I'm trying to ignore Lombok code (generated code) from Sonar analysis based on files which have a custom annotation, #ExcludeLombok.
I've tried this guide which did not work.
In fact, I've even tried excluding an entire directory from analysis and it still wouldn't work.
I've also tirelessly searched through StackOverflow looking for a solution, and I've seen this has been discussed a good bit on here, but I've seen that people have been suggesting to write a single test to get the coverage up, which is pointless since we should not test auto generated code.
The solution I'm looking for is to exclude files based on a custom annotation.
But so far, anything I attempt to exclude does not get excluded.
Any help would be greatly appreciated.
There is currently no easy way to exclude issues raised by the SonarQube rules from the SonarQube Java Analyzer, except from using approaches described in the "Narrowing the focus" documentation you quote.
Now, we introduced recently the concept of issue filters in the SonarQube Java Analyzer. This mechanism is at the moment only used internally to exclude issues raised by rules at analysis time, based on specific criteria.
We plan to extends this mechanism in order to allow users to implements their own custom issue filters, the same way custom rules can be implemented. This approach would cover your case and allow you to filter any rules on code annotated with your custom annotation. This new feature will be handled in the following JIRA ticket: SONARJAVA-1761
Another option you have is to run Sonar over delomboked source. There are various ways to delombok depending on your build system see:
Delombok Overview.
For maven there's an example of running analysis on delomboked code: Delombok test pom
In each case you would make sure you ran the checks over generated source.
Related
The current Babel plugin for decorators is based on the corresponding tc39 proposal. However, it only follows what is explicitly proposed, despite the fact that the above proposal also includes extensions that should be looked at, including:
Decorators on functions
Parameter decorators
let/const decorators
A few metadata plans that are no longer relevant
Is there a recommended plugin or another build system that allows the use of at least the first three points?
If not, I'd assume the only way would be to write a custom plugin, however considering it would be so similar to the earlier plugin, it would be easier to fork it. The problem is that it seems a lot more integrated into babel than other public transformers, so how would someone go about this?
I'm working for a client that wants SonarLint used on their projects. Their IDE of choice is Eclipse. They do not have SonarQube. What I am looking for is a way to clear out the SonarLint annotation for a particular instance of a rule violation, rather than disabling the rule altogether.
For example, the rule about removing commented out code is useful for finding code accidentally left behind after testing, but there are occasions where commented out code is left behind because the business is not yet clear on how they want a particular routine to function. It would be helpful to be able to clear that one instance of the rule violation annotation.
Is this even possible without SonarQube?
You should add on your code an annotation with the specific rule id, and add a comment to explain, e.g. :
#SuppressWarnings("squid:CommentedOutCodeLine") //code commented out because business is not yet clear
I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins.
The idea is to detect vulnerabilities in the code, and as it says in the github project subject, it works with scala https://github.com/find-sec-bugs/find-sec-bugs
I have installed the plugin as the documentation says, and tried a few scans but nothing related to vulnerabilities in scala is coming up.
So, in order to figure out if the code was really good or there was a misconfiguration on my SonarQube settings, I went to http://find-sec-bugs.github.io/bugs.htm, I took one of the examples (Potential Path Traversal), inserted the example code and I ran the scanner again. It was not found.
The rule (Security - Potential Path Traversal (file read)) is activated in the Quality Profile, and despite it is a Java profile, it is assigned to the project, since the code in the mentioned example is Scala.
I noticed that all the rules coming from find-sec-bugs are java ones, so I'm wondering if they don't work on scala or there is something else I can do to make it work.
Thanks in advance, and let me know if you need any extra information, I'd be glad to provide you.
Looks like the main reason for that to happen is that Scala bug patterns are explicitly excluded for some reasons:
Their are plenty of limitation with the SonarQube architecture regarding the multi-language support.
It is closely tie to the sonar-source plugin design.
Language can't have the same extension (https://jira.sonarsource.com/browse/MMF-672)
Repository can't contains rule that apply to multiple languages. (If you would have Scala only code, the Java core rules would not be enable unless you have one Java file present)
Sensor are couple to the language definition (depends on the most popular plugin that declares it).
etc, etc..
