Sonar limitations

Hi,

Sonar generally scans for 1 language and rules, and the gate is set for that language. Having multiple language rules and gates is a limitation of Sonar. Please suggest a solution for this.

Thanks & Regards,
Gokila Balakrishnan.

Hi @GokilaBalakrishnan,

I saw your other thread on using SonarQube 7.7. That version should handle “multi” language support automatically. Does it not work like that?

In any case, 7.7 is very old and you should try the latest version 8.6. Download here.

Joe

Thanks for your feedback. Please confirm how to configure the quality gates in Jenkins while doing multi-language scanning.

Gokila

Hi Gokila,

Single or multi-language for a project is independent of a quality gate, i.e. quality gates are not dependent on the number of languages. You can configure the quality gate in Jenkins using the Web API (documentation link in the footer of any page in SonarQube, or click on the question mark icon next to the search field in the top right-hand corner and click on “Web API”):

POST api/qualitygates/select

This web API endpoint is not specific to Jenkins so you can create a Script task/step in your pipeline to execute a curl command hitting that endpoint (with the appropriate query parameters) to adjust the quality gate as needed.

EDIT: On 2nd thought, the SonarQube recommended way is to provision and configure projects ahead of time before running Sonar scanner analysis. See Project Existence for more info. The idea is to set up your projects including quality gate, quality profile, etc. without setting it from within the build. You should configure the project before running your first analysis. Please try this method before using the web API method I mentioned above.

Joe

Hi Joe,

Please confirm if the above response is for SonarQube open source or SonarQube Enterprise Edition.
Our requirement is that we are using open source version 7.7. We want to scan a single project having file extensions .xml, .sh and .json. Currently, it only scans .xml and it ignores other file extensions. Awaiting a clear response.

Thanks & Regards,
Gokila Balakrishnan.

Hi.

SonarQube does not support .sh for scanning. For .json files you can try to analyze them with the JavaScript Scanner. Go to Administration > Languages > select the language “JavaScript/TypeScript” and add .json to “JavaScript File Suffixes”.

Hi,

Please confirm if it is possible to scan a single project having extensions .xml, .sh and .json in SonarQube open source.

Thanks & Regards,
Gokila Balakrishnan.

Hi @GokilaBalakrishnan,

My previous response was referring to open source (Community Edition) SonarQube. You should use our latest version to make sure you have the latest support, rules, bug fixes, and vulnerability patches, which is SonarQube 8.7.

Please see our list of supported languages here: https://www.sonarqube.org/features/multi-languages/

.xml: Yes, we have 1st class support with an exclusive scanner for XML (see Plugin Version Matrix)
.sh: No, we don’t have 1st class support, but there is a 3rd party extension called “ShellCheck Analyzer” that is popular; there are other plugins that can do .sh analysis also
.json: No, we don’t have 1st class support and I don’t know of a popular plugin you can use. You will have to Google search for this if you want .json file specific analysis. You can try what @felipebz suggested, but that’s not the same as pure JSON analysis. You could try writing your own grammar, parser, and sensor to support JSON analysis also.

Regards,
Joe