Rules are not applied in sonarqube analysis

Hi all,

I found that some Java issues are detected by sonarlint but not SonarQube analysis. Here is an example:

S4488 is found by SonarLint in Eclipse because the controller is using a bad Spring annotation, but when I submit the project to SonarQube, the report says the annotation is OK. The project is being analysed by the default (Java) Sonar way and I checked that the rule is present and active. (As I'm a new user I can only upload one picture, so I grouped the screens into a single picture.)

Is someone else also hitting the same problem? I am not sure whether this is caused by rules being ignored in SonarQube or by the code not being detected properly due to a text/pattern problem.

Version used: SonarQube Developer version 7.9.1.27448, SonarJava 5.14 (build 18788) installed


I’m seeing a similar issue with Null annotations - where SonarLint detects problems but SonarQube does not.

I have similar problems when I create a custom rule for a profile or a new profile: the new profile is never used by the analysis even though I selected the profile to be used by the project. My version is 7.9.1 and I upgraded it from 5. The previous rules and profiles work perfectly, but not the new ones.

@jeffrey.dl.cheung,

Can you please provide logs from the analysis? Which scanner do you use to analyze the project? This could be a classpath issue, where the analysis for SonarQube doesn't have the dependencies configured properly and thus the annotation is not recognized.

@Shai_Ludwig, @anruvel I actually doubt that the root issue is going to be the same here; please post your issues as separate topics and provide logs for the analysis, so we can investigate.

@saberduck,

Thanks for your help. Enclosed please find the log from sonar-scanner (I masked some server information). Our sonar-scanner version is 3.3.0.1492.

We haven't placed any argument in "sonar.java.libraries". Do you mean this may introduce a classpath issue?

log_sonar.txt (5.4 KB)

Yes, definitely. See e.g. the following line in your analysis log:

WARN: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property.

Rule S4488 relies upon access to the Spring annotation classes. In SonarLint for Eclipse, the classpath is provided by the local project configuration from JDT, whereas the SonarQube scanner needs to be configured appropriately.

On a side note, I notice that this seems to be a Spring Boot project. Why not use the Maven or Gradle scanner plugins? These rely upon the underlying project model to automatically configure a bunch of stuff - like sonar.java.(binaries|libraries) - that needs to be manually configured in the standalone CLI scanner.
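The fix described above, as an added example that is not part of the thread: a small POSIX shell helper that builds the comma-separated sonar.java.libraries value for the standalone sonar-scanner CLI from a directory of dependency jars, writes a sonar-project.properties, and checks the scanner log for the "Bytecode of dependencies was not provided" warning quoted above. The lib directory, src/main/java and target/classes paths are assumptions about the project layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the project's dependency jars
# have been collected into one directory beforehand (e.g. by the CI pipeline).

# Join every *.jar under $1 into the comma-separated list sonar.java.libraries expects.
java_libraries_value() {
  libdir="$1"
  list=""
  for jar in "$libdir"/*.jar; do
    [ -f "$jar" ] || continue          # skip the literal glob when no jars exist
    if [ -z "$list" ]; then list="$jar"; else list="$list,$jar"; fi
  done
  printf '%s' "$list"
}

# Write a sonar-project.properties for the CLI scanner.
# $1 = project key, $2 = directory of dependency jars, $3 = output file.
# sonar.java.binaries must point at the compiled classes; without
# sonar.java.libraries, annotation-based rules such as S4488 cannot resolve
# the Spring types and silently report nothing.
write_sonar_properties() {
  key="$1"; libdir="$2"; out="$3"
  libs=$(java_libraries_value "$libdir")
  {
    printf 'sonar.projectKey=%s\n' "$key"
    printf 'sonar.sources=src/main/java\n'        # assumed layout
    printf 'sonar.java.binaries=target/classes\n' # assumed layout
    printf 'sonar.java.libraries=%s\n' "$libs"
  } > "$out"
}

# Return 0 (true) if the scanner log $1 contains the warning that means the
# classpath was missing, so the pipeline can fail instead of shipping a green report.
log_missing_bytecode_warning() {
  grep -q 'Bytecode of dependencies was not provided' "$1"
}

# Usage (after the jars are collected and the project is compiled):
#   write_sonar_properties my-project lib sonar-project.properties
#   sonar-scanner | tee scanner.log
#   log_missing_bytecode_warning scanner.log && echo "classpath missing" && exit 1
```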

Hi @JBL_SonarSource,

The annotation defect is detected after adding the jar to "sonar.java.libraries". Thanks for your help.
The reason for not using Maven or Gradle is our CI/CD flow design. We would like to centralize and unify the code quality check process no matter whether the project is Java, Node.js or .NET. So we will not use Maven or Gradle for Spring Boot projects.

My final question is: what if the project is in another language? Should we provide the libraries for SonarQube? Let's say Node.js and .NET projects?

Thank you very much for helping me.

Hello, glad that you fixed this issue, and thanks for posting back!

Each language analyzer has its own set of analysis configuration properties. I suggest that you have a look at the documentation overview for languages and open new threads if you encounter issues.