jqassistant-tooling / sonar-jqassistant-plugin Goto Github PK

View Code? Open in Web Editor NEW

12.0 8.0 2.0 10.08 MB

The SonarQube plugin for jQAssistant

Home Page: http://jqassistant.org/

License: GNU General Public License v3.0

Java 100.00%

jqassistant sonarqube plugin

sonar-jqassistant-plugin's Introduction

jQAssistant SonarQube Plugin

Table of Contents

Requirements
Installation
- SonarQube Marketplace
- Manual
Configuration
Execution
Example Setup
Feedback & Issues
From jQAssistant queries to SonarQube issues

This is the SonarQube plugin for jQAssistant integration

Requirements

SonarQube 9.9 or higher
Java project with jQAssistant setup

Installation

SonarQube Marketplace

Login into SonarQube as administrator and navigate to Administration/MarketPlace
Enter jQAssistant in the filter panel, click Install and restart the SonarQube server

Manual

Download the plugin JAR for your SonarQube release
Copy the plugin (i.e. JAR file) to the extensions/plugins folder of the SonarQube installation
(Re-)Start the SonarQube server

Configuration

The plugin provides two rules that need to be activated for the quality profile of your project(s).

Constraint Violation: Constraints that reported violations (default severity: Major).
Invalid Concept: Concepts that are defined but could not be applied successfully (default severity: Minor).

Therefore the following steps need to be performed in the SonarQube UI (as administrator):

Navigate to Quality Profiles
Select your desired quality profile
Activate the jQAssistant rules
- Open the view to manage the rules of the quality profile
- Search for inactive rules in the repository jQAssistant (by using the filters on the left side)
- Activate the desired rules
Add your project to the quality profile (if not already done)
- Navigate back to the overview screen of the selected quality profile
- Select Projects
- Add your project

Table 1. Supported properties

Property	Description	Default value
sonar.jqassistant.disabled	Disable the jQAssistant sensor.	false
sonar.jqassistant.reportPath	The path to the jQAssistant XML report file, either absolute or relative to the module directory	<projectRoot>/target/jqassistant/jqassistant-report.xml
sonar.jqassistant.issueType	Determines the type of created issues, available options are `CODE_SMELL`, `BUG`, `VULNERABILITY` or `SECURITY_HOTSPOT`	`CODE_SMELL`

Note	By specifying a relative `reportPath` the first jQAssistant XML report file will be used for a module in a multi-module structure which can be found by traversing the module hierarchy upwards until the project’s root directory is reached.

Execution

In case of a Maven project with a jQAssistant setup the following steps need to be executed:

mvn verify: Build the project including scan and analysis by jQAssistant. A file target/jqassistant/jqassistant-report.xml will be created containing an XML report.
mvn sonar:sonar: Run the SonarQube analysis. The sensor of the jQAssistant SonarQube plugin will evaluate the report and create issues for failed rules.

Example Setup

This section describes an example setup for a Maven project with the following structure:

Example Maven Project

project/
  pom.xml      (1)
  jqassistant/ (2)
    index.adoc
  src/
    main/
      java/

Maven build descriptor containing the jQAssistant setup.
The directory where jQAssistant searches for project specific rules (.adoc or .xml files)

For executing jQAssistant during the build the jQAssistant Maven plugin must be configured in the file pom.xml:

/pom.xml

<project>
...
  <build>
    <plugins>
      <plugin>
        <groupId>com.buschmais.jqassistant</groupId>
        <artifactId>jqassistant-maven-plugin</artifactId>
        <version>${jqassistant-maven-plugin.version}</version>
        <executions>
          <execution>
            <goals>
              <goal>scan</goal>
              <goal>analyze</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <warnOnSeverity>MINOR</warnOnSeverity>
          <failOnSeverity>CRITICAL</failOnSeverity>
        </configuration>
      </plugin>
    </plugins>
  </build>
...
</project>

Project specific rules are loaded from the directory jqassistant.

The following example contains a group default which is automatically executed by jQAssistant. It includes the constraint model:JpaEntityLocation that is defined in the same document and verifies that all JPA entities are located in packages called model. Therefore the constraint relies on a pre-defined concept jpa2:Entity which adds a label Entity to all classes that are annotated with javax.persistence.Entity.

/jqassistant/index.adoc

:toc: left
= Project Rules

This document describes coding guide lines for the project.

