SonarQube and SpotBugs plugin with Gradle

My organization uses a Gradle build framework with Groovy, and we are trying to use SonarQube for SAST tooling with Groovy. Additionally, we are using a SpotBugs Gradle plugin for security bugs: Gradle - Plugin: com.github.spotbugs.
I have the reports being generated with the SpotBugs plugin. Note that my project in Gradle is multi-module, but the reports are not being published to SonarQube.
I found this resource, but it only talks about Maven, and I am wondering if there is a way to do this with Gradle other than a custom task to publish: Use SpotBugs Plugin on SonarQube — spotbugs 4.2.2 documentation

Hi,

Welcome to the community!

Are you passing in the report using the sonar.java.spotbugs.reportPaths property?

Ann

Hi Anna,

I am using the property now, but I get an additional error at this point, which states that it's not finding reports at /target/surefire-reports. Is there any additional property that I need to specify in order for the SpotBugs reports to be published via ./gradlew sonarqube?
I also get an error with the SpotBugs path:
Failed to import external issues report: **/build/reports/spotbugs/main.html
java.io.IOException: Unexpected document root ‘html’ instead of ‘BugCollection’.

Hi,

I assume that the surefire-reports complaint is just a warning & not blocking your analysis? For SpotBugs, it depends on how you want to handle it. You can add the FindBugs/SpotBugs plugin to your SonarQube instance and activate its rules in your profile. Then you’ll get SpotBugs results as an automatic part of your analysis.

Or you can run SpotBugs before analysis and import the result with the parameter I mentioned above.

Ann

hi Ann,

I tried to go the route of running the SpotBugs report before analysis and importing the result with the parameter. However, I have a multi-module Gradle project. I see that the SpotBugs reports are generated in my project under build/reports/spotbugs/main.html (since I have HTML reports enabled).
However, my SonarQube instance isn't picking it up and isn't displaying any results. I also tried configuring the path under "External Analyzers" in my settings, but that doesn't seem to work either.

Thanks,
Shreya

hi Ann,

Some progress here, I would say.
I got a new stack trace; it may be the way I am sending the configuration due to this being a multi-module project, but can you verify that for me? I don't see a lot of documentation on this, so I figured it's best to ask here.

Failed to import external issues report: /Workflow/BaseExporter/build/reports/spotbugs/main.html
java.io.IOException: Unexpected document root 'html' instead of 'BugCollection'.
        at org.sonar.java.externalreport.SpotBugsXmlReportReader.read(SpotBugsXmlReportReader.java:82)
        at org.sonar.java.externalreport.SpotBugsXmlReportReader.read(SpotBugsXmlReportReader.java:71)
        at org.sonar.java.externalreport.SpotBugsSensor.importReport(SpotBugsSensor.java:91)
        at org.sonar.java.externalreport.ExternalIssueUtils.importIfExist(ExternalIssueUtils.java:45)
        at org.sonar.java.externalreport.SpotBugsSensor.lambda$execute$1(SpotBugsSensor.java:81)
        at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
        at org.sonar.java.externalreport.SpotBugsSensor.execute(SpotBugsSensor.java:81)
        at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:48)
        at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:85)
        at org.sonar.scanner.sensor.ModuleSensorsExecutor.lambda$execute$1(ModuleSensorsExecutor.java:59)
        at org.sonar.scanner.sensor.ModuleSensorsExecutor.withModuleStrategy(ModuleSensorsExecutor.java:77)
        at org.sonar.scanner.sensor.ModuleSensorsExecutor.execute(ModuleSensorsExecutor.java:59)
        at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:82)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
        at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:393)
        at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:389)
        at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:386)
        at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:386)
        at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:358)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
        at org.sonar.scanner.bootstrap.GlobalContainer.doAfterStart(GlobalContainer.java:144)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:137)
        at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:123)
        at org.sonar.batch.bootstrapper.Batch.doExecute(Batch.java:72)
        at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:66)
        at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
        at com.sun.proxy.$Proxy305.execute(Unknown Source)
        at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:189)
        at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:138)
        at org.sonarqube.gradle.SonarQubeTask.run(SonarQubeTask.java:101)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:104)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:49)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:42)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:28)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:727)
        at org.gradle.api.internal.AbstractTask$TaskActionWrapper.execute(AbstractTask.java:694)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$3.run(ExecuteActionsTaskExecuter.java:568)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:402)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:394)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:92)
        at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeAction(ExecuteActionsTaskExecuter.java:553)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeActions(ExecuteActionsTaskExecuter.java:536)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.access$300(ExecuteActionsTaskExecuter.java:109)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution.executeWithPreviousOutputFiles(ExecuteActionsTaskExecuter.java:276)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$TaskExecution.execute(ExecuteActionsTaskExecuter.java:265)
        at org.gradle.internal.execution.steps.ExecuteStep.lambda$execute$1(ExecuteStep.java:33)
        at java.base/java.util.Optional.orElseGet(Optional.java:362)
        at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:33)
        at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:26)
        at org.gradle.internal.execution.steps.CleanupOutputsStep.execute(CleanupOutputsStep.java:67)
        at org.gradle.internal.execution.steps.CleanupOutputsStep.execute(CleanupOutputsStep.java:36)
        at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:49)
        at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:34)
        at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:43)
        at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:73)
        at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:54)
        at org.gradle.internal.execution.steps.CatchExceptionStep.execute(CatchExceptionStep.java:34)
        at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:44)
        at org.gradle.internal.execution.steps.SnapshotOutputsStep.execute(SnapshotOutputsStep.java:54)
        at org.gradle.internal.execution.steps.SnapshotOutputsStep.execute(SnapshotOutputsStep.java:38)
        at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:49)
        at org.gradle.internal.execution.steps.CacheStep.executeWithoutCache(CacheStep.java:159)
        at org.gradle.internal.execution.steps.CacheStep.execute(CacheStep.java:72)
        at org.gradle.internal.execution.steps.CacheStep.execute(CacheStep.java:43)
        at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:44)
        at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:33)
        at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:38)
        at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:24)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:92)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$0(SkipUpToDateStep.java:85)
        at java.base/java.util.Optional.map(Optional.java:258)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:39)
        at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:76)
        at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:37)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:36)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:26)
        at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:94)
        at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:49)
        at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:79)
        at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:53)
        at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:74)
        at org.gradle.internal.execution.steps.SkipEmptyWorkStep.lambda$execute$2(SkipEmptyWorkStep.java:78)
        at java.base/java.util.Optional.orElseGet(Optional.java:362)
        at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:78)
        at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:34)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:39)
        at org.gradle.internal.execution.steps.LoadExecutionStateStep.execute(LoadExecutionStateStep.java:40)
        at org.gradle.internal.execution.steps.LoadExecutionStateStep.execute(LoadExecutionStateStep.java:28)
        at org.gradle.internal.execution.impl.DefaultWorkExecutor.execute(DefaultWorkExecutor.java:33)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:192)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:184)
        at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:114)
        at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
        at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:62)
        at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
        at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:56)
        at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:416)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:406)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
        at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:102)
        at org.gradle.internal.operations.DelegatingBuildOperationExecutor.call(DelegatingBuildOperationExecutor.java:36)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
        at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:41)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:372)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:359)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:352)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:338)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.lambda$run$0(DefaultPlanExecutor.java:127)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:191)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.executeNextNode(DefaultPlanExecutor.java:182)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:124)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
        at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
        at java.base/java.lang.Thread.run(Thread.java:832)

The reports definitely exist; I have the configuration snapshot attached to this.

Also attaching what's configured on my SonarQube instance to help with this...

I understand that the reportPaths property is a list of file paths, so does the configuration need to change in my build.gradle file for SonarQube to understand it?
FYI, the workflow looks as follows:
I run the command ./gradlew check (this generates the SpotBugs reports for me for all modules).
Then I run the following command:
./gradlew sonarqube -Dsonar.verbose=true -Dsonar.java.spotbugs.reportPaths=build/reports/spotbugs/main.html

Hi,

I believe the error indicates that the report is being found (for future reference, it would have been helpful to have a line or two before the error). I believe this is about the paths in your report not matching the paths to your files as SonarQube understands them. Can you double-check the report contents & see if that seems plausible in this context?

Ann

Hi Ann, it seems like the SonarQube instance takes in an XML file path only? HTML files don't have the BugCollection tag, whereas the XML files do.
When I generate XML reports, I am able to run the following command with no issues: ./gradlew sonarqube -Dsonar.verbose=true -Dsonar.java.spotbugs.reportPaths="build/reports/spotbugs/main.xml" However, I don't see any reports in my SonarQube instance. Where would the reports appear? Can you help me with the Quality Profiles configuration? Currently I have "Sonar way" (built-in) enabled for Groovy and "FindBugs" (built-in) enabled for Java, as below:

Is that the right configuration? Am I missing something? I just want to be able to view the reports on the SonarQube instance.
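The import route discussed in this thread (SpotBugs run by Gradle, XML report picked up by the scanner through sonar.java.spotbugs.reportPaths) can be wired into a multi-module build without passing the path on the command line. The build file below is an added example, not the poster's build or either plugin's documentation. It assumes a root build.gradle with Groovy subprojects, assumed plugin versions (pin whatever your organization has vetted), and a hypothetical helper task `verifySpotBugsReports` that checks each report's document root before the scanner runs, so the "Unexpected document root 'html' instead of 'BugCollection'" failure is caught in the build rather than during analysis.

```groovy
// build.gradle (root) -- added illustration, not the original poster's build file.
// Plugin versions below are assumptions; pin the versions your organization has approved.
plugins {
    id 'groovy'
    id 'com.github.spotbugs' version '4.7.0' apply false
    id 'org.sonarqube' version '3.1.1'
}

subprojects {
    apply plugin: 'groovy'
    apply plugin: 'com.github.spotbugs'

    // SonarQube's SpotBugs sensor parses only the native XML report (<BugCollection> root).
    // An HTML report produces "Unexpected document root 'html' instead of 'BugCollection'".
    tasks.withType(com.github.spotbugs.snom.SpotBugsTask) {
        reports {
            xml  { enabled = true }   // plugin 5.x and newer: use 'required = true'
            html { enabled = false }
        }
    }

    // The Gradle scanner resolves sonar.* properties per module, so each subproject
    // points at its own report instead of relying on a root-relative -D argument.
    sonarqube {
        properties {
            property 'sonar.java.spotbugs.reportPaths',
                     "${buildDir}/reports/spotbugs/main.xml"
        }
    }
}

// Hypothetical helper task (not part of either plugin): fail fast if any configured
// report is missing or is not a SpotBugs BugCollection document.
task verifySpotBugsReports {
    description = 'Checks that every SpotBugs XML report exists and has a BugCollection root'
    // Run after the SpotBugs tasks when both are in the same invocation.
    mustRunAfter subprojects.collect { p -> p.tasks.withType(com.github.spotbugs.snom.SpotBugsTask) }
    doLast {
        def problems = []
        subprojects.each { p ->
            def report = p.file("${p.buildDir}/reports/spotbugs/main.xml")
            if (!report.exists()) {
                problems << "${p.path}: missing ${report}"
                return
            }
            // Build output is untrusted input to this parser: refuse DOCTYPEs so no
            // external entities can be resolved while inspecting the report.
            def parser = new XmlSlurper(false, false)
            parser.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)
            def root = parser.parse(report).name()
            if (root != 'BugCollection') {
                problems << "${p.path}: document root is '${root}', not 'BugCollection'"
            }
        }
        if (!problems.isEmpty()) {
            throw new GradleException('SpotBugs report check failed:\n  ' + problems.join('\n  '))
        }
    }
}

tasks.named('sonarqube') { dependsOn 'verifySpotBugsReports' }
```

With this in place, `./gradlew check sonarqube` produces the XML reports, verifies them, and then runs the scanner; the imported findings appear in each module's issue list tagged as external SpotBugs issues rather than as a separate "report" view.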

Hi,

You’re not going to see “SpotBugs Reports” as such. You’ll simply see issues reported by SpotBugs integrated smoothly into the issues list.

To be clear, this is an entirely different topic/path from importing reports. You either do one or the other. Looking at your profile list, you don’t seem to have the FindBugs plugin installed. If you want to go this route, that’s your first step.

Ann

Thanks Ann, I see some issues tagged as SPOTBUGS so I think I am all set!

I think the quality gates are fine; I am just going to run the SpotBugs task locally with Gradle and import the reports. Thanks so much for your time and help on this!
