Question about some Findbugs rules not provided by SonarQube Java plugin


Michel Pawlak

Sep 30, 2015, 5:37:23 AM
to SonarQube
Hi,

My profile still uses a few Findbugs rules that are not provided by sonar-java. I wanted to know if you plan to rewrite them or not (and if "not" then "why", as the answer may be good enough to simply remove these rules from the profile and get rid of Findbugs, which will decrease analysis time.) None of these rules are marked as deprecated (so I don't know if they have been replaced.)

I prefer putting everything in a single thread in order to have a global picture.

Here are the rules:
  • findbugs:BC_IMPOSSIBLE_CAST - blocker rule that looks interesting to me
  • findbugs:BC_IMPOSSIBLE_DOWNCAST - blocker rule, similar to the previous one
  • findbugs:BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY - blocker rule, similar to the previous one (note that by default the rule is blocker, but as it raises false positives critical may be a better priority)
  • findbugs:XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER - critical rule, not perfect as false negatives are possible, but "some check" is better than "no check"
  • findbugs:XSS_REQUEST_PARAMETER_TO_JSP_WRITER - critical rule, same as above "some check" is better than "no check"
  • findbugs:XSS_REQUEST_PARAMETER_TO_SEND_ERROR - critical rule, same as above "some check" is better than "no check"
  • findbugs:HRS_REQUEST_PARAMETER_TO_HTTP_HEADER - major rule, same as above "some check" is better than "no check"
  • findbugs:HRS_REQUEST_PARAMETER_TO_COOKIE - major rule, same as above "some check" is better than "no check"
  • findbugs:EQ_ALWAYS_FALSE - blocker rule, is it equivalent to squid:S2162 ?
  • findbugs:EQ_ALWAYS_TRUE - blocker rule, is it equivalent to squid:S2162 ?
  • findbugs:DM_NUMBER_CTOR - critical rule, I don't know what optimisations (what) compilers (in which version, for which JDK version) do, however the Javadoc for JDK 6, 7, 8 states that values in [-128,127] are cached and valueOf should be preferred
Thanks in advance for your answer / opinion !

Michel

Nicolas Peru

Sep 30, 2015, 5:45:43 AM
to Michel Pawlak, SonarQube
Hi Michel, 

I guess that the answer to your question is available here : http://dist.sonarsource.com/reports/coverage/findbugs.html 
This report provides the mapping between findbugs rules and sonarqube java rules. 

Note that this is still an ongoing effort so if things are listed as pending this means that we are still discussing where/how and if we should reimplement them. 

I guess that @Ann can provide more highlight on this. 

Cheers,


Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/33fcab57-a0ad-48e0-afad-71944659e635%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Michel Pawlak

Sep 30, 2015, 7:17:32 AM
to Nicolas Peru, SonarQube
Hi Nicolas,

This page indeed answers most of my questions. Thanks.

Do you have any ETA for finishing covering Findbugs (be it implement or reject remaining rules) ?

Cheers,

Michel

G. Ann Campbell

Sep 30, 2015, 7:52:30 AM
to SonarQube, nicola...@sonarsource.com
To expand on what @Nicolas said, I've actually worked through the entire FindBugs list in terms of either specifying or rejecting all the FB rules. So if it's listed on this report as "pending", that means it's just waiting to be implemented.


Click on the rule's References tab to see all its external mappings.


Ann




thomas....@gmail.com

Oct 2, 2015, 7:20:57 AM
to SonarQube, nicola...@sonarsource.com
I'm also missing the rule "FinalLocalVariable" of checkstyle (http://checkstyle.sourceforge.net/config_coding.html#FinalLocalVariable). I couldn't find it at all in the checkstyle list (http://dist.sonarsource.com/reports/coverage/checkstyle.html). Same for "FinalParameters".

G. Ann Campbell

Oct 2, 2015, 11:56:04 AM
to Thomas McWork, SonarQube, Nicolas Peru
In fact, we had trouble with the reports job last night. The copy of the Checkstyle report I'm currently looking at cuts off at half-done and does not include the pending or rejected sections.

FinalLocalVariable was previously rejected, but is missing from the copy of the report I'm looking at. However, your question prompted a discussion, so I've added an RSpec for it, which will move this one to the pending list: https://jira.sonarsource.com/browse/RSPEC-3353

FinalParameters was not on the list I was working from (i.e. the list of rules in the Checkstyle plugin) but I've added it and written an RSpec for it: https://jira.sonarsource.com/browse/RSPEC-3354


Ann

---
G. Ann CAMPBELL | SonarSource
Product Owner
