Findbugs Reports not imported to SonarQube


christi...@gmail.com

Aug 23, 2016, 11:39:11 AM
to SonarQube
Hi,

I'm running Findbugs analysis on my code with sonar runner from Jenkins.
The Findbugs analysis succeeds and creates the findbugs-result.xml report file. This file also holds several issues.

In SonarQube I have the Findbugs plugin enabled and a quality profile using all Findbugs rules.

When the analysis completes I don't see Findbugs issues in the SonarQube issues list.

What could be the reason for it?

Thanks
Christian

G. Ann Campbell

Aug 23, 2016, 11:56:53 AM
to SonarQube, christi...@gmail.com
Hi Christian,

Anything unusual in your analysis logs?


Ann

christi...@gmail.com

Aug 23, 2016, 2:17:19 PM
to SonarQube, christi...@gmail.com
What shall I look for?

My Jenkins job gives me these Findbugs messages:

11:16:53 INFO: Quality profile for java: FindBugs + FB-Contrib
...
...
11:17:43 INFO: Sensor FindBugs Sensor
11:17:45 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs\fb-contrib.jar
11:17:45 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs\findsecbugs-plugin.jar
11:17:45 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs-result.xml

I'm analyzing several subprojects within the workspace and always use /src as sources and /bin as binaries.

The reports are created in the workspace root SANITY\.sonar folder for every project as shown above.

The XML files really contain rule breaks like the following, so obviously the local analysis is working fine.

<BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" rank="8" abbrev="NP" category="CORRECTNESS" instanceHash="17391d5ddfbbc38e937142c33221a612" instanceOccurrenceNum="0" instanceOccurrenceMax="0" cweid="476">
...
...
</BugInstance>



When should the reports be transferred to the sonarqube server?

G. Ann Campbell

Aug 23, 2016, 6:07:04 PM
to christi...@gmail.com, SonarQube
No WARN or ERROR lines?


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner


christi...@gmail.com

Aug 24, 2016, 6:55:41 AM
to SonarQube, christi...@gmail.com
There are a couple of warnings like:

12:53:30 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs-result.xml
12:54:24 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.
12:54:24 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.
12:54:24 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.

No errors.

Could that prevent the whole report from importing?

G. Ann Campbell

Aug 24, 2016, 7:15:28 AM
to Christian Kerth, SonarQube
Hi Christian,

Let's back up to the basics. Your initial email said you have a profile with the FindBugs rules enabled. Can you verify that it's the one used for your project? You should be able to see that on the project front page.


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner


christi...@gmail.com

Aug 24, 2016, 8:50:51 AM
to SonarQube, christi...@gmail.com
Yes. I just have only one active quality profile and it's used in the analysis:

12:52:16 INFO: Quality profile for java: Sonar way

And I added all Findbugs rules to it as shown in the following screen


G. Ann Campbell

Aug 24, 2016, 9:29:12 AM
to SonarQube, christi...@gmail.com
Thanks Christian,

Now just to be sure, can you show me a screenshot of this part of your project front page?:



Ann

christi...@gmail.com

Aug 25, 2016, 3:48:03 AM
to SonarQube, christi...@gmail.com

G. Ann Campbell

Aug 25, 2016, 7:31:16 AM
to SonarQube, christi...@gmail.com
Thanks Christian,

Okay, to sum up: the FindBugs plugin is installed. Its rules are active in a profile. That profile is applied to your project. Analysis is successful with no relevant WARNings in the logs. And there are no issues on your project. 

It's interesting to me that your screenshot shows changes to your quality profile yesterday. It might be interesting to know what they are. Beyond that, I can only think to ask for the entire analysis log, not that I'm hopeful of seeing anything useful in it.


Ann


Nicolas Peru

Aug 26, 2016, 3:25:34 AM
to G. Ann Campbell, SonarQube, christi...@gmail.com
Hi Christian, 

Can you share the version of sonar java analyzer, findbugs plugin and sonarqube?
What might be happening here is that for some reason the .classes of your project are not provided to the java analyzer and the findbugs plugin, while correctly generating its report, can't map them back to the sources. (The findbugs plugin still depends on the java analyzer afaik.)

Cheers, 

--
Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com

christi...@gmail.com

Aug 29, 2016, 3:00:34 AM
to SonarQube, ann.ca...@sonarsource.com, christi...@gmail.com
I'm using:

SonarQube 5.6.1
Java Plugin 4.1 (update to 4.2 behaves the same way)
Findbugs 3.4.3

Nicolas Peru

Aug 31, 2016, 8:44:58 AM
to christi...@gmail.com, SonarQube, ann.ca...@sonarsource.com
Hi, 

How is your analysis configured? You say you are running with sonar-runner, so what are the values of the sonar.java.binaries and sonar.java.libraries properties? Would you be able to share your configuration of sonar runner?


christi...@gmail.com

Sep 2, 2016, 7:22:15 AM
to SonarQube, christi...@gmail.com, ann.ca...@sonarsource.com
I use an Execute SonarQube Scanner Jenkins task to run the analysis.
The following shows the project setup plus the configuration of one module (I use several modules, all configured pretty much the same way):


sonar.projectKey=WEB
sonar.projectName=WEB
sonar.projectVersion=1.0.0
sonar.java.source=1.6
sonar.java.libraries = <absolute paths to my lib jars>

sonar.modules=core-base-bl
core-base-bl.sonar.projectName=core-base-bl
core-base-bl.sonar.projectBaseDir=./source/src/base
core-base-bl.sonar.sources=core-base-bl/src
core-base-bl.sonar.java.binaries=core-base-l/bin

This is the relevant part from the log when I run it in Jenkins. The only thing I noticed is that it gives me some warnings regarding "could not be match to its original source file. It might be a dynamically generated class."

13:15:00 D:\build\jenkins\tools\hudson.plugins.sonar.SonarRunnerInstallation\SonarQube_Runner
13:15:00 INFO: Scanner configuration file: D:\build\jenkins\tools\hudson.plugins.sonar.SonarRunnerInstallation\SonarQube_Runner\conf\sonar-scanner.properties
13:15:00 INFO: Project root configuration file: NONE
13:15:00 INFO: SonarQube Scanner 2.6.1
13:15:00 INFO: Java 1.8.0_45 Oracle Corporation (64-bit)
13:15:00 INFO: Windows Server 2012 6.2 amd64
13:15:00 INFO: Error stacktraces are turned on.
13:15:01 INFO: User cache: C:\Windows\system32\config\systemprofile\.sonar\cache
13:15:02 INFO: Load global repositories
13:15:02 INFO: Load global repositories (done) | time=200ms
13:15:02 INFO: User cache: C:\Windows\system32\config\systemprofile\.sonar\cache
13:15:02 INFO: Load plugins index
13:15:02 INFO: Load plugins index (done) | time=6ms
13:15:02 INFO: SonarQube server 5.6.1
13:15:02 INFO: Default locale: "en_US", source code encoding: "windows-1252" (analysis is platform dependent)
13:15:03 INFO: Process project properties
13:15:03 INFO: Load project repositories
13:15:03 INFO: Load project repositories (done) | time=567ms
13:15:03 INFO: Execute project builders
13:15:03 INFO: Execute project builders (done) | time=8ms
13:15:03 INFO: Load quality profiles
13:15:04 INFO: Load quality profiles (done) | time=37ms
13:15:04 INFO: Load active rules
13:15:05 INFO: Load active rules (done) | time=1819ms
13:15:05 INFO: Publish mode
13:15:05 INFO: -------------  Scan core-base-bl
13:15:06 INFO: Load server rules
13:15:06 INFO: Load server rules (done) | time=497ms
13:15:06 INFO: Base dir: D:\build\jenkins\workspace\SANITY\source\src\base
13:15:06 INFO: Working dir: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl
13:15:06 INFO: Source paths: core-base-bl/src
13:15:06 INFO: Source encoding: windows-1252, default locale: en_US
13:15:06 INFO: Index files
13:15:07 INFO: 539 files indexed
13:15:07 INFO: Quality profile for java: Sonar way
13:15:08 INFO: Sensor Lines Sensor
13:15:08 INFO: Sensor Lines Sensor (done) | time=98ms
13:15:08 INFO: Sensor JavaSquidSensor
13:15:09 INFO: Configured Java source version (sonar.java.source): 6
13:15:09 INFO: JavaClasspath initialization
13:15:09 INFO: JavaClasspath initialization (done) | time=30ms
13:15:09 INFO: JavaTestClasspath initialization
13:15:09 WARN: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property
13:15:09 INFO: JavaTestClasspath initialization (done) | time=0ms
13:15:09 INFO: Java Main Files AST scan
13:15:09 INFO: 539 source files to be analyzed
13:15:19 INFO: 32/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\...
13:15:29 INFO: 90/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\...
13:15:39 INFO: 134/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\...
13:15:49 INFO: 208/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\...
13:15:59 INFO: 285/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\..
13:16:09 INFO: 367/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\..
13:16:19 INFO: 420/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\..
13:16:26 WARN: Class not found: org.joda.convert.FromString
13:16:26 WARN: Class not found: org.joda.convert.ToString
13:16:29 INFO: 488/539 files analyzed, current file: D:\build\jenkins\workspace\SANITY\source\src\base\core-base-bl\..
13:16:34 INFO: Java Main Files AST scan (done) | time=84994ms
13:16:34 INFO: 539/539 source files have been analyzed
13:16:34 INFO: Java Test Files AST scan
13:16:34 INFO: 0 source files to be analyzed
13:16:34 INFO: Java Test Files AST scan (done) | time=0ms
13:16:34 INFO: Sensor JavaSquidSensor (done) | time=85922ms
13:16:34 INFO: Sensor SCM Sensor
13:16:34 INFO: 0/0 source files have been analyzed
13:16:34 INFO: SCM provider for this project is: svn
13:16:34 INFO: 3 files to be analyzed
13:16:36 INFO: 3/3 files analyzed
13:16:36 INFO: Sensor SCM Sensor (done) | time=2275ms
13:16:36 INFO: Sensor FindBugs Sensor
13:16:38 INFO: Loading findbugs plugin: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs\findsecbugs-plugin.jar
13:16:38 INFO: Findbugs output report: D:\build\jenkins\workspace\SANITY\.sonar\WEB_core-base-bl\findbugs-result.xml
13:17:36 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.crypto.zip.CryptZip' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ContactClientSupport.model.ContactClientSupport' could not be match to its original source file. It might be a dynamically generated class.
13:17:36 WARN: The class 'com.xxx.itse.common.bl.Container.ListFavorites.model.ListFavorites' could not be match to its original source file. It might be a dynamically generated 
13:17:36 INFO: Sensor FindBugs Sensor (done) | time=59933ms

Christian

christi...@gmail.com

Sep 5, 2016, 6:34:52 AM
to SonarQube, christi...@gmail.com, ann.ca...@sonarsource.com
Can I somehow debug where it goes wrong?

I mean the findbugs reports are definitely created on the client as I see them change on every build.
When I check the upload task logs in SonarQube I don't find anything findbugs related in them (besides the fact that it loads the plugin).

Nicolas Peru

Sep 5, 2016, 8:31:06 AM
to christi...@gmail.com, SonarQube, ann.ca...@sonarsource.com
Hi Christian, 

As far as I can understand, the issue lies in the findbugs plugin and how it maps class names back to source files and thus the SonarQube resource.

Seems there was work on this particular topic on the last version of the findbugs plugin : https://github.com/SonarQubeCommunity/sonar-findbugs/commit/9f646a0d3ec84ac54c9bc9a4198f6d50f4e7e7d6 

So I would suggest to submit an issue for the plugin maintainers to pick it up as we (at SonarSource) are not supporting this plugin anymore. 

Cheers, 


christi...@gmail.com

Sep 5, 2016, 10:36:15 AM
to SonarQube, christi...@gmail.com, ann.ca...@sonarsource.com
Thanks. Seems there is already an issue created for this:



christi...@gmail.com

Sep 8, 2016, 10:36:01 AM
to SonarQube, christi...@gmail.com, ann.ca...@sonarsource.com
One more question regarding this problem.

Is there a reason why no findbugs violations are imported into SonarQube even when only some class files can't be matched to the source files?

I'm asking this because I have 2 source folders in my project, /src and /gensrc (gensrc keeping automatically generated Java files that I want to exclude from the analysis).

So I have
/src
/gensrc
both compile to
/bin

Findbugs Plugin is complaining about not finding the ones in gensrc (which are excluded on purpose).

What component (findbugs plugin or the runner itself) decides if the existing findbugs-result.xml files are included in the report sent to the server?

Christian

Michael Gumowski

Sep 12, 2016, 4:08:52 AM
to christi...@gmail.com, SonarQube, ann.ca...@sonarsource.com
Hello Christian,

You should probably ask the question directly on the findbugs plugin github project page. As far as I can tell, it is the Findbugs plugin which checks for that file and handles the results (https://github.com/SonarQubeCommunity/sonar-findbugs/blob/31ca93824bef8d88574de6ac2199d9b238fe133a/src/main/java/org/sonar/plugins/findbugs/FindbugsExecutor.java#L136).

Regards,
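
An added example, not part of the thread and not the plugin's code: a Python sketch of the class-to-source matching discussed above, run over a constructed FindBugs report in a layout where only /src is a source root and generated classes have no source there. The class names, the sample report and the simple package-path lookup are assumptions for illustration; the plugin's actual lookup may differ.

```python
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Constructed sample report; class names and bug types are made up for illustration.
SAMPLE_REPORT = """<BugCollection>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" category="CORRECTNESS">
    <Class classname="com.example.bl.OrderService"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="1" category="I18N">
    <Class classname="com.example.bl.OrderService$Writer"/>
  </BugInstance>
  <BugInstance type="URF_UNREAD_FIELD" priority="2" category="PERFORMANCE">
    <Class classname="com.example.gen.ListFavorites"/>
  </BugInstance>
</BugCollection>"""


def expected_source(classname):
    """Relative .java path for a class; inner classes ($...) live in the outer file."""
    outer = classname.split("$", 1)[0]
    return Path(*outer.split(".")).with_suffix(".java")


def split_by_source(report_xml, source_roots):
    """Return (matched, unmatched) Counters: class name -> number of bug instances."""
    matched, unmatched = Counter(), Counter()
    for bug in ET.fromstring(report_xml).iter("BugInstance"):
        cls = bug.find("Class")
        if cls is None:  # bug instance not attached to a class
            continue
        name = cls.get("classname")
        rel = expected_source(name)
        found = any((Path(root) / rel).is_file() for root in source_roots)
        (matched if found else unmatched)[name] += 1
    return matched, unmatched


def demo():
    """Build a throwaway tree with src/ only (no gensrc) and check the sample report."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "src" / "com" / "example" / "bl"
        pkg.mkdir(parents=True)
        (pkg / "OrderService.java").write_text("// placeholder\n")
        return split_by_source(SAMPLE_REPORT, [Path(tmp) / "src"])


if __name__ == "__main__":
    ok, missing = demo()
    print("matched:  ", dict(ok))
    print("unmatched:", dict(missing))
```

Running `split_by_source` against a real findbugs-result.xml and the directories given in sonar.sources shows whether every reported class is unmatched (pointing at a path or configuration problem) or only the generated ones.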