Source: https://github.com/spotbugs/sonar-findbugs/issues/108#issuecomment-305909652
All the exclusions can be seen here: https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e
Particularly, for Scala:
static exclusions = ['CUSTOM_INJECTION',
'SCALA_SENSITIVE_DATA_EXPOSURE',
'SCALA_PLAY_SSRF',
'SCALA_XSS_TWIRL',
'SCALA_XSS_MVC_API',
'SCALA_PATH_TRAVERSAL_IN',
'SCALA_COMMAND_INJECTION',
"SCALA_SQL_INJECTION_SLICK",
"SCALA_SQL_INJECTION_ANORM",
"PREDICTABLE_RANDOM_SCALA"]
In a Java project I'm working (alongside a team of 8 devs), we have a large backlog of features that lack automated tests. We are covering this backlog and we need to keep track of who wrote a JUnit test and when, plus we have to measure how many test we wrote as a team in a week/month/semester (as you may have figured out already, this information is for management purposes). We figured we'd do this by marking the tests with the information we need (author, creation date) and let Eclipse do the processing work, showing us tests we wrote, who wrote'em and how far we were from reaching our goals. How would you smart people go about this? What plugins would you use?
I tried to use Eclipse Custom Tags for this, but it's not the purpose of the feature, and the results I got were kind of brittle. I created a TEST tag that was supposed to mark a test method. It looks like this: (date is mm-dd-yyyy)
//TEST my.name 08-06-2011
Since Eclipse processes tag description by substringing (contains/doesn't contain), it's, as I said, very brittle. I can timestamp the tag, but it's just a string. Eclipse can't process it as a date, compare dates, filter by date interval, stuff like that.
I searched for plugins, but no dice.
My B-plan is to create an Annotation with the information we need and process our test packages using Eclipse Annotation Processing Tool. I haven't tried anything on this front yet, though, just an idea. Anyone knows a good plugin for this kind of Annotation processing? Or any starter tips for dealing with Eclipse APT.
Thanks a bunch, folks
I would not use Eclipse for this.
Your team should be checking the tests into a version control system such as Subversion, Git, Team Foundation Server, etc. From there it should a fairly straightforward matter to determine the owner and check-in time. You can and should do this sort of metrics calculation during every build. Better yet, be sure that your build script actually runs your tests and uses a tool like EMMA to instrument the code and determine the actual coverage.
As a fallback for measuring coverage, if you choose a naming convention then you may even be able to correlate the test classes by file name back to the feature under test.
Many modern build systems, such as CruiseControl, have integration for doing these sorts of things quite nicely.
These are the options we have out of the box:
I would like a more fine grained sorting when it comes to methods. I would like to:
Have all methods with a name which does not start with get, is or set first.
Then have the accessor methods (with names starting with get, is or set).
Individually the methods in [1] and [2] above could be sorted in alphabetical order. Apart from my devision of normal methods into two parts I like the existing sort order.
I find this order (with the accessor methods last) better as I'm more likely to find the non-accessor methods interesting when I'm maintaining a class and I need to fix a bug etc.
Is there a plugin I could use? If there is none, would it be hard to create this kind of plugin myself? (I have never created a Eclipse plugin.)
I hope it's not to late for my answer.
As far as I know, there is no such plugin (I looked at eclipse plugin central right now).
If you want to write such plugin, it shouldn't be too hard to write the refactoring (the Java Editor is based on an AST, that can be reached via extension points) itself, but for building a working plugin it might need more study.
Some resources that might help:
Plugin development resources from stackoverflow: question 592391 (sorry, but cannot post two hyperlinks)
An open source refactoring plugin: http://code.google.com/p/tane/ (it currently contains a single refactoring plus the related gui elements, it might be a good example for you)
In 2011, an academic exercise resulted in an Eclipse plugin implementing methods sorting based on ideas in Robert C. Martin's book "Clean Code". I am still trying to work out if I like it or not.
There is an open bug report to enhance sort member functionality in Eclise: Sort Members doesn't provide a means to group getter/setter pairs. It was opened in 2004 and still has no plans to be implemented.