I just cloned the project from https://github.com/SonarSource/sonar-java.git and changed nothing.
Then I tried to run ‘mvn clean install’ in the terminal, but got an error:
Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.22.2:test (default-test) on project java-frontend: There are test failures.
[ERROR] Please refer to D:\sonar-java\sonar-java\java-frontend\target\surefire-reports for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] -> [Help 1]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :java-frontend
No problem here building with a JDK11 (AdoptOpenJDK build 11.0.6+10) on MacOS. Did you use Java 11 as well?
This GitHub project holds the implementation and tests of the Java code analyzer (used with SonarQube, SonarCloud and SonarLint). Your suggestions of code changes there are of course most welcome; some (very) good Java and Maven know-how is needed.
I built sonar-java with a JDK (AdoptOpenJDK build 11.0.7) on Windows 10 but still got the same problem.
Here are the full build logs:
error logs.txt (154.4 KB)
Maybe I need to install something else before building this project? Or am I missing some dependency?
I just started to learn SonarQube…
Do you intend to learn about using SonarQube or do you intend to propose your own changes to SonarQube code?
I intend to customize the original java-plugin to make it check only Bugs and Vulnerabilities but skip Code Smells and Security Hotspots, but I didn't find any tutorials about that.
By the way, I have solved the problem by just building on Linux… and it works.
I never found Windows to be a developer friendly OS, it is always difficult to understand all of what is happening there. Going to Linux was a good idea.
Although I am a bit sad that you did not find much value in code smells and Security Hotspots and I believe that in the long run you may regret your choice:
- code smells are raising maintainability issues. Each issue represents a small detail individually, but if you don’t tackle them as they come, over time your code will accumulate them and any evolution or maintenance there will be a real pain.
- hotspots represent security-sensitive pieces of code; having a look at each of them is our recommendation but of course your choice.
And of course having tight quality profiles and quality gates is neither difficult nor too time consuming for teams that adopt the Clean As You Code approach. If you’d like to know more about it, I would recommend for you to read:
If I failed to convince you about those rules, let me add here that you do not need to modify the analyzer implementation to disable rules from your analysis.
You just need your own quality profile that would not embed those rules.
Of course I know the SonarQube UI quite well, but it took me less than 5 minutes to create a Quality Profile with Java vulnerability and bug rules only.
In order to do so, you may:
- Read the quality profiles documentation page
- Start a new Quality Profile from scratch; if you copy or extend the Sonar Way one you will have all of its rules.
- Use the compare functionality to realign your Quality Profile with the Sonar Way on Vulnerability and Bug rules if you want to
- Once you have your Quality Profile ready, you can set it as default for all of your projects.
Of course I know the value of code smells and security hotspots. They are useful and important.
But now I just got a demand to customize the plugins to skip code smells and security hotspots. The key point of this demand is that the final output should be a *.jar package (a project which can build a *.jar package) to be put into the extensions folder, rather than creating a Quality Profile.
So is it possible to do that? I tried to simply change some logic in the sonar-java source project (https://github.com/SonarSource/sonar-java), but the build finally failed in the test session.
Could you give me some suggestions about my demand? Yeah, of course I will learn more about quality profiles and try your steps.
Thank you very much.
I fail to understand how generating your own plugin for the Java language analyzer could possibly be a better solution than a specific quality profile for the purpose of disabling some rules for the analysis of SonarQube projects, especially since you would be able to back up this Quality Gate and share it as an XML file.
The only reason I could think of would be to abuse SonarQube governance on quality profiles, making projects appear in better shape than they really are on a SonarQube instance. But surely that cannot be your intent here.
As for the modification of the plugin code itself, I cannot really help you with that as I do not know my way around this particular code well enough. But Maven and Java development expertise are both strong prerequisites for such a task for sure; if you do not have both, you are probably at the beginning of a very long journey.