[[default]]                                      (1)
[role=group,includesConstraints="model:JpaEntityLocation"]
== Continuous Integration Rules

The following rules are executed during a CI build:

* <<model:JpaEntityLocation>>

== JPA Model

[[model:JpaEntityLocation]]                      (2)
.All JPA entities must be located in a package with the name "model"
[source,cypher,role=concept,requiresConcepts="jpa2:Entity",primaryReportColumn="EntityInWrongPackage"]
----
MATCH
  (package:Package)-[:CONTAINS]->(entity:Entity:Class)
WHERE
  package.name <> "model"
RETURN
  package as Package, entity as EntityInWrongPackage
----

Defines the group default that includes the constraint
Defines the constraint model:JpaEntityLocation that relies on the concept jpa2:Entity

Note	The constraint defines a property called `primaryReportColumn`. It specifies the column of the result containing the elements (e.g. classes, packages) which shall be used to create issues in SonarQube. The property is optional, if omitted the first column is used by default (recommended).

Feedback & Issues

For any questions don’t hesitate to ask them on the jQAssistant Google Group or Stackoverflow.

Feature requests or bugs can be reported on the GitHub issue tracker.

From jQAssistant queries to SonarQube issues

In the following we’re describing some best practises of the usage of jQAssistant in combination with the SonarQube jQAssistant plugin.

The following example describes a method invocation from a class of the persistence layer to a class of the core layer.

MATCH
    (persistenceClass:Class:Persistence) -[:DECLARES]-> (persistenceMethod:Method)
        -[invocation:INVOKES]->
    (coreMethod:Method) <-[:DECLARES]- (coreClass:Class:Core)

We’re now comparing three different examples of possible return values and their jQA report results which are the base of processing new Sonar issues.

When you build you project with mvn clean verfiy jQA will execute all the rules you provided and generate the file jqassistant-report.xml. This report is evaluated by the Sonar jQAssistant plugin to generate Sonar issues. The plugin processes the report file. For each contained violation the value of the primary report column of the rule (i.e. or first if not specified) is used to generate an issue on the matching element (e.g. class, method, field, etc.) in SonarQube. The values of the other columns are used to provide additional information.

In the following you three example of possible primary return values are provided:

1.) RETURN persistenceClass.name

    <result>
        <columns count="3">
            <column primary="true">persistenceClass.name</column>
        </columns>
        <rows count="1">
            <row>
                <column name="persistenceClass.name">
                    <value>AnyPersistenceClass</value>
                </column>
            </row>
        </rows>
    </result>

2.) RETURN coreclass

<result>
    <columns count="1">
        <column primary="true">coreClass</column>
    </columns>
    <rows count="1">
        <row>
            <column name="coreClass">
                <element language="Java">Type</element>
                <source name="org/jqassistant/example/core/AnyCoreClass.class"></source>
                <value>org/jqassistant/example/core/InvokedCoreMethod</value>
            </column>
        </row>
    </rows>
</result>

3.) RETURN i

    <result>
        <columns count="1">
            <column primary="true">invocation</column>
        </columns>
        <rows count="1">
            <row>
              <column name="invocation">
                <element language="Java">MethodInvocation</element>
                <source name="/org/jqassistant/example/persistence/AnyPersistenceClass.class" line="64"></source>
                <value>org/jqassistant/example/persistence/AnyPersistenceClass#java.util.List coreMethodInvocation(java.lang.Long), line 64</value>
              </column>
            </row>
        </rows>
    </result>

It can bee seen third variant is the one providing most detailed information. In this case the return value is the whole relationship between the persistence and core class.

sonar-jqassistant-plugin's People

Contributors

Stargazers

Watchers

Forkers

uhnju r3labs-tech

sonar-jqassistant-plugin's Issues

Log4j remote code execution vulnerability (CVE-2021-44228)?

Is our Sonar plugin version affected by Log4j remote code execution vulnerability (CVE-2021-44228)?

Sonar v8.9.2
Plugin v.1.10.0

Kind regards,
Marlon

Possibility to create SonarQube Bugs instead of Code Smells

I am looking for a possibility to create SonarQube Bugs instead of Code Smells.

SonarQube has no possibility to fail a Quality-Gate by a single rule. Our architecture violations get lost between the other Code Smells and nobody cares.

