Whitelist scan rules - Ignore Issues on Multiple Criteria

Hi Team,

I am trying to ignore some rules in my SQ scan. I followed the steps mentioned here (Narrowing the Focus | SonarQube Docs, Ignore Issues on Multiple Criteria), but the rules are still identified in our scan results. Kindly suggest how to achieve "ignoring rules" in our pipeline scan.
(A few rules which need to be blocked or whitelisted in our SQ scan results: "go:S3776, go:S1192, python:S1192…")

Also, is there a way to whitelist/block a few SonarQube rules through a script/configuration file? (Please share an example of this.)

FYI, I'm using the latest version of SonarQube.
Thanks.

Hi,

Welcome to the community!

Writing the configuration for this exclusion manually can be tricky. I suggest you set it via the UI. Have you tried that? Alternatively, have you considered removing the rules from your Quality Profile?

Ann
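For the configuration-file route the question asked about, here is an added example (not from this thread, from the SonarQube docs or from the SonarQube project): a small Python helper that emits the sonar.issue.ignore.multicriteria block for sonar-project.properties from the rule keys named in the question, plus a checker for the mistakes that are easy to make when the block is written by hand (an id listed without both ruleKey and resourceKey, a block defined but not listed under the prefix, a malformed rule key). The property names are the documented ones; the helper names and the "**/*.py" pattern for the python rule are assumptions made here.

```python
"""Emit and check SonarQube 'Ignore Issues on Multiple Criteria' properties.

Added example for this thread; not SonarSource code. Property names are
the documented ones (sonar.issue.ignore.multicriteria and its .ruleKey /
.resourceKey sub-keys); the helper names and the "**/*.py" pattern for the
python rule are assumptions made here.
"""
import re

PREFIX = "sonar.issue.ignore.multicriteria"
# A rule key is "<repository>:<rule>", e.g. "go:S3776".
RULE_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+$")

# (rule key, file pattern) pairs from the question; the .py pattern is assumed.
IGNORES = [
    ("go:S3776", "**/*.go"),
    ("go:S1192", "**/*.go"),
    ("python:S1192", "**/*.py"),
]


def multicriteria_properties(ignores, prefix=PREFIX):
    """Return the lines to paste into sonar-project.properties.

    Each pair gets an id (e1, e2, ...), the ids are listed once under the
    prefix, and every listed id carries both .ruleKey and .resourceKey.
    """
    for rule_key, _pattern in ignores:
        if not RULE_KEY_RE.match(rule_key):
            raise ValueError(f"not a SonarQube rule key: {rule_key!r}")
    ids = [f"e{i}" for i in range(1, len(ignores) + 1)]
    lines = [f"{prefix}={','.join(ids)}"]
    for block_id, (rule_key, pattern) in zip(ids, ignores):
        lines.append(f"{prefix}.{block_id}.ruleKey={rule_key}")
        lines.append(f"{prefix}.{block_id}.resourceKey={pattern}")
    return lines


def check_multicriteria(text, prefix=PREFIX):
    """Return a list of problems found in a hand-written properties text.

    Catches the usual mistakes: no id list, an id listed without both
    sub-keys, a malformed rule key, or a block defined but never listed
    under the prefix (such a block is not applied by the scanner).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()

    problems = []
    declared = [i.strip() for i in props.get(prefix, "").split(",") if i.strip()]
    if not declared:
        problems.append(f"{prefix} is missing or empty")
    for block_id in declared:
        for field in ("ruleKey", "resourceKey"):
            if f"{prefix}.{block_id}.{field}" not in props:
                problems.append(f"{block_id}: missing {field}")
        rule_key = props.get(f"{prefix}.{block_id}.ruleKey")
        if rule_key is not None and not RULE_KEY_RE.match(rule_key):
            problems.append(f"{block_id}: {rule_key!r} is not a rule key")
    block_re = re.compile(re.escape(prefix) + r"\.([^.]+)\.(ruleKey|resourceKey)$")
    for key in props:
        m = block_re.match(key)
        if m and m.group(1) not in declared:
            problems.append(f"{m.group(1)}: defined but not listed under {prefix}")
    return problems


if __name__ == "__main__":
    generated = multicriteria_properties(IGNORES)
    print("\n".join(generated))
    print("problems:", check_multicriteria("\n".join(generated)))
```

Paste the generated lines into sonar-project.properties (or pass each as a -D argument to the scanner) and run check_multicriteria over the file before the pipeline runs; a deactivated rule in the Quality Profile remains the simpler option when the rule should go away for every file, as Ann says above.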

Hi,

Thanks!

Yes, I set that via the UI (SonarQube dashboard), but the rules are still identified in our scan results.
And I tried removing the rules from the Quality Profile (deactivated the rules), but again the rules are identified.

I tried to "Ignore Issues on Multiple Criteria" in 2 ways.
Here is the reference:


And here is our "Quality Profile" reference:


I removed the Go rule (go:S3776) and checked the scan result, but the rule is still identified in our scan results.

Is there anything missing here? Kindly assist.

Thanks

Hi,

So first, your second screenshot shows the correct way to set the exclusion. But since you want to exclude the rule for **/*.go then removing it from the profile would be the better option.

In fact, you say you did that, and re-ran analysis(?) and still had an issue from the removed rule show up? Can you verify that the new analysis was made with the edited profile?

Ann

Hi,
Thanks for your responses.

Could you please share how to “verify the new analysis was made with the edited profile?”
(I checked the new SonarQube scan logs, but I'm not sure whether the new scan result was made with the edited profile or not.)

Thanks

Hi,

Check the “Project Information” pullout on the right:

It shows the profiles used in the most recent analysis.

Ann

Hi,

Thanks for your responses.

I verified that the new analysis was made with the edited profile.
(My edited Go Quality Profile name is "Sonar way_one".)
Screenshot 2022-03-03 at 2.25.24 PM

Do we need to update/modify anything else, or am I missing something?

Kindly advise.

Thanks

Hi,

I’ve just realized that when you said this:

the screenshot you showed was of a rule search. Whether or not the rule is used in your analysis, it’s always going to show up in the rule search results.

Are you seeing issues raised by this rule in your profile?

Ann

Hi,

I've deactivated that rule (go:S3776) in my Quality Profile, and its showing up in the rule search results is fine, no problem with that.
No, I don’t see issues from this in my profile.

And my SonarQube scan logs contain this particular rule and show it as critical: "rule": "go:S3776", "severity": "CRITICAL"
Is this always going to show up in the scan logs?

Thanks

And I'm running this scan on one of my clusters, in a pod. If the current pod gets deleted and a new pod comes in, will all the SonarQube settings apply to the new pod? Or do we need to modify the SonarQube profile/project settings again to avoid some particular rule?

Thanks

Hi,

Could you share the actual log lines, verbatim?

Ann

Hi,
Sure.

{
      "key": "XXXXXXXXXXXXXXXXXXXXXXXX",
      "rule": "go:S3776",
      "severity": "CRITICAL",
      "component": "project1:main/main.go",
      "project": "project1",
      "hash": "XXXXXXXXXXXXXXXXXXXXXXXX",
      "textRange": {
        "startLine": 185,
        "endLine": 185,
        "startOffset": 5,
        "endOffset": 13
      },
      "flows": [
        {
          "locations": [
            {
              "component": "project1:main/main.go",
              "textRange": {
                "startLine": 201,
                "endLine": 201,
                "startOffset": 1,
                "endOffset": 3
              },
              "msg": "+1"
            }
          ]
        },
        {
          "locations": [
            {
              "component": "project1:main/main.go",
              "textRange": {
                "startLine": 294,
                "endLine": 294,
                "startOffset": 1,
                "endOffset": 3
              },
              "msg": "+1"
            }
          ]
        }
      ],
      "resolution": "REMOVED",
      "status": "CLOSED",
      "message": "Refactor this method to reduce its Cognitive Complexity from 16 to the 15 allowed.",
      "effort": "6min",
      "debt": "6min",
      "author": "bharath@abc.com",
      "tags": [
        "brain-overload"
      ],
      "creationDate": "2022-02-22T04:07:27+0000",
      "updateDate": "2022-03-01T12:24:24+0000",
      "closeDate": "2022-03-01T12:24:24+0000",
      "type": "CODE_SMELL",
      "scope": "MAIN"
    },

Deactivated rules show the status "CLOSED" in the scan logs.

Hi,

What you’ve shared aren’t analysis logs, but the results of a web service call. The Closed/Removed status & resolution indicate that the issue is no longer raised by analysis, but it used to be.

These closed issues should be taken care of by housekeeping in about a month.

This is all normal and expected and working as designed.

Ann
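To make the distinction Ann draws usable in a pipeline, here is an added example (not from this thread and not SonarQube code): a Python snippet that takes an api/issues/search response body and separates the issues analysis still raises from the Closed/Removed ones, so a pipeline check does not trip over the closed record posted above. The sample response is constructed: the first record is the posted one, trimmed, and the second is a made-up issue for go:S1192 that is still open. The function names are made up as well.

```python
"""Tell issues still raised by analysis apart from Closed/Removed ones.

Added example for this thread, not SonarQube code. SAMPLE_RESPONSE is
constructed: the first record is the one posted above (trimmed), the
second is a made-up issue that is still open. Function names are made up.
"""
import json
from collections import Counter

SAMPLE_RESPONSE = json.dumps({
    "total": 2,
    "issues": [
        {   # posted record, trimmed: the rule was deactivated, so the issue closed
            "key": "XXXXXXXXXXXXXXXXXXXXXXXX", "rule": "go:S3776",
            "severity": "CRITICAL", "component": "project1:main/main.go",
            "project": "project1", "resolution": "REMOVED", "status": "CLOSED",
            "closeDate": "2022-03-01T12:24:24+0000", "type": "CODE_SMELL",
        },
        {   # constructed: an issue the last analysis still raised
            "key": "constructed-1", "rule": "go:S1192",
            "severity": "CRITICAL", "component": "project1:main/main.go",
            "project": "project1", "status": "OPEN", "type": "CODE_SMELL",
        },
    ],
})

# Only these statuses mean the last analysis still found the issue.
# RESOLVED (won't fix / false positive) and CLOSED are not active.
ACTIVE_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}


def split_issues(response_text):
    """Return (active, inactive) issue lists from an api/issues/search body."""
    data = json.loads(response_text)
    active, inactive = [], []
    for issue in data.get("issues", []):
        bucket = active if issue.get("status") in ACTIVE_STATUSES else inactive
        bucket.append(issue)
    return active, inactive


def rules_still_raising(response_text):
    """Count active issues per rule key; this is what still affects the project."""
    active, _inactive = split_issues(response_text)
    return Counter(issue["rule"] for issue in active)


def rules_closed_as_removed(response_text):
    """Rule keys whose issues closed with resolution REMOVED, i.e. they went
    away without a code change: rule deactivated in the profile, or excluded."""
    _active, inactive = split_issues(response_text)
    return sorted({
        issue["rule"] for issue in inactive
        if issue.get("status") == "CLOSED" and issue.get("resolution") == "REMOVED"
    })


if __name__ == "__main__":
    print("still raised:", dict(rules_still_raising(SAMPLE_RESPONSE)))
    print("closed/removed:", rules_closed_as_removed(SAMPLE_RESPONSE))
```

Server-side, api/issues/search also accepts resolved=false, which drops closed and resolved issues before they reach a script; the closed ones otherwise stay visible until housekeeping deletes them (Administration > General Settings > Housekeeping, 30 days by default), which is the "about a month" Ann mentions.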

Hi,

Thanks for your responses.

And I'm running this scan on one of my clusters, in a pod. If the current pod gets deleted and a new pod comes in, will all the SonarQube settings apply to the new pod? Or do we need to modify the SonarQube profile/project settings again to avoid some particular rule?

Thanks

Hi,

All that stuff is stored in the database, so as long as you don’t wipe that out, you’re good.

HTH,
Ann

Thanks