Bytecode on transitive dependencies using provided.
56 views
Skip to first unread message
Johan "Johnnei"
Jan 7, 2017, 8:56:19 AM1/7/17
to SonarQube
Hi,
Recently I've got a comment saying that our builds contain a lot of warnings about missing bytecode of dependencies. We're using the sonar maven scanner to invoke our analysis so I assumed that we had some illogical dependency scope override going on. Once I started looking into it I came to the conclusion that it's related to the usage of 'provided' dependencies.
So I've created a small reproducer to show what happens.
Repo: https://git.johnnei.org/Johnnei/sonarqube-bugs/tree/provided-dependency
Build log: https://git.johnnei.org/Johnnei/sonarqube-bugs/builds/2162
When looking at the classpaths provided to the analyser it is perfectly aligned with the rules of transitive dependencies of maven. However for the second module the analyser wants the bytecode of Field (Annotation on Entity#username) but alas: it's not a transitive dependency of the project and thus the bytecode is not provided.
How should I resolve these warnings or should this be considered a bug in the maven plugin?
Kind regards,
Johan.
Recently I've got a comment saying that our builds contain a lot of warnings about missing bytecode of dependencies. We're using the sonar maven scanner to invoke our analysis so I assumed that we had some illogical dependency scope override going on. Once I started looking into it I came to the conclusion that it's related to the usage of 'provided' dependencies.
So I've created a small reproducer to show what happens.
Repo: https://git.johnnei.org/Johnnei/sonarqube-bugs/tree/provided-dependency
Build log: https://git.johnnei.org/Johnnei/sonarqube-bugs/builds/2162
When looking at the classpaths provided to the analyser it is perfectly aligned with the rules of transitive dependencies of maven. However for the second module the analyser wants the bytecode of Field (Annotation on Entity#username) but alas: it's not a transitive dependency of the project and thus the bytecode is not provided.
How should I resolve these warnings or should this be considered a bug in the maven plugin?
Kind regards,
Johan.
Duarte Meneses
Jan 10, 2017, 11:58:39 AM1/10/17
to SonarQube
Hi Johan,
First of all, thanks for providing a reproducer, makes things much easier.
I had a look and indeed as expected, maven compiles "consumer" without providing the transitive dependency. In this specific case, the transitive dependency is not needed to compile "consumer".
The Java analyzer is a bit too verbose in this case, logging a warning while it recursively resolved symbols about the fact that it can't resolve the annotation "Field", when in fact "Field" is not needed for the compilation.
The guys working on SonarJava will look into it to see how they can improve logging for these kind of cases.
First of all, thanks for providing a reproducer, makes things much easier.
I had a look and indeed as expected, maven compiles "consumer" without providing the transitive dependency. In this specific case, the transitive dependency is not needed to compile "consumer".
The Java analyzer is a bit too verbose in this case, logging a warning while it recursively resolved symbols about the fact that it can't resolve the annotation "Field", when in fact "Field" is not needed for the compilation.
The guys working on SonarJava will look into it to see how they can improve logging for these kind of cases.
Nicolas Peru
Jan 11, 2017, 5:24:05 AM1/11/17
to Duarte Meneses, SonarQube
Hi Johan,
Thanks for reporting this issue and thanks Duarte for the investigation on Maven behavior.
SonarJava is a bit verbose on the classes it may not found. But in this case this is rather harmless.
I tend to think that we could try to limit the noise by not raising class not found on annotation on symbols read from bytecode. Not sure how and when this would be implemented though.
Ticket created for this : https://jira.sonarsource.com/browse/SONARJAVA-2042
Cheers,
--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/a5a4ac13-68b8-44bf-a8c9-2c7622e0bfcc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Johan "Johnnei"
Jan 11, 2017, 1:04:21 PM1/11/17
to SonarQube, duarte....@sonarsource.com
Hi,
Thanks for the conclusions.
It's good to hear that this isn't likely to harm the analysis results for this case.
Kind regards,
Johan.
Thanks for the conclusions.
It's good to hear that this isn't likely to harm the analysis results for this case.
Kind regards,
Johan.
Reply all
Reply to author
Forward
0 new messages