Writing rules for external analyzer


I’m trying to import issues from an external analyzer using the parameter “sonar.externalIssuesReportPaths” of the cmdline tool sonar-scanner (https://docs.sonarqube.org/7.4/analysis/generic-issue/). I had successfully imported the external report to sonar dashboard, but when I try to display details about the imported issues I got the following message “This is external rule test:X2115. No details are available.”.

Is there a way to write a specific rules for the issues generated by my external analyzer ? My aim is to only get detailed information about the issue (risk, detailed description, sample compliant code, etc).

Sonar version 7.4
External Analyzer : Bandit

Thanks for your help,


Not without writing a plugin. If you do decide to to that route, then it might help to look at where SonarJava and SonarJS do that.

Another option if you’re going to write a plugin is to write a full-fledged analyzer plugin that provides ‘native’ rules. For that a look at PMD or one of the others might help.


Ran into this without even looking for it! MMF-1533

Feel free to vote/watch.

1 Like

Thanks for your reply.

I’m actually working on the first path (i.e. writing a plugin to generate rules for external issues), and I found out that external issues suffer from [two important limitations]((https://docs.sonarqube.org/7.4/analysis/generic-issue/) :

  • they cannot be managed within SonarQube; for instance, there is no ability to mark them False Positive.
  • the activation of the rules that raise these issues cannot be managed within SonarQube. In fact, external rules are not visible in the Rules page or reflected in any Quality Profile.

And also :

External issues and the rules that raise them must be managed in the configuration of your linter.

Is there any current work (or planned) to cover these limitations ?

Also, between the two options, what is the most recommended one ?

Thanks you again.

Thank you ! I will take a look at this issue.


There’s this ticket, but I can’t give you a timeline on it:

SONAR-11176 - Allow external issues to be confirmed or dismissed

If you’re going to create a plugin, Id say go all the way and do an analyzer. Then those two limitations don’t matter.


1 Like