The most flexible way would be to decide what type of Issue should be created per rule (or Severity?). An easier to achieve approach could be to create two new Rules with the type Bug in the SonarQube-Repo. Everybody could choose in SonarQube to use the Code Smell rule or the Bug rule.

daily build fails

badge on github README page is showing build failed

Suppress value of primaryColumn if input component could be matched

The rendered message can be simplified a bit by not including the value of the primary column if this already has been used successfully to identify the matching input component (source location). In this case SonarQube will attach the message directly to this component.

Low Performance after Version Update

We updated our SonarQube version from 8.4 to 9.9 and JQAssistant from 1.9 to 1.12. After that the time of our SonarQube analysis increased from 20 to 33 Minutes. After disabling the JQAssistant scanner in SonarQube time dropped to 10 Minute.

We have a multi-module build with 188 projects and one JQAssistant analysis for the complete reactor. After the update the size of the report file increases from 180 to 240 MB. The analysis time from the SonarQube Plugin increased from 4000ms to 8000ms for each module. The 8000ms for every 188 Projects leads to 25 minutes in total.

I tried to change the behavior of the plugin by only reading the report once and store in a static variable. That works fine for our build.
At the moment I don´t handle different configuration, like one report for each module.

Would it be possible to cache the Report?

Feature request: Filter Issues on Type

I am working in a big project (millions of lines of code) in the public sector. We are currently using JQA+SonarQube to check some architecture constraints and we plan to extend many rules. For the time of the transition to the new rules we will have a very high number of JQA constraint violations(=issues in SonarQube). To handle such a big number of issues we need a way to filter on the types.

But currently all JQA constraint violations are displayed under the same "SonarQube Rule": "jQAssistant Constraint Violation".
I could not find any way to filter on the different types of JQA constraint violations in SonarQube.

Example: It is not possible to filter on issues that are violating "constraint1":
<jqa:jqassistant-rules>
<constraint id="constraint1" severity="major"> ...</>
<constraint id="constraint2" severity="major"> ...</>
</jqa:jqassistant-rules>

Suggestion 1: I guess any SonarQubePlugin needs to provide the list of "Rules" it is working with at load time. But the sonar-jqassistant-plugin does know the names of constraint-violations only when parsing the jqassistant-report.xml.
I guess this is why every violation is considered belonging to the same Rule "jQAssistant Constraint Violation" (correct?).
You might provide a way to configure constraint violation names ("constraint1", "constraint2") in a configuration that is known at load time.
When parsing jqassistant-report.xml the violations can that be assigned to the corresponding rule.
(...or to the generic "jQAssistant Constraint Violation", if there is no matching Rule name. This way nobody needs to provide this configuration, the plugin would still work as before).
Suggestion 2: As a "workaround" it would also be possible to tag any issue with the name of the constraint violation while parsing jqassistant-report.xml. Than you can filter on the tag.

We are using:
SonarQube Version 7.9.2 (build 30863)
QJA 1.6.0
sonar-jqassistant-plugin 1.8.2

Please let us know what you think about the suggestions.
Please also let us know if you have any other idea or suggestion on how to filter on the type of violation.

Thanks a lot you for your help.
Best regards,
Florian Haesters

Execution of jQA sensor fails on Java 11

If the sensor is executed on Java 11 the following error is reported:

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default-cli) on project piggymetrics: Cannot create JAXB context for com.buschmais.jqassistant.core.report.schema.v1.JqassistantReport: Implementation of JAXB-API has not been found on module path or classpath. com.sun.xml.bind.v2.ContextFactory -> [Help 1]

Make "sonar-jqassistant-plugin" compatible with SonarQube 10.4 "DownloadOnlyWhenRequired" feature

Hello,

I'm Alex, Product Manager at Sonar.

SonarQube 10.4 will come with a feature to only download Sonar analyzers and 3rd-party plugins when they are really required by the Scanner. To make this feature work, each analyzer or 3rd-party plugin should declare the list of languages on which they expect to raise issues through a new MANIFEST property called Plugin-RequiredForLanguages.

See https://community.sonarsource.com/t/the-sonarscanners-download-only-required-3rd-party-plugins/108156 for more details.

