Sonar Lint not in sync with my server rules


oher...@nearsoft.com

Apr 22, 2016, 6:03:34 PM
to SonarLint
I am using Sonar Lint 2.0. It's connected to my own Sonar Qube server with no issues reported by the plugin.

The issue is that it is not in sync with my server rules. I found those mentioned in the doc for Java, but they also seemed not to be all. I wonder if this Java rule list is used only when it's not connected to any server.

Does it have a restriction on what rules to use or synchronize when using a remote server?

Is this issue related in any case? https://jira.sonarsource.com/browse/SLI-57


I am running:
Intellij 15.0.2 build #IU-143.1184
JRE 1.8.0_40-release-b105 x86_64
JVM: OpenJDK 64-Bit Server VM by JetBrains s.r.o 
SonarLint 2.0

Thanks

duarte.meneses

Apr 25, 2016, 3:29:13 AM
to SonarLint, oher...@nearsoft.com
Hi,

The rules shown in the website are the ones used by default, in the standalone mode.
When using the connected mode, it will use the rules of the SonarQube project. These will depend on the quality profile that is configured for that project and also on the versions of the analyzer plugins (Java, Javascript, ..) that are installed in the SonarQube server.
All rules should be used and synchronized, except custom rules.

To troubleshoot the problem, please go to the SonarLint Tool Window, and to the logs tab. There, you can activate the debug and/or analysis logs, as shown in the FAQ. It will display information about analyses that are triggered and which binding is activated.
If you have issues appearing, could you please post this log with both analysis/debug activated?

oher...@nearsoft.com

Apr 25, 2016, 12:05:09 PM
to SonarLint, oher...@nearsoft.com
Thanks for the suggestion. It really helped me to understand more about how the plugin is working. I don't have errors reported in the logs, but the info thrown there was helpful.

I found that Sonar Qube is trying to replace PMD and checkstyle rules with native rules (SSLR): http://www.sonarqube.org/already-158-checkstyle-and-pmd-rules-deprecated-by-sonarqube-java-rules/

We were using a profile in our SQ server with those SSLR rules not active, but using the pmd/checkstyle plugins with deprecated active rules. Notice that SonarLint is saying in the logs:
Plugin pmd is not in the SonarLint whitelist. Skip it.
Plugin scmgit is not in the SonarLint whitelist. Skip it.
Plugin clover is not in the SonarLint whitelist. Skip it.
Plugin Sonargraph is not in the SonarLint whitelist. Skip it.
Plugin checkstyle is not in the SonarLint whitelist. Skip it.

After activating the SSLR rules and deactivating the pmd rules, for example, the plugin started to report the same issues as the server.

So I am wondering if we should rely more on SSLR instead of pmd/checkstyle/etc. rules from now on.
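
Added example, not part of the original posts and not SonarLint or SonarQube code: it reads the "Skip it" lines in the format quoted above and splits a profile's active rule keys into those whose plugin was skipped (server-only issues) and the rest. The sample log, the rule keys, the findbugs line and the repository-to-plugin map are constructed assumptions.

```python
import re

# Line format copied from the log excerpt quoted in the post above.
SKIP_LINE = re.compile(
    r"^Plugin (\S+) is not in the SonarLint whitelist\. Skip it\.[ \t\r]*$",
    re.MULTILINE,
)

# Constructed sample log; the findbugs line is an assumed key in the same format.
SAMPLE_LOG = """\
Plugin pmd is not in the SonarLint whitelist. Skip it.
Plugin scmgit is not in the SonarLint whitelist. Skip it.
Plugin checkstyle is not in the SonarLint whitelist. Skip it.
Plugin findbugs is not in the SonarLint whitelist. Skip it.
"""

# Constructed sample of a profile's active rule keys ("repository:rule").
SAMPLE_ACTIVE_RULES = [
    "squid:S2259",
    "squid:S1166",
    "pmd:EmptyCatchBlock",
    "checkstyle:EmptyStatementCheck",
    "findsecbugs:EXAMPLE_RULE",
    "no-repository-prefix",
]

# Assumption: a repository key equals its plugin key unless listed here.
SAMPLE_REPO_TO_PLUGIN = {"findsecbugs": "findbugs", "fb-contrib": "findbugs"}


def skipped_plugins(log_text):
    """Return the set of plugin keys the log reports as skipped."""
    return set(SKIP_LINE.findall(log_text))


def partition_rules(rule_keys, skipped, repo_to_plugin=None):
    """Split rule keys by whether their plugin was reported as skipped."""
    repo_to_plugin = repo_to_plugin or {}
    result = {"kept": [], "server_only": {}, "malformed": []}
    for key in rule_keys:
        repo, sep, rule = key.partition(":")
        if not (sep and repo and rule):
            result["malformed"].append(key)  # cannot be attributed to a plugin
            continue
        plugin = repo_to_plugin.get(repo, repo)
        if plugin in skipped:
            result["server_only"].setdefault(plugin, []).append(key)
        else:
            result["kept"].append(key)
    return result


if __name__ == "__main__":
    report = partition_rules(
        SAMPLE_ACTIVE_RULES, skipped_plugins(SAMPLE_LOG), SAMPLE_REPO_TO_PLUGIN
    )
    print("plugin not skipped:", report["kept"])
    for plugin, keys in sorted(report["server_only"].items()):
        print(f"server-only (plugin {plugin} skipped):", keys)
    print("malformed keys:", report["malformed"])
```
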

Julien HENRY

Apr 26, 2016, 4:15:55 AM
to SonarLint, oher...@nearsoft.com
Hi,

We won't support external tools like PMD/Checkstyle in SonarLint. See http://www.sonarlint.org/eclipse/index.html#connect_supported_plugins.

++

Julien

alpe...@gmail.com

Dec 1, 2016, 8:23:33 AM
to SonarLint, oher...@nearsoft.com
Hi,

I am facing the same issue: the issues reported in Eclipse by SonarLint are different from those reported on the server. We are using server version 5.6 and SonarLint version 2.3.1.

I have no pmd or checkstyle plugin, only the findbugs plugin there.
sonar-java-plugin-4.0.jar
sonar-findbugs-plugin-3.4.3.jar

I have prepared a profile which has a combination of the rules in all the provided profiles below.

FindBugs Java
FindBugs + FB-Contrib Java
FindBugs Security Audit Java
FindBugs Security Minimal Java
Sonar way Java
Sonar way with Findbugs Java

Could you guide me on what the issue could be? Are findbugs rules also not supported?

Alpesh

janos....@sonarsource.com

Dec 1, 2016, 8:40:54 AM
to SonarLint, oher...@nearsoft.com, alpe...@gmail.com
Hi Alpesh,

The same link by Julien Henry applies here too: http://www.sonarlint.org/eclipse/index.html#connect_supported_plugins
We won't support external tools in SonarLint, including Findbugs.

As for the different issues on the server and in SonarLint, it seems that you are not bound to the correct project, or not bound at all (standalone mode).
Check your bindings in SonarLint, make sure that you are bound to the correct project.

Cheers,
Janos

alpe...@gmail.com

Dec 1, 2016, 8:55:43 AM
to SonarLint, oher...@nearsoft.com, alpe...@gmail.com
Thanks for the quick reply.

I am bound to the correct project, and that I confirm. But I guess the issue is because on the server I have Sonar issues coming from rules from many other repositories, and in SonarLint you support rules only from the squid repository. Am I right? I see the repository with the name SonarQube has 373 rules, and many of them are not found in the profiles I mentioned below.

Alpesh

janos....@sonarsource.com

Dec 1, 2016, 9:21:06 AM
to SonarLint, oher...@nearsoft.com, alpe...@gmail.com
That is correct. SonarLint should display the same SonarQube issues that you see on the server for the given project and quality profile, excluding 3rd party rules, that won't be visible in SonarLint.

Janos

alpe...@gmail.com

Dec 2, 2016, 12:14:55 AM
to SonarLint, oher...@nearsoft.com, alpe...@gmail.com
It is OK that SonarLint works on its own rule engine and shows issues based on that, but if it just displays its own rules, it makes use of the plugin worthless, because the developer is always confused that on the server there are many rules and on the local machine totally different rules. This means the developer can't confirm that the last check-in has fixed some issues, as he is not able to validate locally.

I understand that SonarLint can't run other third-party parsers like PMD or Findbugs, but at least it should show issues which are already shown on the server. Without the third-party analyzer it will not raise new issues for those third-party rules. But that is OK. This way I can already go to my code where issues were raised, though the analysis can't confirm whether it is resolved or not. What is your opinion on that?


Regards,
Alpesh

Julien HENRY

Dec 2, 2016, 2:42:16 AM
to alpe...@gmail.com, SonarLint, oher...@nearsoft.com
Hi,

2016-12-02 6:14 GMT+01:00 <alpe...@gmail.com>:
What is your opinion on that ?

Our opinion is that our Java analyzer can be used as a replacement for nearly all PMD/Findbugs/Checkstyle rules. If you see some rules that you consider useful and we still do not support, please report here. If for some reason you prefer to continue using Findbugs/PMD/Checkstyle then each of them already have a plugin for Eclipse and IntelliJ. Our goal is not to compete with them.

++

Julien

alpe...@gmail.com

Dec 2, 2016, 4:34:39 AM
to SonarLint, alpe...@gmail.com, oher...@nearsoft.com
ok, Thanks a lot for support.

regards,
Alpesh

alpe...@gmail.com

Dec 6, 2016, 2:10:49 AM
to SonarLint, alpe...@gmail.com, oher...@nearsoft.com
Hello Julien,

I have now created a profile using just the Squid rules provided by default with the Sonar analyzer, and I have 368 rules with my Sonar 5.6 setup. The problem now seems to be resolved (sync between SonarLint and Sonar server issues), but it takes effort. When I bind my project and see the issues list, I don't find issues reported for all classes in my project. Then I checked on the server the name of a Java file for which issues were reported on the server but not in my Eclipse. I opened that Java file in Eclipse. SonarLint did something and I could see the same issue for that Java file which was seen on the Sonar server. Also, now when I select the project, those issues are reflected.

So I see that the issues shown at project level are only for those Java files which I opened in my Eclipse. To confirm this, I closed all files and unbound the project. I also deleted the module from the .sonarlint/storage/.../module/ folder. I restarted Eclipse and bound the project again. Now I don't see any issue on project selection. When I open any one file, the issues in that file are shown on the file, and the same issues on any other parent folder selection. Note that if I close the file again and restart Eclipse, all that data is lost again and I need to open that file again to see the issues on the file.

Is this expected behavior? As a manager I wish to see all issues in my project without opening every file. I see that in that case my only option is to go to the Sonar server. Please suggest the correct approach.

PS: I thought to run the analysis manually and turn the checkbox "run Sonarlint automatically" off. But neither is an option to run it manually available, nor are automatic updates coming for all files in the project.

Regards,
Alpesh

Julien HENRY

Dec 6, 2016, 2:53:47 AM
to Alpesh Shah, SonarLint, Oswaldo Herrera
Hi Alpesh,

2016-12-06 8:10 GMT+01:00 <alpe...@gmail.com>:
Is this expected behavior ?  
yes 

As a manager I wish to see all issues in my project without opening every file.
SonarLint is a tool intended for developers, not for managers. 

I see, in that case I have only option to go to sonar server.
For a manager, is it not simpler to open a web page than using an IDE?
 
 Please suggest correct approach. 
Today, our vision is simple and clear:
  - SonarLint is a tool to help developers to not introduce new issues (water leak metaphor), as well as to fix "random" issues using the boy scout approach (ie fixing issues located near the code you just edited)
  - SonarQube is the management tool: track the issues on all your project(s), assign them, comment, ...

We have some plans to progressively add more feature to SonarLint that would extend this initial mission. For example next releases will start having a "batch" analysis of all changed files (based on SCM). The purpose is still to help the developer (pre-commit analysis). Analyzing the full project may arrive later, but still we need to be convinced by the value for the developer.

HTH

Julien

alpe...@gmail.com

Dec 6, 2016, 4:21:16 AM
to SonarLint, alpe...@gmail.com, oher...@nearsoft.com
Hello Julien,

Though my intention was actually to refer to a Team Lead who codes and also wishes to track overall module issues from Eclipse, your answer is very clear to me. Thanks for that. And thumbs up for the future plan. I wish to see the assignee of an issue in SonarLint some day, which will help the developer to know if the manager/TL has assigned an issue to him (for those lazy people who don't care about the boy scout approach :) ).

Regards,
Alpesh

alpe...@gmail.com

Dec 13, 2016, 8:54:44 AM
to SonarLint, alpe...@gmail.com
Hello Julien,

Our opinion is that our Java analyzer can be used as a replacement for nearly all PMD/Findbugs/Checkstyle rules. If you see some rules that you consider useful and we still do not support, please report here. If for some reason you prefer to continue using Findbugs/PMD/Checkstyle then each of them already have a plugin for Eclipse and IntelliJ. Our goal is not to compete with them.


I have checked the CERT rules and I see that out of 268 Java rules/recommendations by CERT only 70 are implemented in Squid. I am sure your team would have checked whether the other missing rules are already part of some other rule or irrelevant. However, I did some analysis and here is the compilation (just sending it to you).

The rules highlighted with color (70) are the ones provided by the Sonar Squid repository. Dark green are those rules (42) which are mentioned here as match between Sonar rule and related, and it seems not all rules provided by Sonar are mentioned on that link. Not sure who can update that page.

I hope this will help in the development of new rules in the future, based on the missing rules.

PS: I realized there is no option for an attachment. How should I mail it to you?

Regards,
Alpesh


missing sonar rule that should be added in future release

jeanchrist...@sonarsource.com

Dec 21, 2016, 9:58:55 AM
to SonarLint, alpe...@gmail.com
Hello,

We're constantly adding support for new rules, however I'm sure you realise that each rule addition takes time and effort, so it's a matter of priorities.
That being said I'd be more than happy to look at your list as I'm sure it would be of great help to us in setting priorities for rules to support next.

Best regards,
--
Jean-Christophe Collet

alpe...@gmail.com

Dec 28, 2016, 1:05:59 AM
to SonarLint, alpe...@gmail.com, jeanchrist...@sonarsource.com
Hello Jean-Christophe,

I have sent you the file in a separate mail. I hope you have received it and seen it.

Regards,
Alpesh

Jean-Christophe Collet

Jan 3, 2017, 8:18:18 AM
to alpe...@gmail.com, SonarLint
Got it, thanks.
--
Jean-Christophe Collet | SonarSource
Product Manager
http://sonarsource.com

sraul....@gmail.com

Feb 24, 2017, 10:36:02 AM
to SonarLint, alpe...@gmail.com, jeanchrist...@sonarsource.com

Hello everyone.

I found this topic so I decided to post my problem here because it's a similar situation.
I'm using SonarLint 2.6.0, SonarQube Server 5.6.5 and Eclipse IDE 4.6.2. All my projects are in "connected mode" and correctly bound to the Server projects. I have disabled the "Run automatically" option for performance reasons.

I found several problems when using SonarLint, which I describe below:

1. When I run SonarLint, some of the issues reported in the Server don't appear in SonarLint.
From what I read on this thread, it was supposed that all issues from Sonar Analyzer would also be present in SonarLint.

For instance, I have an issue from rule squid:2259 reported on the server, but not in SonarLint.
I suppose SonarLint downloads the java plugin from server so there should not be any mismatch due to different plugin versions, am I right?

2. I also found some issues where they are both present in Server and in SonarLint, but with different severity, because I changed the default severity on the server. Shouldn't the severity also be the same?

For these two problems I described above, I don't know if there might be something wrongly configured in my IDE.
When I look to the SonarLint console, I find this:
Analyzing 1 changed file(s) in 1 project(s)
Trigger: CHANGESET
SonarLint analysis of project com.mycompany.myproject.core (2 files)...
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Binary directory was not added because it was not found. Maybe should you enable auto build of your project.
Connected mode (using configuration of 'abc:com.mycompany.myproject.core' in server 'sonar-main')
Starting analysis with configuration:
[
  moduleKey: abc:com.mycompany.myproject.core
  baseDir: C:\work\eclipse\main\git\main\src\plugins\com.mycompany.myproject.core
  workDir: C:\work\eclipse\main\ws\.metadata\.plugins\org.eclipse.core.resources\.projects\com.mycompany.myproject.core\org.sonarlint.eclipse.core
  extraProperties: {sonar.java.source=1.8, sonar.java.target=1.8, ... , sonar.java.binaries=C:/work/eclipse/main/git/main/src/plugins/com.mycompany.myproject.core/bin, ...
  inputFiles: [
    C:\work\eclipse\main\git\main\src\plugins\com.mycompany.myproject.core\src\com\mycompany\myproject\core\EntityDeleteCommand.java
  ]
]

Found 113 issue(s)
fetchServerIssues moduleKey=abc:com.mycompany.myproject.core, filepath=src/com/mycompany/myproject/core/EntityDeleteCommand.java
Done in 4760 ms


I don't know if the error of missing binary directory can be the root cause for this.
I also don't understand the reason for this, because everything looks correctly configured, the binary directory is actually there in the log.


I have a proposal for two feature/enhancements, I'm not sure if this is the correct place to do it:

3. Allow the Developer to identify the new issues compared to what is already in the Server; either by toggling between all issues / new issues, or to allow to configure different severity, for instance, I would mark new issues as error/warning, and existing issues as info.
This was possible with the old SonarQube Eclipse plugin, and when switching to the SonarLint plugin, I feel that I lose functionality.

4. Ideally, it would also help to see/filter the assignee because although I agree with "boy scout" approach, sometimes there are too many issues and the Developer wants to focus on the ones that are assigned to him.


best regards,
Silvestre

sraul....@gmail.com

Feb 24, 2017, 10:40:55 AM
to SonarLint, alpe...@gmail.com, jeanchrist...@sonarsource.com, sraul....@gmail.com
I'm posting a new message just to change the subject, because I didn't notice the last message's subject was not the same as the original title...

sju...@gmail.com

Mar 1, 2017, 3:49:06 AM
to SonarLint, alpe...@gmail.com, jeanchrist...@sonarsource.com
Hi, 
Are there any future plans to add support/implement rules from FindBugs Security Audit?

Thanks in advance,
With Regards

Stanislav.

sanja...@gmail.com

Jul 27, 2017, 2:47:15 PM
to SonarLint, alpe...@gmail.com, jeanchrist...@sonarsource.com, sraul....@gmail.com
I'm facing the same issue. I'm using SonarLint 3.2 on STS and Eclipse, which doesn't reflect server rules even after binding the local project to the server project. Please let me know if you could resolve this. Thanks!

Julien HENRY

Jul 28, 2017, 3:00:19 AM
to sanja...@gmail.com, SonarLint
Hi,

Please open a new thread instead of replying to an old one.

Julien Henry | SonarSource

Developer

http://sonarsource.com
