Intellij 2023.3.6 (Ultimate Edition)
SonarLint extension 10.4.1.77998
SonarLint extension 10.4.2.78113 (Updated on 3 April 2024)
I have installed the SonarLint plugin and seems like it is working fine since it is showing me issue that I have in current opened file. I used the sonar rule "Unused local variables should be removed" to test if it is working but once I activated the connected mode through SonarQube, it seems that this issue is no longer shown by Sonar.
This is just a simple example to give context.
My current situation is that there is an issue reported in SonarQube and it is also shown to me by Sonar before I activated the connected mode. But once I activated the connected mode. The issue is no longer shown by Sonar. My understanding is that this should not be the case and the issue found on SonarQube should still be shown.
Do let me know if there are any logs, or related information that is required to resolve this issue. Unfortunately, I would not be able to provide the project, or anything related to that since it is not a public project.
Hi @Devan_Pedrik, thank you for the details you provided. Could you please include the version of your SonarQube?
I think there can be multiple explanations:
- The rule might not be enabled on your SonarQube in the Quality Profile
- The issue could be resolved (marked as wonāt fix/false positive, for example)
- There is an actual problem; in this case, you can enable Analysis logs and Verbose output and check the logs to see if there are any errors. You can also search for the rule key (java:S1234, for example) in the logs and see if you notice anything.
Could you please check the previous statements? Thank you!
Hi @nicolas.quinquenel thank you for the response. The SonarQube version used is Version 9.9.2 (build 77730)
I have checked in my Quality Profile and the rule "Unused local variables should be removed" is disabled which is now clear to me as to why it is not shown by Sonar. But Sonar still does not show the actual issue reported by SonarQube.
I have no way of checking if the issue is marked as wonāt fix/false positive. But if the issue is marked as such, wouldnāt that mean that SonarQube would not report it as well.
I have enabled the Analysis logs and Verbose output. In the log I can see that the file containing the issue is being indexed and identified as JAVA which then proceed to execute JavaSensor but showing No workDir in SonarLint afterwards.
Afterwards it, proceeds to run all sort of sensors which at the end reports there are 0 issues.
Hi @Devan_Pedrik,
You donāt see this issue because:
- SonarLint only displays locally detected issues
- In connected mode, SonarLint relies on the rules configured on your projectās Quality Profile
- This rule is not enabled in the SonarQube QP
The fact that there is an issue for this rule in SonarQube seems to indicate that the rule was enabled at some point in a previous analysis, an issue was found for this rule, and the rule then got disabled in the QP. This is not a very common scenario, and it explains the discrepancy between SonarQube and SonarLint.
The question I would ask is: why was this rule disabled? Itās a well accepted rule, and itās a pretty common practice to remove such occurrences from the code.
I donāt think there is a bug here, and I would recommend to fix the issue even if itās not detected by SonarLint
Hi @Damien_Urruty, I am back with more informations and questions for the teams.
First, to clarify. The rule is enabled on SonarQube QP, otherwise SonarQube shouldnāt report the issue when I committed new changes right?
I am now using, latest version of SonarLint plugin, 9.9.4 LTS for SonarQube, and latest version of IntelliJ.
Do let me know if there are more information required. Thanks!
Hi, I am back again to update my findings regarding this issue.
SonarQube 9.9.4 LTS and latest version of IntelliJ SonarLint plugin.
I have tried:
Using local SonarQube Community Edition instance with both plugins (custom java rules plugin and jDepends) and through connected mode IntelliJ is able to show issues found. Whereby rules from the custom plugin are applied.
Using Enterprise Edition SonarQube instance with both plugins installed, IntelliJ stopped showing issues found. Then, I have tried as well using the same Enterprise Edition SonarQube without the custom plugin and now IntelliJ is showing the issue again. Which seems like our custom plugin is causing the issue. But to argue with this, why does community edition are able to apply our custom plugin?
The main difference that I am aware of between these editions are the repositories provided. In our Enterprise Edition SonarQube, we use some of the rules from Security SonarAnalyzer Java repository where this repository is not available in the community edition.
In the logs the main difference that can be seen between these two editions is bolded with italic. Where this is only seen in the community edition and not in the enterprise edition of SonarQube.
Language of file ā<file:///JAVA FILE PATH>ā is detected to be āJAVAā
Language of file ā<file:///JAVA FILE PATH>ā is detected to be āJAVAā
Language of file ā<file:///XML FILE PATH>ā is detected to be āXMLā
206 files indexed
Execute Sensor: JavaSensor
No workDir in SonarLint
> Initializing metadata of file <file:///JAVA FILE PATH>
> Evaluate issue exclusions for ā<file:///JAVA FILE PATH>ā
> ā¦
> Initializing metadata of file <file:///JAVA FILE PATH>
> Evaluate issue exclusions for ā<file:///JAVA FILE PATH>ā
āPython Sensorā skipped because there is no related files in the current project
Hi, I found an old thread that is quite similar to what I am facing Canāt analysis for Java code with the sonarlint plugin (intellij) linked to sonarqube - Clean Code / Report False-positive / False-negativeā¦ - Sonar Community (sonarsource.com) but with the addition where the Quality Profile Iām using includes, SonarQube Java, Security SonarAnalyzer Java, a custom Java plugin, jDepends.
Jean-Baptiste Lievremont mentioned
It looks to me that those issues are reported by the Findbugs plugin for SonarQube, which wonāt be executed by SonarLint even in connected mode - SonarLint only executes analyzers from SonarSource and custom rule plugins based on those.
How do I create custom rule plugins based on āthoseā, is there a documentation for this? Does those here referes to existing rules from SonarSource?
Hi Devan,
Could you confirm the rule you discuss here is java:S1481? I just want to make sure the rule you have problems with corresponds to one of our rules
Hi @Damien_Urruty,
I did use that rule as an example. But actually, all Java issues are not shown by SonarLint in IntelliJ when Iām in connected mode to an Enterprise SonarQube instances with my custom java plugin installed. But issues are shown when Iām in connected mode to a Community SonarQube instances with my custom java plugin installed. Like what is discussed in Canāt analysis for Java code with the sonarlint plugin (intellij) linked to sonarqube - Clean Code / Report False-positive / False-negativeā¦ - Sonar Community (sonarsource.com) which I included as well in previous reply. The rules used in my quality profile are from SonarQube Java, Security SonarAnalyzer Java, a custom Java plugin, jDepends plugin. Where in the link included, the user was using only using rules from the findbugs plugin.
The rule that is shown on SonarQube was Java static code analysis (sonarsource.com) but it is not shown by SonarLint in IntelliJ when in connected mode on Enterprise SonarQube Instance. But this issue is shown when in connected mode on Community SonarQube Instance. Both instance with the custom Java and jDepends plugins installed.
I hope this make it clear enough.
Hi,
I am updating my progress in this. We have the dependency org.sonarsource.java | java-frontend in our pom.xml and seems like IntelliJ is now able to show issues found on SonarQube after removing this dependency from our pom.xml
1 Like
That is interesting, are you writing a custom SonarQube plugin? Would you be able to send us a minimal reproducer project that demonstrates the problem?