Scanning platformio c++ embeded projects

Andreas_Mandel · November 30, 2020, 9:22am

Hello,

I try to scan our project with build-wrapper-linux-x86-64 around the platformio ci build. The result looks good and I get feedback to the findings.
Unfortunately the findings are not mapped back to original source file in GIT but to a copy of the sources in the temporary bin path created by platformio. Is there a trick to tell the SonarScanner to prefer original sources over the copies?

The build uses github actions and can be found here: https://github.com/Friends-of-OpenBikeSensor/OpenBikeSensorFirmware/blob/master/.github/workflows/ci.yml. The SonarCloud project is at https://sonarcloud.io/code?id=Friends-of-OpenBikeSensor_OpenBikeSensorFirmware - as you see there is source listed in “src” and “bin/src” directory. Only the “src” directory is a real source directory.

Is there a setting I miss, or a trick to “fix” this via sed in the created “build-wrapper-dump.json”.

Might be my setup is completely wrong?

Kind regards,
Andreas.

mpaladin · November 30, 2020, 8:31am

Hi @Andreas_Mandel,

this is a known issue with arduino cli which copies files during build (ie see report1 report2).

You are getting a copy of the source files in ./bin/src because of --build-dir. You could try the following:

if possible, replace bin/src with src in the sonarqube-out/build-wrapper-dump.json file and set sonar.sources to src

Andreas_Mandel · November 30, 2020, 4:15pm

Hi Massimo,
thanks for helping. Not sure why I did not find this myself - I thought it is related to platformio, so my search query might have been bad.
I’ll try with the links you gave me and report back.

Andreas_Mandel · November 30, 2020, 5:35pm

The following lines did the trick for our setup:

sed -i 's|OpenBikeSensorFirmware/bin|OpenBikeSensorFirmware|' \
    sonarqube-out/build-wrapper-dump.json
sed -i 's|.pio/build|bin/.pio/build|' \
    sonarqube-out/build-wrapper-dump.json

The bin directory is used as working directory, so I pull this up to the project directory with the 1st call to sed. And then correct the relative paths to .pio/build/... again by adding bin/ in front with the 2nd sed.

The full file is at https://github.com/Friends-of-OpenBikeSensor/OpenBikeSensorFirmware/blob/master/.github/workflows/ci.yml.

mpaladin · December 1, 2020, 8:39am

Hi @Andreas_Mandel,

great, thank you for the update, not sure I understood what the second sed is for.

Andreas_Mandel · December 1, 2020, 6:31pm

Most of the directories in build-wrapper-dump.json are absolute, but some point to supplement files that relative like the object files e.g. .pio/build/esp32dev/src/VoltageMeter.cpp.o. To make them valid again the 2nd sed adds the bin/ again that was removed by changing the working directory. I don’t know if the files are actually used.

mpaladin · December 2, 2020, 8:10am

Hi @Andreas_Mandel,

I believe they are not used, the second sed call may actually not change things, the important one is the first sed call, we are interested about source files only (.cpp, .c, .h, …), not object files.