Hello Sonar Community,
I am a newbie to Sonar and I am using a Java plugin (GitHub - I8C/sonar-flow-plugin: A SonarQube plugin to analyse webMethods flow code) to scan for potential bugs in a flow language. I was able to achieve 90% of the use cases except for one.
Use case: I have two sources for the scan. One is for the flow scan using the Java plugin. The second one has XML configs. The intention here is to first scan the flow for a condition and, if it is true, then the second source (the XML config files) should be checked.
I have tried this approach so far, but haven't reached the goal completely.
Inside the Java plugin, I was able to scan the flow and check for the first condition. However, after the first condition is true, the scan should happen on another source path containing the XML config file. What's the ideal approach here?
Note: I saw that my second condition can be achieved using the XPath check extension, but this should be triggered from a Java plugin. So I am desperately looking for guidance here:
- Check one rule from java plugin on one source path.
- If first rule is true, then scan another source path having xml configs.
Thanks in advance.
Thank you for reaching out and bringing up such an interesting question! It’s definitely a good way to start your journey in the Sonar Community, so welcome!
Before I dig more into this issue I need you to give me some more details and clarify a few things:
- What do you mean by “two sources for scan”? What do you mean by source? Could you share the project or a simplified version of it to clarify what you have?
- What is the condition that you want to verify on the first source?
- Why would you scan the two sources conditionally? What would be the problem in scanning both of them?
- How did you scan for your first condition inside the Java plugin?
- Can you point me to the Xpath check extension? And, what is the second condition?
Looking forward to your inputs.
Hello, thank you, and below are the answers for more clarity.
- Two sources to scan means one source folder has code related to the flow language, and another folder has XML configurations. Sources = the sonar.sources parameter we pass on the scanner command line.
- The condition on the first source (the flow) is: we have something called triggers; only if it is a serial trigger do we go to the second source and check in the XML config that the optimization parameter is set.
- I think point 2 above explains it.
- Inside the Java plugin, I have written checks/conditions using visitors. Here the flow language is proprietary webMethods code, which is also XML in the end.
- The first condition is mentioned in point 2. The second condition will be on the XML configuration file, which has the optimization parameter of BPMN 2.0. The XPath would be /businessProcessConfig/qualityOfService/optimizeLocally.
I hope my points are clear here. Desperately looking for a way to achieve this combination of rules.
Hello @niteesh22, there are still a few things not clear to me.
Could you explain, eventually with examples and a screenshot, what you have done so far?
How are you using the sonar-java plugin? And what do you mean when you say condition?
The more information you provide, the better I can reproduce your situation and help.
I’ll be on holiday next week, so if I can’t help you, I’ll ask someone else to help.
Sure, below are screenshots of the code/files which are under scan.
But there is only one rule, which requires the combination, that I couldn't implement yet.
Scan command: sonar-scanner.bat -D"sonar.projectKey=WM" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.token=sqp_5a15ca9969425bc28e1eb9ed2d2e4f85bac498cf"
Here the plugin is a Java extension (jar) which we place in the SonarQube sonarqube-10.1.0.73491\extensions\plugins folder and start the server; the rules appear then.
The condition is: first check using the above Java plugin; if true, then scan another source folder with the XMLs.
Thank you @niteesh22 for clarifying; I didn’t understand that you were trying to write your own rule. I would recommend you to have a look at the Writing Custom Java Rules 101 guide, in case you haven’t done it yet.
Regarding your request, this is what I was able to find out:
The EndOfAnalysis interface and EndOfAnalysisVisitor class allow you to perform checks at the end of a module analysis after all files have been scanned. Be careful though in managing the state between files!
In sonar-java only .java files are scanned, and thus available for the analysis.
Unfortunately, I can’t help you more than this. You may consider changing the scope of your rule or making valid assumptions that won’t require access to
Yes, sure. The main thing here is the feasibility of combining multiple rules of different types (whether it is possible or not). I have already written a rule inside the plugin for one condition. However, the second rule must be triggered only after the first rule says true. That's the point in short (combination of rules).
Hi @niteesh22, generally speaking, each rule should be independent of the others; one reason for this is that there is no guarantee about the order in which rules are executed. So, you should not create a dependency between rules; anyway, you can implement a more specialized rule that reuses the logic from another rule.
In your case, I would separate the 2 rules. You can see the second rule as a special case of the first rule, which covers the subset of use cases determined by your conditions.
Have a look at the BrainMethodCheck, which first visits all the files in the module, collects the state information required and finally in the endOfAnalysis reports the issues in case some conditions are met.
I hope this will help you achieve the desired behavior.
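As an added illustration of the "collect state while visiting, report in endOfAnalysis" pattern described in the reply above (this is not code from the thread, from sonar-java or from the flow plugin): one self-contained rule that reuses a small shared helper instead of depending on another rule's violation. It is written against the sonar-java API shape the reply names (IssuableSubscriptionVisitor, EndOfAnalysis, ModuleScannerContext, JavaFileScannerContext.reportIssue); the rule key, class names, the TriggerLogic helper and the two marker strings ("trigger:serial" and "optimizeLocally=true", standing in for the flow trigger and the XML optimizeLocally setting) are assumptions, since sonar-java only sees .java files.

```java
package org.example.checks;

import java.util.ArrayList;
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.EndOfAnalysis;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.ModuleScannerContext;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.Tree;

// Hypothetical rule key; the module-wide state lives in the check instance.
@Rule(key = "SerialTriggerNeedsOptimizeLocally")
public class SerialTriggerOptimizationCheck extends IssuableSubscriptionVisitor implements EndOfAnalysis {

  // Where each "serial trigger" marker was found, kept until the whole module is scanned (Java 16+ record).
  private record Pending(JavaFileScannerContext ctx, Tree tree) {}

  private final List<Pending> serialTriggers = new ArrayList<>();
  private boolean optimizeLocallySeen = false;

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return List.of(Tree.Kind.STRING_LITERAL);
  }

  @Override
  public void visitNode(Tree tree) {
    String value = ((LiteralTree) tree).value(); // literal text, including the surrounding quotes
    if (TriggerLogic.isSerialTrigger(value)) {
      serialTriggers.add(new Pending(context, tree)); // remember the file context, do not report yet
    } else if (value.contains("optimizeLocally=true")) {
      optimizeLocallySeen = true; // the second condition may live in a different file
    }
  }

  @Override
  public void endOfAnalysis(ModuleScannerContext moduleContext) {
    if (!optimizeLocallySeen) {
      for (Pending p : serialTriggers) {
        p.ctx().reportIssue(this, p.tree(), "Serial trigger found but optimizeLocally is not enabled.");
      }
    }
    serialTriggers.clear(); // reset module-wide state so it cannot leak into the next module
    optimizeLocallySeen = false;
  }
}

// Assumed helper shared with the plain "serial trigger" rule, so neither rule depends on the other.
final class TriggerLogic {
  private TriggerLogic() {}
  static boolean isSerialTrigger(String literal) {
    return literal.contains("trigger:serial");
  }
}
```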
Hello @angelo.buono, yes, thank you for the inputs. I understood the point about modularity of rules to avoid dependencies. However, in our codebase we have two sources, one for the integration logic and the other for the business process logic. Since the logics are dependent on each other, my thought was to first raise a violation from one and, based on that, check whether another rule on the SonarQube server can be triggered. Anyway, this may be more unusual than normal; I was trying to see if there is a way to create dependencies out of the box.
Unfortunately, it is not really possible to depend on a violation raised by another rule; anyway, you can reuse the logic from that rule. Implementation-wise it should not be too much overhead and may even turn out more explicit and clear.