Template for a good new topic, formatted with Markdown:
ALM used: GitHub
CI system used: Github Actions
Languages of the repository: Go
Error observed:
We have Github action to run golangci-linter for code like this: golangci-lint run --new-from-rev=${{ github.event.pull_request.base.sha }} --whole-files --out-format checkstyle > report.out
This report then is passed to Sonarcloud in properties file:
#Path with golangci-lint discovered issues
sonar.go.golangci-lint.reportPaths=cloudwaste.report.out
In golangci-linter configuration file we have separated some linters to produce severity=āerrorā, and some severity=āinfoā only:
<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="5.0">
<file name="path/to/folder/aws.go">
<error column="2" line="78" message="`awsSecurityGroupSubtype` is unused" severity="info" source="deadcode">
</error>
>
</file>
<file name="path/to/interaction_resultprocessor.go">
<error column="3" line="61" message="Error return value is not checked" severity="error" source="errcheck">
</error>
<error column="0" line="8" message="File is not `gci`-ed with -local github.com/organisation/project" severity="info" source="gci">
</error>
</file>
</checkstyle>
However nor errors with severity=āerrorā neither with severity=āinfoā are not shown Sonarcloud on PR analysis
Only one Smell as Minor issue is discovered on this error: <error column="0" line="2" message="line is 248 characters" severity="info" source="lll">
Can you please explain how to properly setup Sonarcloud and golangci-linter so they can work together and produce proper report which can be helpful for developers?
To give you more details, in the case of GolangCILint (and all Checkstyle format), issues with severity=error will have type bug, and code smell otherwise, and issues with severity=info will have severity minor and major otherwise.
Is not works as expected:
In my report I have 30 severity=āinfoā and only one shown on sonarcloud (mentioned in my post before) and one severity=āerrorā not present on report at allā¦
Hi @vbortkevic
Iām not very familiar with golangci-lint but I understand the --whole-files parameter as causing the tool to report issues that are outside the scope of the PR (new and changed lines). From there (many) issues in the report will not get imported by SonarCloud as it focuses precisely on the PR scope.
Can you make sure you are not in this case and let me know?
And indeed, the golangci linter report parser applies a mapping logic to the found issues. As the reports lack information for a perfect fit in SonarCloud, the mapping cannot be perfect.
Many linters natively support the SonarSource Generic Issue format, maybe you can promote it with the golangci linter team.
Thank you Sylvain for response. The flag --whole-files is to scan whole file where the changes were made by developer (not only lines of code he writes recently) therefore this is not the case.
It is however unclear to me how should I declare linters so they will be displayed on Sonarcloud report as bugs?
Currently on the PR my linter discovers and passes to sonarcloud 3 errors (severity=āerrorā) and 33 info (severity=āinfoā). But on sonarcloud dashboard I can see only 3 infoās and none error:
That was my point. Many issues in your report may not be imported by SonarCloud because they are not part of the PR (since you used the --whole-files parameter).
if you analyze a PR, SonarCloud will not import any issue outside of the PR scope, highlighted in yellow in SonarCloud UI:
But previously when we had not separated severity into ERROR and INFO and all golangci linters reported with severity=āerrorā it worked just fine: same flag --whole-files didnāt cause any issues.
Each issue was market as a bug.
But then we changed behavior to do not misleading developers and introduced two levels: Error and Info.
Now it behaves randomly: on Sonarcloud I can see only few infoās as Code smell and no bugs at allā¦
Hi @vbortkevic
can you share a screenshot showing some New Code with no issue imported, and the snippet from the golangci-linter listing at least one issue in this code area?
Hi @Sylvain_Combe,
Iām not sure what you mean by this:
screenshot showing some New Code with no issue imported, and the snippet from the golangci-linter listing at least one issue in this code area
Are weāre looking for New Code in the file, which produce no issues. But after linting with golangci-linter there are some issues?
If so, then it sounds like a nonsense, because clean code will not produce issues on linting.
What Iām looking for is: since file is modified (even new code is clean) and --whole-files present, then show all discovered issues imported from golangci-linter grouped by severityā¦
Hi @vbortkevic
as I mentioned above, no issue will ever get imported outside of the New Code area (highlighted in yellow) for a PR analysis . Even if the external report has dozens of issues, if those issues are not attached to this new code area, they will not be imported by SonarQube.
When you analyze a PR, it does not make sense to import issues outside of the changed code area, does it?
If you need a report on all areas of your code, you must run a branch analysis.
However my question is still open: Can we somehow have option to use this --whole-files flag and import golangci-linter issues to be shown on PR even those isses are not related to new code?
However my question is still open: Can we somehow have option to use this --whole-files flag and import golangci-linter issues to be shown on PR even those isses are not related to new code?
No it is not possible. And we believe it would be wrong to allow this as it might break the whole Clean As You Code idea.
In your particular case, I believe the underlying idea is to slightly enlarge the New Code period to include all touched files, forcing developers to address some or all the legacy debt in those files.
Can you confirm?
If thatās the case, I would advise against it. You can expect developers to understand how it works (and how to sidestep it) very rapidly, and application design would suffer.
Hi @Sylvain_Combe ,
our intention was to use āboyscout ruleā: ā Always leave the code better than you found it forcing developers to make code better and cleaner over the timeā¦
Hi @Sylvain_Combe,
Happy New Year!
It looks like Sonarcloud imports issues in some strange order.
Below is example, where I have two info issues:
::info file=path/to/file/recommendation.go,line=253::File is not `gofumpt`-ed (gofumpt)
::info file=path/to/file/recommendation.go,line=264,col=3::return statements should not be cuddled if block has more than two lines (wsl)
and then first issue was imported as code smell, where second one (wsl) was imported as bug.
Can you please explain why it happens so?
Thank you!
Hi @vbortkevic
and happy new year as well.
That is quite strange (and not in line with the import implementation), would you be able to share a reproducer?
Have been treated as Code smell.
I have attached two pictures showing the same PR where the same issues like mnd:Magic number, return statements should not be cuddled if block has more than two lines, only one cuddle assignment allowed before if statement are shown on sonarcloud report as Bug, others as Code Smell.
Is this expected behavior?
Hi @vbortkevic
I think I caught something.
After the project main branch has been analyzed with some issues categorized as bugs, they stay categorized as such whatever the changes applied to branch (or PR?) analysis, and even after the branch has been ācleanedā with a new analysis.
I need to discuss this internally and will come back to you.
Hi @vbortkevic
the language team has looked into this. The mapping logic applied to golancici-lint reports sets an issue type only once per source (the linter name with those reports) and will then stick to it with subsequent analysis (and across branches in some cases). This report source is the identifier mapped to the SonarQube rule key.
This leads to all issues from the same āsourceā, i.e. linter to be assigned the same issue type, with cross branch and PR mechanisms making changes difficult to predict (and follow).
So if you really need to distinguish different issues from the same linters into code smells and bugs, at this stage a work around could be to append the intended severity to the linter name in the reports.
We may help with an improvement at some point, but we donāt have any ETA. Iāll update you when I have news.
The information we have in this report is indeed limited, but we should be able to do something to improve this inconsistency. Ticket created: SONARSLANG-548.