At Porsche Informatik we have created a SonarQube plugin to check for license violations. We are using this plugin since 2016 in production. In the last 2 years many additional users got involved in the project. Now, we want to add it to the marketplace to make install/update for our users easier.
Plugin description: SonarQube Licensecheck ensures that projects use dependencies with compliant licenses. All dependencies and licenses can be viewed per projects and exported to CSV. This enables a simple governance of dependencies and licenses for the whole organization.
First, congratulations on your plugin. I should have started with that last time.
I've been able to start looking at this. The bureaucratic requirements mostly* look okay.
I've made some comments on your PR. In addition to what I noted in GH, the initial PR for Marketplace inclusion needs to include registering the plugin key in the sonar-update-center-properties file.
Beyond that, I see that your Quality Gate is failing on SonarCloud. If it was passing when you did the release, maybe you can point me to evidence of that?
*In my testing I see that you're raising issues at project level. The requirements state that you need to be able to tie your findings back to source code. What are the chances of raising these issues on the pom file (or gradle file, or…) instead of at project level? Ideally, of course, you'd raise them on the dependency listing in the pom, but I'm not going to hold out for that. Just attaching them to the file will satisfy me.
Also, I had a bit of trouble getting results out of the plugin. I analyzed 3 different projects & scratched my head over an empty License Check page before it occurred to me to see if there were rules. Your documentation says
Within the general settings the plugin can be manually enabled or disabled. By default it is enabled.
But I don't see that toggle in the General Settings and the plugin didn't "turn on" until I enabled its rules. Could you update your docs to make it clearer how to get results, please?
Minor points
Looking at the License Check page the Licenses table has a "Status" column. The only value I see in that column is "false" which seems like an odd status. I'm guessing this is about whether or not the license is allowed? (Maybe rename the heading?)
I have to ask about the "SonarQube License Check Plugin" configuration, particularly when your docs say "please do not use" it.
I went to your docs initially looking for a description of the licensecheck.projectlicense setting. (And didn't find it.) Your users will probably appreciate having a minimal explanation either in-app or in the docs for each field.
In the License Check configuration page, the licenses are presented in what Google helps me name as lexicographic order. I.e. all the init-upper case words and then all the init-lower case words. A case-insensitive sort would be nice.
I have addressed the issues in the PR - hope that is fine now.
Beyond that, I see that your Quality Gate is failing on SonarCloud. If it was passing when you did the release, maybe you can point me to evidence of that?
It fails because we "only" have 70.5% code coverage (the quality gate requires 80).
requirements state that you need to be able to tie your findings back to source code. What are the chances of raising these issues on the pom file (or gradle file, orā¦) instead of at project level?
I have tried but the SonarQube model for languages does not make it possible. The major issue here is that Java Maven dependencies are defined in XML files and NPM dependencies in JSON files. I have tried to register "xml" and "json" as a language but this conflicts with other plugins. I cannot just register "pom.xml" or "package.json". And finally, when the XML or JSON plugins are not installed, the files won't get included in the analysis.
Also, I had a bit of trouble getting results out of the plugin. I analyzed 3 different projects & scratched my head over an empty License Check page before it occurred to me to see if there were rules.
But I don't see that toggle in the General Settings and the plugin didn't "turn on" until I enabled its rules. Could you update your docs to make it clearer how to get results, please?
This is another issue with SonarQube - plugins won't get executed when no rules of that plugin are active in the current Quality Profile. That's why we mention that explicitly in the "Installation" section of our Readme.
The toggle in the General Settings is there - here is a screenshot:
Looking at the License Check page the Licenses table has a "Status" column. The only value I see in that column is "false" which seems like an odd status. I'm guessing this is about whether or not the license is allowed? (Maybe rename the heading?)
5.0 will address most of your issues (except the need to activate rules and project-level issues) and it will be released in the next weeks. Maybe we wait until then to put in the marketplace. Do you see any other blockers why 5.0 cannot be added?
I'll start with the TL;DR then follow up with the details.
Here's what I see as the must-address list:
Passing Quality Gate
Consolidation of global settings
In addition to what I noted in GH, the initial PR for Marketplace inclusion needs to include registering the plugin key in the sonar-update-center-properties file.
The make-it-a-slam-dunk list:
Raising issues on files. Please take a look at the resources I've provided. I suspect they'll take the task from "impossible" to "not so bad". I won't say right now that this is a deal-breaker (because I honestly haven't made up my mind yet) but it is a strong consideration.
All the other points are nice-to-haves.
Quality gate
Uhm… it's still failing.
Since you're talking about 5.0, I'll point out that the default Quality Gate looks at coverage on New Code. I guess 80% would be achievable on the changes you make for 5.0?
Raising issues on files
Actually this is possible. I didn't mention it at first because I wasn't sure whether you were already aware of it. Java analysis, which only declares .java, does have rules for pom files and other XML files. The commons project should help. (Example of its use)
Activating rules
I see that now. I read too quickly (3 times!) Maybe throw in a paragraph break? I confess that I skimmed Installation because I know how to install a plugin. I was expecting this kind of detail under Configuration…
I was willing to go with one under General Settings and a separate License Check entry directly under Configuration, but this is starting to get messy. I think I need to ask you to clean this up.
Field documentation
That field is actually what I was looking for docs to understand…
Note that it's possible to add an in-UI name & description, e.g.
And finally
What I failed to say earlier is that this is a solid offering and will be a nice addition to the ecosystem.
When you come back to this with 5.0 please update this thread rather than creating a new one (so I don't have to remember that there's context & re-find it).
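Added illustration for three of the points raised in this thread: giving a setting an in-UI name and description (the reviewer's note on field documentation), attaching a finding to pom.xml at a specific line rather than to the project (the "raising issues on files" request), and the observation that a sensor only runs when one of its rules is active in the Quality Profile. This is example code written for this page, not the Licensecheck plugin's own source and not SonarSource's. It assumes the standard SonarQube plugin API (org.sonar.api), and the repository key, rule key, "License Check" category and the flagged artifact are hypothetical; rule registration (a RulesDefinition) and the real dependency resolution are left out, and the line lookup is a plain string scan standing in for a proper XML parse. The thread notes pom.xml may not be indexed unless an XML plugin is present; the example assumes it is.

```java
import org.sonar.api.Plugin;
import org.sonar.api.batch.fs.FileSystem;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.batch.sensor.issue.NewIssueLocation;
import org.sonar.api.config.PropertyDefinition;
import org.sonar.api.rule.RuleKey;

public class LicenseCheckExamplePlugin implements Plugin {

  // Hypothetical keys chosen for this example; the real plugin's keys may differ.
  static final String REPO_KEY = "licensecheck";
  static final String RULE_KEY = "disallowed-license";
  static final String PROP_PROJECT_LICENSE = "licensecheck.projectlicense";

  @Override
  public void define(Context context) {
    // name() and description() are what the UI shows next to the field;
    // category() groups the setting under its own entry instead of General Settings.
    context.addExtension(
        PropertyDefinition.builder(PROP_PROJECT_LICENSE)
            .name("Project license")
            .description("SPDX identifier of the license this project is published under "
                + "(e.g. Apache-2.0); used to decide which dependency licenses are compatible.")
            .category("License Check")
            .build());
    context.addExtension(LicenseCheckSensor.class);
  }

  public static class LicenseCheckSensor implements Sensor {

    @Override
    public void describe(SensorDescriptor descriptor) {
      descriptor.name("License Check");
      // No onlyOnLanguage(...): dependency manifests are XML/JSON, not Java sources.
    }

    @Override
    public void execute(SensorContext context) {
      RuleKey ruleKey = RuleKey.of(REPO_KEY, RULE_KEY);
      // SonarQube only runs a plugin's rules when they are active in the Quality Profile;
      // checking explicitly makes that precondition visible instead of silently doing nothing.
      if (context.activeRules().find(ruleKey) == null) {
        return;
      }
      FileSystem fs = context.fileSystem();
      // Look the manifest up among the indexed files (assumption: pom.xml is indexed).
      InputFile pom = fs.inputFile(fs.predicates().hasRelativePath("pom.xml"));
      if (pom == null) {
        return;
      }
      // Constructed finding for illustration; a real sensor derives this from resolved dependencies.
      String artifact = "some-gpl-lib";
      int line = findLine(pom, "<artifactId>" + artifact + "</artifactId>");

      NewIssue issue = context.newIssue().forRule(ruleKey);
      NewIssueLocation location = issue.newLocation()
          .on(pom)  // file-level location: satisfies "tie the finding to source code"
          .message("Dependency " + artifact + " uses license GPL-3.0, which is not allowed");
      if (line > 0) {
        location.at(pom.selectLine(line));  // narrow it to the dependency declaration when found
      }
      issue.at(location).save();
    }

    // Returns the 1-based line containing needle, or 0 if it is absent or the file is unreadable.
    static int findLine(InputFile file, String needle) {
      try {
        String[] lines = file.contents().split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
          if (lines[i].contains(needle)) {
            return i + 1;
          }
        }
      } catch (java.io.IOException e) {
        // fall back to a file-level location
      }
      return 0;
    }
  }
}
```

The issue still lands on pom.xml even when the exact line cannot be located, which is the minimum the reviewer asked for; the line-level location is the "slam-dunk" version. The active-rules guard also gives a natural place to log why the License Check page stays empty when the Quality Profile has none of the plugin's rules enabled.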