What I expect per the documentation is that I should be able to set a property via a plugin that can be overridden at a project specific level or via command line. It seems like the property set at the plugin level is never used. In this plugin I’m setting properties for pmd, findbugs, etc without issue.
Per documentation:
How I’m setting the properties at the plugin level:
open class JavaAnalysisPlugin : Plugin<Project> {
companion object {
private val logger: Logger = Logging.getLogger(JavaAnalysisPlugin::class.java)
const val PLUGIN_NAME: String = "custom.java-analysis"
const val TASK_EXTRACT_STATIC_ANALYSIS_CONF_NAME = "extractStaticAnalysisConf"
}
private val pluginJarPath = calculatePluginJarPath()
override fun apply(project: Project) {
logger.info("Java Analysis Plugin")
val extractConfTask = createTasks(project)
configureJava(project)
configureSonar(project)
}
/**
* Apply the sonarqube plugin to report all results
*/
private fun configureSonar(project: Project) {
project.plugins.apply("org.sonarqube")
val sonarExt: SonarQubeExtension = project.extensions.getByName("sonarqube") as SonarQubeExtension
sonarExt.properties( Action <SonarQubeProperties>{
SonarQubeProperties(mapOf(
"sonar.dependencyCheck.reportPath" to "buildDir/reports/dependency-check/dependency-check-report.xml"
))
})
}
}
What I expect is that the property being added is used by projects that apply the plugin.
Right, so the purpose of the plugin is to set configuration that is used globally across many projects. Any of our projects can use the plugin to apply common tooling and configuration by just including the plugin. At the most basic level, we apply a plugin with project.plugins.apply(“pmd”) then add any additional config, like the common ignore files.
Each of the java project that apply this project are multi-build style projects and most are in the format of
example-project
example-project/example-project-web
example-project/example-project-api
with the owasp report that I’m after stored in example-project/example-project-web/build/reports/dependency-check/dependency-check-report.xml and example-project/example-project-api/build/reports/dependency-check/dependency-check-report.xml
As a work around, running globally with extra command line params may work: ./gradlew build test dependencyCheckAnalyze sonarqube -Dsonar.dependencyCheck.reportPath=build/reports/dependency-check/dependency-check-report.xml -Dsonar.dependencyCheck.htmlReportPath=build/reports/dependency-check/dependency-check-report.html
Although this may work it is not preferred.
Also interestingly when trying the above command line params, I’m able to see the html report in sonar in more-> dependency-check with vulnerabilities, but the vulnerabilities don’t show up in the projects vulnerability count.
edit: just noticed this in the logs when executing using command line params as above: ‘skipping dependency ‘example-project-web.jar’ as no inputFile could established.’ Thinking this is why htmlReportPath works and reportPath does not.
Seems like this may be different, I’m able to compile the plugin code and run the plugin during other projects gradle builds, but the property just seems to not be getting picked up. Current code looks like this (to reflect changes that were working on the command line):
private fun configureSonar(project: Project) {
project.plugins.apply("org.sonarqube")
val sonarExt: SonarQubeExtension = project.extensions.getByName("sonarqube") as SonarQubeExtension
sonarExt.properties( Action <SonarQubeProperties>{
SonarQubeProperties(mapOf(
//"sonar.dependencyCheck.reportPath" to "buildDir/reports/dependency-check/dependency-check-report.xml"
"sonar.dependencyCheck.reportPath" to "build/reports/dependency-check/dependency-check-report.xml",
"sonar.dependencyCheck.htmlReportPath" to "build/reports/dependency-check/dependency-check-report.html",
"sonar.sources" to "build/reports/dependency-check"
))
})
}
I think it is the same issue. The problem isn’t in running the plugin @cammyjoe, but the fact that sonar’s plugin defers to the allprojects block. I didn’t update my post with a working solution, because I’m not looking for a working solution (I have a working solution, it’s just messy), I wanted to ask if sonar could change the design of their plugin to avoid the workaround. Like you, I also had solutions that seemed to do nothing.
For reference, here is the working solution (in kotlin)
Note that I have to defer the property setup using the project.allprojects { block, because you are forced to wait until after sonar has configured the allprojects block before you can set the properties.
Do you know by chance if this is a regression of recent version of the plugin? Can you test versions older than 2.7 since some refactoring was made in 2.7, like:
sonarExt.properties( Action <SonarQubeProperties>{
SonarQubeProperties(mapOf(
//"sonar.dependencyCheck.reportPath" to "buildDir/reports/dependency-check/dependency-check-report.xml"
"sonar.dependencyCheck.reportPath" to "build/reports/dependency-check/dependency-check-report.xml",
"sonar.dependencyCheck.htmlReportPath" to "build/reports/dependency-check/dependency-check-report.html",
"sonar.sources" to "build/reports/dependency-check"
))
})
The Action <SonarQubeProperties> is passed in a SonarQubeProperties instance (implicit it), we should put desired properties to this instance. You’re trying to creating a whole new SonarQubeProperties, which might be the problem. Please try adding properties to the passed in instance:
sonarExt.properties( Action <SonarQubeProperties>{
properties(mapOf(
//"sonar.dependencyCheck.reportPath" to "buildDir/reports/dependency-check/dependency-check-report.xml"
"sonar.dependencyCheck.reportPath" to "build/reports/dependency-check/dependency-check-report.xml",
"sonar.dependencyCheck.htmlReportPath" to "build/reports/dependency-check/dependency-check-report.html",
"sonar.sources" to "build/reports/dependency-check"
))
})