Different results from sonar-scanner and sonarlint


niraj kumar

Jun 1, 2016, 1:54:23 PM
to SonarLint
Hello,


I am trying sonarlint to figure out the issues before committing the code. The results output via sonarlint and sonar-scanner are way different and I do not understand this behavior. Is it something that I am doing wrong, or is this result expected?


INFO: 45/45 source files have been analyzed
INFO: Java Test Files AST scan done: 1 ms
INFO:

-------------  SonarLint Report  -------------

          302 issues (45 files analyzed)

          1 blocker
          16 critical
          75 major
          210 minor

-------------------------------------------


This is what I see when I use sonarlint to scan it.

But when I use sonar-scanner I get the following in the SonarQube UI.



Technical Debt: 45min

Issues

Blocker: 0
Critical: 0
Major: 6
Minor: 3
Info: 0


Really this much of a difference?
Can someone please help?


--
Niraj

Julien HENRY

Jun 2, 2016, 3:02:03 AM
to niraj kumar, SonarLint
Hi,

A few things to check:
  - SonarLint will scan all the files recursively from your current directory. With sonar-scanner you usually pass -Dsonar.sources=<a source folder> so only files in this folder are scanned. Please be sure you are analyzing the same set of files.
  - SonarLint contains Java + JavaScript + PHP analyzers while SonarQube contains only Java + JavaScript out of the box. If you are analyzing a PHP project you have to install the PHP plugin in SonarQube.

If it doesn't help, please give me an example of an issue that is raised by SonarLint and not by SonarQube (for example the critical issue). It may help to understand the difference.

++

Julien

--
You received this message because you are subscribed to the Google Groups "SonarLint" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarlint+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarlint/c409dfb6-c304-4d84-a85f-484416349b6f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

niraj kumar

Jun 6, 2016, 7:08:52 PM
to SonarLint, nira...@gmail.com
Hi,

I am in my current directory while running both of these. 

The difference I see between the two reports is the rules being applied. The one with sonarlint has the below rules vs the one with sonar mvn scanner.

SonarLint Rules:

Issues per Rule | Issues
Resources should be closed | 1
Generic exceptions should never be thrown | 15
Instance methods should not write to "static" fields | 1
Sections of code should not be "commented out" | 2
Local variables should not shadow class fields | 2
Standard outputs should not be used directly to log anything | 2
Strings literals should be placed on the left side when checking for equality | 8
Collection.isEmpty() should be used to test for emptiness | 4
Public methods should throw at most one checked exception | 2
Exception handlers should preserve the original exceptions | 5
Methods should not be empty | 1
Declarations should use Java collection interfaces such as "List" rather than specific implementation classes such as "LinkedList" | 2
Unused local variables should be removed | 3
Lamdbas containing only one statement should not nest this statement in a block | 5
@FunctionalInterface annotation should be used to flag Single Abstract Method interfaces | 3
Strings should not be concatenated using '+' in a loop | 2
Dead stores should be removed | 17
The diamond operator ("<>") should be used | 13
Nested "enum"s should not be declared static | 4
Empty statements should be removed | 3
Modifiers should be declared in the correct order | 1
Throws declarations should not be superfluous | 1
Method names should comply with a naming convention | 6
Local variable and method parameter names should comply with a naming convention | 5
String literals should not be duplicated | 33
Array designators "[]" should be on the type, not the variable | 2
Local Variables should not be declared and then immediately returned or thrown | 3
Redundant casts should not be used | 1
String function use should be optimized for single characters | 4
Public types, methods and fields (API) should be documented with Javadoc | 147
Useless imports should be removed


Sonar-Scanner:


Sections of code should not be "commented out" | 002
Collection.isEmpty() should be used to test for emptiness | 001
Exception handlers should preserve the original exceptions | 001
Declarations should use Java collection interfaces such as "List" rather than specific implementation classes such as "LinkedList" | 002
Comments should not be located at the end of lines of code

Julien HENRY

Jun 7, 2016, 12:22:30 PM
to SonarLint, nira...@gmail.com
Hi,

Again, please verify that you are analyzing the same set of sources. According to your logs SonarLint analyzes 45 files. Is it the same with SonarQube Scanner?

To help understand your issue, could you please run the two command lines in verbose mode (-X) so that we know exactly what happens?

++

Julien

niraj kumar

Jun 7, 2016, 7:55:51 PM
to SonarLint, nira...@gmail.com
Below is the output:

sonar-scanner

[INFO] [16:49:44.404] 45 files indexed
[INFO] [16:49:44.779] Quality profile for java: Sonar way
[INFO] [16:49:44.841] JaCoCoSensor: JaCoCo report not found : /home/cdadmin/raw_data/target/jacoco.exec
[INFO] [16:49:44.841] JaCoCoItSensor: JaCoCo IT report not found: /home/cdadmin/raw_data/target/jacoco-it.exec
[INFO] [16:49:44.850] JIRA issues sensor will not run as some parameters are missing.

sonarlint:

sonarlint
INFO: Java 1.8.0_91 Oracle Corporation (64-bit)
INFO: Linux 3.13.0-32-generic amd64
INFO: Index files
INFO: 46 files indexed
INFO: Configured Java source version (sonar.java.source): none
INFO: JavaClasspath initialization...
INFO: Bytecode of dependencies was not provided for analysis of source files, you might end up with less precise results. Bytecode can be provided using sonar.java.libraries property
INFO: JavaClasspath initialization done: 0 ms
INFO: JavaTestClasspath initialization...
INFO: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property
INFO: JavaTestClasspath initialization done: 0 ms
INFO: Java Main Files AST scan...
INFO: 45 source files to be analyzed
INFO: Java Main Files AST scan done: 4440 ms
INFO: 45/45 source files have been analyzed
INFO: Java bytecode has not been made available to the analyzer. The org.sonar.java.bytecode.visitor.DependenciesVisitor@7c644bd5, org.sonar.java.checks.unused.UnusedPrivateMethodCheck@9b21bd3 are disabled

markus...@gmail.com

Jul 25, 2016, 5:32:19 AM
to SonarLint
We currently have the same situation: the analysis results of SonarQube and SonarLint are different (SonarLint is a subset of SonarQube). What information does the project need in order to analyse that? I would provide a (possibly anonymized) log of it.

I need the following information:

* Where do I find a complete log of SonarLint? The version 2.2 we have installed works (only) incrementally, and I don't want to visit all files. Is there a way to provoke a full build with SonarLint?
* Where do I find the information mentioned in the FAQ: "SonarLint supports only the SonarSource Analyzers. We plan to quickly add support for custom rules extending the Java, JavaScript and PHP Analyzers." Where do I find the information in SonarQube about which Analyzers are SonarQube ones, and which ones are others?

We have done an analysis in our local installation (some weeks old). At that time, we had 82 issues; 50 were found by SonarLint and 32 were not found.

In a quick interactive comparison of the results found by SonarLint and SonarQube (both in IntelliJ), I see:

* Issues marked with "squid:<ID>" are found both by SonarQube and SonarLint
* Issues marked with "checkstyle:<ID>" are only found by SonarQube
* Same for "pmd:<ID>", "fb-contrib:<ID>"

So is that the difference between SonarQube and SonarLint? Do we have to wait until all Checkstyle, PMD and Findbugs rules are implemented by the SonarQube Analyzers?

We like SonarLint a lot, and would like to configure it in a way that it shows all findings of SonarQube.

Bye
        Markus

duarte.meneses

Jul 25, 2016, 7:40:56 AM
to SonarLint, markus...@gmail.com
Currently, it's not possible to analyze all the files. The main goal of SonarLint is to analyze the files you are working on. We might introduce that feature later (still being discussed internally).
You can find SonarSource's analyzers here: http://docs.sonarqube.org/display/PLUG/Plugin+Library. The ones that SonarLint supports have the SonarLint logo in front.

The difference in the number of issues is probably because you have third party plugins in SonarQube, like Checkstyle, PMD and Findbugs. SonarLint doesn't support them, so even though the rules are defined in the Quality Profile for the project, they won't run in SonarLint.
I suggest you use only SonarSource's analyzers, if you want to have the same results in SonarQube and SonarLint. The SonarSource Java analyzer has a good coverage of Findbugs / Checkstyle rules:

markus...@gmail.com

Jul 26, 2016, 6:20:24 PM
to SonarLint, markus...@gmail.com
Thanks a lot for the explanation, that makes it a lot clearer. For us, the rules of Checkstyle, ... are similar to the ones implemented by SonarQube, so we have to look them up. So we need the combination (at the moment) of SonarLint and SonarQube plugins in the IDE (IntelliJ IDEA here).

Bye

ajanoni

Feb 15, 2017, 1:38:08 PM
to SonarLint

Hi guys,

I am getting different results from sonarlint in Eclipse and sonarqube 6.2 for the same code, as you can see below. I am analyzing the rule S2236:

Duarte Meneses

Feb 16, 2017, 2:55:23 AM
to ajanoni, SonarLint
Hi,

Could you confirm that you are using the connected mode? Did you try to update the binding?
Also keep in mind that if the issue is marked as resolved in SonarQube (won't fix, False positive, ..), it won't appear in SonarLint.

--
Duarte MENESES | SonarSource
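
Added example, not part of the original thread and not SonarSource code: a way to reconcile the two issue counts using the explanations given above (rule-repository prefixes such as "squid:" versus "checkstyle:", "pmd:", "fb-contrib:", and issues resolved as won't fix / false positive). The export shape, the field names `rule` and `resolution`, the resolution spellings and all rule ids other than S2236 are assumptions or constructed placeholders.

```python
import json
from collections import Counter

# Rule repositories SonarLint can run. The thread only confirms "squid"
# (SonarSource Java analyzer); this set is an assumption to adjust locally.
SONARLINT_REPOS = frozenset({"squid"})
# Resolutions assumed to hide a server-side issue from SonarLint
# (won't fix / false positive, as mentioned in the thread).
HIDDEN_RESOLUTIONS = frozenset({"WONTFIX", "FALSE-POSITIVE"})

# Constructed sample in the shape of an issue export; every rule id except
# S2236 is a placeholder, not a real rule key.
SAMPLE_EXPORT = json.dumps({"issues": [
    {"rule": "squid:S2236", "resolution": None},
    {"rule": "squid:S2236", "resolution": "WONTFIX"},
    {"rule": "squid:S2236", "resolution": "FALSE-POSITIVE"},
    {"rule": "checkstyle:PLACEHOLDER_1", "resolution": None},
    {"rule": "checkstyle:PLACEHOLDER_1", "resolution": None},
    {"rule": "pmd:PLACEHOLDER_2", "resolution": None},
    {"rule": "fb-contrib:PLACEHOLDER_3", "resolution": None},
    {"rule": "no-repository-prefix", "resolution": None},
]})


def classify(issue, lint_repos=SONARLINT_REPOS):
    """Return the reason an issue will or will not show up in SonarLint."""
    repo, sep, rule_id = str(issue.get("rule", "")).partition(":")
    if not sep or not repo or not rule_id:
        return "unknown-rule-key"          # malformed key: report, never guess
    if repo not in lint_repos:
        return "third-party:" + repo       # analyzer SonarLint does not run
    if issue.get("resolution") in HIDDEN_RESOLUTIONS:
        return "resolved-in-sonarqube"     # hidden once resolved on the server
    return "expected-in-sonarlint"


def explain_gap(export_json, lint_repos=SONARLINT_REPOS):
    """Count issues per reason so the two totals can be reconciled."""
    issues = json.loads(export_json).get("issues", [])
    return dict(Counter(classify(i, lint_repos) for i in issues))


def server_only_rules(export_json, lint_repos=SONARLINT_REPOS):
    """Rule keys that are enforced on the server but never in the IDE."""
    issues = json.loads(export_json).get("issues", [])
    return sorted({i["rule"] for i in issues
                   if classify(i, lint_repos).startswith("third-party:")})


if __name__ == "__main__":
    for reason, count in sorted(explain_gap(SAMPLE_EXPORT).items()):
        print(f"{count:3d}  {reason}")
```

The `server_only_rules` list shows which checks are only enforced at the server-side analysis, so a clean SonarLint run in the IDE says nothing about them.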