Regards

``sonar.jqassistant.reportPath`` for maven multi module configuration

Hi,

we got a maven multi-module project, were the jqa rules of module1 have nothing to do with the jqa rules of module2 nor those of the aggregator project.

the maven-jqassistant-plugin works, imho, as expected. it uses by default ${project.build.directory}/xxx which is module aware. for instance:

[INFO] --- jqassistant-maven-plugin:1.7.0:scan (scanAndAnalyse) @ module1 ---
[INFO] Loaded jQAssistant plugins [CDI, Common, Core Analysis, Core Report, EJB3, GraphML, JAX-RS, JPA 2, JSON, JUnit, Java, Java 8, Java EE 6, Maven 2 Repository, Maven 3, OSGi, RDBMS, Spring, TestNG, Tycho, XML, YAML].
[INFO] Connecting to store at 'file:/K:/repos/git/test/target/jqassistant/store/'
[INFO] Initializing embedded Neo4j server 3.x
[INFO] Resetting store.
[INFO] Reset finished (removed 0 nodes, 0 relations).
[INFO] Entering K:/repos/git/test/module1/target/classes
[INFO] Leaving K:/repos/git/test/module1/target/classes (382 entries, 1351 ms)
[INFO] Entering K:/repos/git/test/module1/target/test-classes
[INFO] Leaving K:/repos/git/test/module1/target/test-classes (230 entries, 590 ms)
[INFO] Entering K:/repos/git/test/module1/target/surefire-reports
[INFO] Leaving K:/repos/git/test/module1/target/surefire-reports (104 entries, 548 ms)

but sonar-jqassistant-plugin uses a hardcoded path(target/jqassistant/jqassistant-report.xml) in the property sonar.jqassistant.reportPath, and reads for every module the same report from the aggregator project:

[INFO] ------------- Run sensors on module Test Module1 develop
...
[INFO] Sensor JQA [jqassistant]
[INFO] Using project path 'K:\repos\git\test'.
[INFO] Found jQAssistant report at 'K:\repos\git\test\target\jqassistant\jqassistant-report.xml'.
...
[INFO] ------------- Run sensors on module Test Parent develop
[INFO] Sensor JQA [jqassistant]
[INFO] Using project path 'K:\repos\git\test'.
[INFO] Found jQAssistant report at 'K:\repos\git\test\target\jqassistant\jqassistant-report.xml'.
[INFO] Sensor JQA [jqassistant] (done) | time=7ms
...

if i set the property sonar.jqassistant.reportPath to use module aware paths, like ${project.build.directory}/jqassistant/jqassistant-report.xml, in the sonar server configuration page, then the Maven variable does not get evaluated:

[INFO] No report found at 'K:\repos\git\test\${project.build.directory}\jqassistant\jqassistant-report.xml', skipping.

if i set the property sonar.jqassistant.reportPath to use module aware paths, like ${project.build.directory}/jqassistant/jqassistant-report.xml, now in the pom.xml-files then i guess it will work in linux, but in Windows the path it wrongly recognized as a relative path, and everything gets messed up:

[INFO] ------------- Run sensors on module AuV develop
[INFO] Sensor JQA [jqassistant]
[INFO] Using project path 'K:\repos\git\test'.
[INFO] No report found at 'K:\repos\git\test\K:\repos\git\test\target\jqassistant\jqassistant-report.xml', skipping.

any help greatly appreciated.

Michael

Support for LTS 7.9

The Plugin is not compatible with the new LTS version of SonarQube anymore. Is support planed?

Release Plugin

The ops team in our company is not willing to deploy sonar plugins without releases. It would be great if there exists a release which can be installed by the sonar plugin manager. A release JAR which could be downloaded at github would be accepted by the ops team as well.

Improved support for Maven multi module projects

Currently the linking of issues to source code elements (e.g. classes) is not or only working in a limited way for Maven multi module projects.
The reason behind this is that jQA creates a global XML report of the analysis in the root module of a project. The SonarQube plugin evaluates the report in the context of this module but does not have access to the sources in sub-modules.

Reduce size of JAR file

The current plugin is about more than 40MB as it contains Asciidoctor, JRuby, etc. coming from jQA core. These libs are actually not needed and should be excluded.

jQAssistant Rules Repository not visible

Hi,

here a possible very minor bug.

i got sonar8 and the jQAssistant-Plugin installed.

On the marketplace i see the plugin is installed.

i also see the configuration options for the jQAssistant-Plugin

but the in rule search page, i do not see the jQAssistant Repository.

only if i search for jQAssistant the rules and repository appear.

so, everything seems to work, just the rule repository is somehow hidden by default.

regards,
Michael