Sonarqube detecting code smell (deprecation) of java language 9 or greater on jdk8 code [reopen]

This post refers to another issue whose post I mistakenly marked as resolved: previous post

The problem remains: the scanner report shows deprecations of java language 9+ on jdk 8 compiled code. “sonar.java.source” isn’t working.

Another setting not having any effect is “sonar.exclusions”. I have set sonar.exclusions=**/*.js,**/*.mjs,**/*.css but the scanner still scans and reports problems in some .js files.

Scanner Context: ***** [Project Analysis]
...
Global server settings:
  - sonar.auth.gitlab.enabled=true
  - sonar.auth.gitlab.groupsSync=true
  - sonar.auth.gitlab.url=http://*****/
  - sonar.core.id=C7D770A6-AYXk46ass5cFg0kHZUdy
  - sonar.core.serverBaseURL=http://*****:9000/
  - sonar.core.startTime=2023-05-22T09:32:05-0400
  - sonar.dbcleaner.daysBeforeDeletingClosedIssues=15
  - sonar.dbcleaner.daysBeforeDeletingInactiveBranchesAndPRs=10
  - sonar.forceAuthentication=true
  - sonar.lf.enableGravatar=true
  - sonar.plugins.risk.consent=ACCEPTED
  - sonar.projectCreation.mainBranchName=master
Project server settings:
  - sonar.cpd.exclusions=**/*.jsp,**/*.css,**/*.js,**/*.mjs
  - sonar.exclusions=**/*.js,**/*.mjs,**/*.css
Project scanner properties:
  - sonar.cpd.exclusions=['**/*.jsp', '**/*.css', '**/*.js', '**/*.mjs']
  - sonar.exclusions=['**/*.js', '**/*.mjs', '**/*.css']
  - sonar.host.url=http://*****:9000
  - sonar.java.binaries=target
  - sonar.java.libraries=target/lib/*.jar
  - sonar.java.source=1.8
  - sonar.login=******
  - sonar.projectBaseDir=/src
  - sonar.projectKey=*****
  - sonar.qualitygate.wait=true
  - sonar.scanner.app=ScannerCLI
  - sonar.scanner.appVersion=4.8.0.2856
  - sonar.sourceEncoding=ISO-8859-1
  - sonar.sources=src
  - sonar.working.directory=/src/.scannerwork

SonarQube ID information
Version: 9.9.1.69595
Date: 2023-07-05

Hey there.

Can you outline how you execute your scan? Basically – your Gitlab CI YAML (I’m assuming you use Gitlab CI)

Yes, I do use Gitlab: CE 14.3.6 (self-managed)

compile-job:
  image: localregistry/maven:3.8-amazoncorretto-8
  stage: test
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
  variables:
    MAVEN_OPTS: -Dmaven.repo.local=/cache/maven_repository/
  script:
    - mvn clean compile -DskipTests -gs $ARTIFACTORY_SETTINGS_XML --batch-mode
    - mvn dependency:copy-dependencies -DoutputDirectory=target/lib -gs $ARTIFACTORY_SETTINGS_XML --batch-mode
  artifacts:
    paths:
      - target/classes
      - target/lib
    expire_in: 1 hour

scan-job:
  image:
    name: localregistry/sonarsource/sonar-scanner-cli
    entrypoint: [""]
  needs:
    - compile-job
  stage: test
  allow_failure: true
  tags:
    - docker
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
    SONAR_SCANNER_OPTS: "-Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_PROJECT_ANALYSIS_TOKEN -Dsonar.projectKey=$SONAR_PROJECT_KEY -Dsonar.qualitygate.wait=true"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
  script:
    - sonar-scanner -Dsonar.java.source=1.8 -Dsonar.sources=src -Dsonar.java.binaries=target -Dsonar.java.libraries=target/lib/*.jar -Dsonar.sourceEncoding=ISO-8859-1 -Dsonar.exclusions=**/*.js,**/*.mjs,**/*.css -Dsonar.branch.name=$CI_DEFAULT_BRANCH

Thanks.

Why do you decide to try and configure the sonar-scanner-cli rather than run mvn sonar:sonar?

Using the maven plugin on some java 8 projects, it gives errors like this:

[ERROR] /src/myclass1.java:[23,30] package org.omg.CORBA.portable does not exist
[ERROR] /src/myclass1.java:[400,163] cannot find symbol
  symbol:   class ApplicationException
  location: class myclass1
[ERROR] /src/myclass2.java:[5,24] package javax.annotation does not exist
[ERROR] /src/myclass2.java:[51,21] cannot find symbol
  symbol:   class Resource
  location: class myclass2

Running with the maven plugin on other projects where it works still results in deprecated java code from versions above 8.
But the exclusions seem to work.

Code smell

... new Integer(rs.getInt("someVariable")) ...
Remove this use of "Integer"; it is deprecated.

Gitlab job:

scan-job2:
  image: localregistry/maven:3.8-amazoncorretto-11
  stage: test
  tags:
    - docker
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
  script:
    - mvn clean verify sonar:sonar -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_PROJECT_ANALYSIS_TOKEN -Dsonar.projectKey=$SONAR_PROJECT_KEY -Dsonar.qualitygate.wait=true -Dsonar.java.source=1.8 -Dsonar.sourceEncoding=ISO-8859-1 -Dsonar.exclusions=**/*.js,**/*.mjs,**/*.css -Dsonar.branch.name=$CI_DEFAULT_BRANCH -DskipTests -gs $ARTIFACTORY_SETTINGS_XML --batch-mode

Hello @uliss3s ,

In theory, sonar.java.source should do the trick, and tell the analyzer what version you are using. Some rules are then going to adjust based on this value. Unfortunately, the rule java:S1874 is not one of these rules, and it relies solely on what information is read in your byte code.

Now, if your project is using Java 8, and the analyzer reads from bytecode (of the JDK) that the constructor of Integer() is deprecated, it means that the analyzer is reading the bytecode of the wrong JDK (probably your analysis runtime JDK).

This discrepancy is supposed to be handled auto-magically by the gradle or maven scanner (are you using the latest versions?). However, you can set manually the JDK that is used for your project by setting the following property: sonar.java.jdkHome. In your context, you then want to set to this property the "Path to jdk directory used by the project under analysis.". You might want to have a look at this documentation page to know more about the parameter.

Hope this helps,
Michael


Hi, thanks for the detailed response.

The sonar maven plugin runs only on Java 11 and above, right?
So, if I have a java 8 project (which I cannot change) that uses modules/libraries removed in java 11, like javax.annotation, I can’t use the maven plugin, right?

Hey,

I feel you can, but in 2 passes

  1. run the maven build with your JDK 8 (required due to the nature of your project)
  2. run the sonar:sonar maven job with JDK 11.

About 1., I believe however that you can still build a java 8 project with JDK 11, as long as you set sources version and release versions in the maven compiler as being java 8, so you should be able to do it in one go.

Cheers,
Michael

I got it working doing it in two passes as you suggested:

  1. maven build with the jdk 8
  2. sonar:sonar with -Dsonar.java.source=1.8 and -Dsonar.java.jdkHome=/path/to/jdk8

In projects that do not use modules/libraries removed from JDK 11, I can do it in one pass.

Thank you very much for the help. :pray:
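As an added example (not from the thread or from SonarSource), a small POSIX shell guard for the second pass described above: it checks that the directory passed as sonar.java.jdkHome really has a JDK 8 layout before composing the sonar:sonar command, so the analyzer cannot silently fall back to the bytecode of the JDK 11 runtime it is executed on. The JDK paths and the release-file contents used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: validate the JDK handed to the analyzer
# in the two-pass setup (build with JDK 8, sonar:sonar on JDK 11).

# Print the JAVA_VERSION recorded in <jdk>/release (e.g. 1.8.0_372).
# Fails when the release file is missing.
jdk_release_version() {
  [ -f "$1/release" ] || return 1
  sed -n 's/^JAVA_VERSION="\([^"]*\)"$/\1/p' "$1/release"
}

# Succeed only for a JDK 8 home: version 1.8.x plus the classic jre/lib/rt.jar,
# which JDK 9+ replaced with lib/modules. A 9+ home here is exactly what makes
# java:S1874 report "new Integer(...)" as deprecated on Java 8 code.
is_jdk8_home() {
  ver=$(jdk_release_version "$1") || return 1
  case "$ver" in
    1.8*) ;;
    *) return 1 ;;
  esac
  [ -f "$1/jre/lib/rt.jar" ]
}

# Compose the second-pass command from the thread (source level + jdkHome),
# refusing to run against anything that is not a JDK 8 home.
sonar_second_pass_cmd() {
  jdk="$1"
  if ! is_jdk8_home "$jdk"; then
    echo "sonar.java.jdkHome=$jdk is not a JDK 8 home; refusing to scan" >&2
    return 1
  fi
  printf 'mvn sonar:sonar -Dsonar.java.source=1.8 -Dsonar.java.jdkHome=%s\n' "$jdk"
}
```

In a CI job the last function's output is what you would evaluate after the JDK 8 compile step has produced target/classes and target/lib.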
