XML or JSON plugins are not installed, the files won’t get included in the analysis.

Also, I had a bit of trouble getting results out of the plugin. I analyzed 3 different projects & scratched my head over an empty License Check page before it occurred to me to see if there were rules.
But I don’t see that toggle in the General Settings and the plugin didn’t ‘turn on’ until I enabled its rules. Could you update your docs to make it clearer how to get results, please?

This is another issue with SonarQube - plugins won’t get executed when no rules of that plugin are active in the current Quality Profile. That’s why we mention that explicitly in the “Installation” section of our Readme.

The toggle in the General Settings is there - here is a screenshot:


  • Looking at the License Check page the Licenses table has a ‘Status’ column. The only value I see in that column is “false” which seems like an odd status. I’m guessing this is about whether or not the license is allowed? (Maybe rename the heading?)

Created an issue for that: Status in license report should be "Allowed" and "Disallowed" not true/false · Issue #262 · porscheinformatik/sonarqube-licensecheck · GitHub

  • I have to ask about the ‘SonarQube License Check Plugin’ configuration, particularly when your docs say “please do not use” it.

We have addressed that in 5.0 - you can then use SonarQube config as well.

I went to your docs initially looking for a description of the licensecheck.projectlicense

The setting is there but, as said, it is way easier to use our own settings dialogs.


5.0 will address most of your issues (except the need to activate rules and project-level issues) and it will be released in the next weeks. Maybe we wait until then to put it in the marketplace. Do you see any other blockers why 5.0 cannot be added?

Chris

Hi Chris,

I’ll start with the TL;DR then follow up with the details.

Here’s what I see as the must-address list:

  • Passing Quality Gate
  • Consolidation of global settings
  • In addition to what I noted in GH, the initial PR for Marketplace inclusion needs to include registering the plugin key in the sonar-update-center-properties file.

The make-it-a-slam-dunk list:

  • Raising issues on files. Please take a look at the resources I’ve provided. I suspect they’ll take the task from “impossible” to “not so bad”. I won’t say right now that this is a deal-breaker (because I honestly haven’t made up my mind yet) but it is a strong consideration.

All the other points are nice-to-haves.


Quality gate

Uhm… it’s still failing. :woman_shrugging:
Since you’re talking about 5.0, I’ll point out that the default Quality Gate looks at coverage on New Code. I guess 80% would be achievable on the changes you make for 5.0?

Raising issues on files

Actually this is possible. I didn’t mention it at first because I wasn’t sure whether you were already aware of it. Java analysis, which only declares .java, does have rules for pom files and other XML files. The commons project should help. (Example of its use)

Activating rules

I see that now. I read too quickly (3 times! :joy:) Maybe throw in a paragraph break? I confess that I skimmed Installation because I know how to install a plugin. I was expecting this kind of detail under Configuration…

Global settings

Whoa! You add 3 listings in Global Admin!

I was willing to go with one under General Settings and a separate License Check entry directly under Configuration, but this is starting to get messy. I think I need to ask you to clean this up.

Field documentation

That field is actually what I was looking for docs to understand…


Note that it’s possible to add an in-UI name & description, e.g.

And finally
What I failed to say earlier is that this is a solid offering and will be a nice addition to the ecosystem. :smiley:

When you come back to this with 5.0 please update this thread rather than creating a new one (so I don’t have to remember that there’s context & re-find it).

Ann
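As an added example (not code from the sonarqube-licensecheck plugin or from the commons project Ann links to) of what “raising issues on files” looks like in the SonarQube plugin API: a sensor that anchors each finding to the dependency line inside pom.xml instead of the project. The rule repository/key, the disallowed artifact list and the regex lookup are constructed placeholders standing in for real license resolution; it assumes SonarQube plugin API 7.9+ on Java 11 and that pom.xml is indexed by the scanner.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.rule.RuleKey;

public class PomLicenseSensor implements Sensor {
  // Hypothetical rule; a real plugin declares it through a RulesDefinition.
  private static final RuleKey RULE = RuleKey.of("licensecheck-example", "dependency-license");
  // Constructed sample of disallowed artifactIds, standing in for a license lookup.
  private static final Set<String> DISALLOWED = Set.of("gpl-only-lib");
  private static final Pattern ARTIFACT = Pattern.compile("<artifactId>\\s*([^<]+?)\\s*</artifactId>");

  @Override
  public void describe(SensorDescriptor descriptor) {
    // No onlyOnLanguages(): pom.xml has no language, and this must run without an XML analyzer.
    descriptor.name("License check on pom.xml");
  }

  @Override
  public void execute(SensorContext context) {
    // Only files the scanner indexed are visible here (pom.xml must be under sonar.sources).
    Iterable<InputFile> poms = context.fileSystem().inputFiles(context.fileSystem().predicates().matchesPathPattern("**/pom.xml"));
    for (InputFile pom : poms) {
      String[] lines;
      try {
        lines = pom.contents().split("\r?\n");
      } catch (IOException e) {
        continue;
      }
      for (int i = 0; i < lines.length; i++) {
        Matcher m = ARTIFACT.matcher(lines[i]);
        if (m.find() && DISALLOWED.contains(m.group(1))) {
          NewIssue issue = context.newIssue().forRule(RULE);
          // The location ties the finding to the dependency line, not to the project component.
          issue.at(issue.newLocation()
              .on(pom)
              .at(pom.selectLine(i + 1)) // InputFile lines are 1-based
              .message("Dependency " + m.group(1) + " has a disallowed license"))
              .save();
        }
      }
    }
  }
}
```

If the predicate matches no indexed file the sensor reports nothing, which is the situation Chris describes when the pom is not part of the analysis; that is the case to check first when a file-level finding does not appear.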