squid:S1905 - Local installation not detecting

Nowhere · May 5, 2020, 6:12pm

Hi all,

I’m writing, if someone could help me to understand.
I installed SonarQube community edition on my local machine and I see it is not catching issues that my company sonar installation alert for.
For example, squid:S1905 (that on my version is reported as java:S1905) is not catched by the scan I perform locally with:

mvn sonar:sonar -Dsonar.projectKey=aaa -Dsonar.host.url=http://localhost:9000 -Dsonar.login=***

Can you explain why?Thanks!

Quentin · May 7, 2020, 3:46pm

Hello @Nowhere, welcome to the community!

I don’t have an exact answer, but here are a few clues that could explain differences:

You are not using the same edition of SonarQube.
Developer edition has additional rules related to security for example.
You are not using the same version of SonarQube or version of the java analyzer
We regularly update our product, two different versions could lead to different issues (false positive removed, new issues, …).
You are not executing the same set of rules.
Some rules are not enabled by default.
You are not correctly configuring your project.
A misconfiguration could lead to less precise results, hence potentially fewer issues. If it is the case, logs should warn you about it.

For the example of S1905, this rule is part of the community edition and enabled by default, I would therefore bet on the second or last point.

I hope this leads to your research.

Best,
Quentin

Nowhere · May 12, 2020, 12:20pm

Hi Quentin, thanks!

I’m using community edition in both cases, but different versions.
The rule I’m analyzing is present and active in both versions.
So i was investigating some misconfiguration , but no success.

One more question, please: do I need do set dependency jars in sonar.libraries parameter? My dependencies are managed by maven.
Thanks
Rosa

Quentin · May 12, 2020, 12:37pm

The scanner for maven should take care of setting everything correctly (including sonar.libraries).

different versions.

This will definitely introduce differences, many changes occurs between two versions!

Nowhere · May 12, 2020, 12:45pm

Your reply was really fast!

I just installed sonarqube v7.9.3 and the issue is dedected.
Version 8.2 still not seeing it.

I can’t explain this behaviour, but I’m partially happy with this finding.

Thanks for your support.

Quentin · May 12, 2020, 2:38pm

Note that between 7.9.3 and 8.2, we reworked the whole front-end and many rules of the Java analyzer, if newer versions are not reporting it, I would expect the issue to be a false positive, or at least a corner case.

Still, if you are confident the issue should be detected, that we introduced a regression since 7.9.3, feel free to create another topic with a simple reproducer!

Best,
Quentin

Nowhere · May 20, 2020, 2:07pm

It was definitely a false positive.
Thanks!
Rosa

system · May 27, 2020, 2:07pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.