SonarQube & SonarLint issues

We’ve noticed some issues are already resolved and no longer flagged as issues by the local SonarLint report but still show up on the SonarQube website. Can you please let us know what the issue was?

Hi,

This is a little light on details.

Have you checked in the changes and re-analyzed?

What versions of SonarQube and SonarLint are we talking about?

 
Ann

Yes, we have checked in the changes and reanalyzed. We are using Community Edition v9.9.6 (build 92038) and SonarLint version 10.1.0.

Please let me know if you need further details.

Hi,

What rules are we talking about? Also, what IDE are you using? (Sorry, I should have asked that initially.) If it’s IntelliJ, the current version of SonarLint for IntelliJ is 10.8.1.79205, so with 10.1.0 you would be behind by quite a bit and that could easily explain a divergence.

 
Ann

We are using STS version 4.20.1 and the rule we are talking about is java:S1166

Hi @ganncamp, can you please help us with the above issue?

Hi,

I see that STS is an Eclipse derivative. The current version of SonarLint for Eclipse is 10.6.0.82217.

Can you upgrade and see if this is still replicable?

 
Thx,
Ann

@ganncamp We upgraded to the latest one (10.6.0.82217); however, the issue still does not match the SonarQube website. It looks like SonarLint can detect the fix from the code change; however, SonarQube cannot detect it.

SonarLint shows the change is applied and the issue is eliminated, while SonarQube still flags the issue.

Hi,

Could we have screenshots of the issue / non-issue on both sides, redacted as necessary, please?

 
Thx,
Ann

@ganncamp please find the below comments and screenshots

Hi,

Thanks for the screenshots!

Are you running SonarLint in connected mode?

It’s possible that the rule got smarter between SonarQube 9.9 and now and that could explain the difference if you’re not in connected mode. In connected mode, you’ll run exactly the same implementation of the rule in both places.

 
Ann

Yes, we are running SonarLint in connected mode, but we still see the same issue.

Hi,

Could you share your analysis log?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Thx,
Ann

sonarlog.txt (125.5 KB)
Please find the log as per the request.

Hi,

I was looking for your SonarQube analysis log. This appears to be from SonarLint.

 
Ann

Will share the same shortly.

sonarqubescannerlog.txt (16.0 KB)

Please find the attached log as per the request.

Hi,

Thanks for the log. Here’s what I’m seeing:

  1. You’re using a slightly dated version of SonarScanner CLI. The current version is 6.2.1
  2. You’re using SonarScanner CLI to analyze a Maven project. You should be using the SonarScanner for Maven
  3. You’re not providing the libraries to analysis (SS4Maven would handle that for you), which results in a less precise analysis & could explain this problem
    WARN: Dependencies/libraries were not provided for analysis of SOURCE files. The 'sonar.java.libraries' property is empty. Verify your configuration, as you might end up with less precise results.
    WARN: Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
    
  4. You appear to be initiating analysis from a strange directory

    INFO: Base dir: /u01/origin/sonarslave/workspace/NewSonarQubePipeline/24.11_REDELIVER2/B1/application/src/utilities

  5. Which leads to some strange settings

    -Dsonar.java.binaries=../../build/classes/java/main

Of these, I think #3 is probably the culprit. And by switching to the SonarScanner for Maven (#2) you can address most of these in one fell swoop.

 
HTH,
Ann
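
The checks Ann walks through in the post above can be automated as a CI step that audits the scanner log before anyone trusts its results. This is an added example, not part of the original thread or SonarSource code: the function name, finding labels, sample log and the "base dir under src/" heuristic are assumptions, while the two WARN texts and the `-Dsonar.java.binaries` setting are the ones quoted in the post.

```python
import re
import sys

# Constructed sample log, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
INFO: Base dir: /home/ci/workspace/demo/application/src/utilities
INFO: Indexing files...
WARN: Dependencies/libraries were not provided for analysis of SOURCE files. The 'sonar.java.libraries' property is empty. Verify your configuration, as you might end up with less precise results.
WARN: Unresolved imports/types have been detected during analysis. Enable DEBUG mode to see them.
INFO: Analysis report uploaded
"""

# (finding label, pattern) pairs for the two warnings quoted in the post.
CHECKS = [
    ("libraries-empty",
     re.compile(r"^WARN: .*'sonar\.java\.libraries' property is empty")),
    ("unresolved-types",
     re.compile(r"^WARN: Unresolved imports/types have been detected")),
]
BASE_DIR = re.compile(r"^INFO: Base dir: (\S+)")
BINARIES = re.compile(r"-Dsonar\.java\.binaries=(\S+)")


def audit_scanner_log(log_text, command_line=""):
    """Return (label, line_number) findings; line 0 means the command line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((label, lineno))
        match = BASE_DIR.match(line)
        # Heuristic (assumption): a base dir at or below src/ means the
        # analysis was started inside the source tree, not the project root.
        if match and "/src/" in match.group(1) + "/":
            findings.append(("base-dir-inside-src", lineno))
    match = BINARIES.search(command_line)
    # A binaries path starting with ".." points outside the base dir.
    if match and match.group(1).startswith(".."):
        findings.append(("binaries-outside-base-dir", 0))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    results = audit_scanner_log(text, " ".join(sys.argv[2:]))
    for label, lineno in results:
        print(f"{label} (line {lineno})")
    sys.exit(1 if results else 0)
```

A non-zero exit lets the pipeline stop before an imprecise analysis is published to the server.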

We just need some info: can you please help us with how we can check which SonarScanner version we are using? Do you recommend that we upgrade to the latest?

Hi,

You can run sonar-scanner --version from the command line to get its version. Or, as I did, check what it emits to its logs.

Generally, yes. But in this case, as stated above, I recommend you switch to the SonarScanner for Maven.

 
Ann