SonarQube not showing any Bug/Vulnerability Report

[sohan...@gmail.com]

Hello SonarQube Team,

I am trying to analyze the Java Project with the help of SonarQube and Sonar Scanner but after executing the sonar-scanner.bat commend its showing that Execution Successful but when I am checking in SonarQube server by accessing URL http://localhost:9000 its showing Bug/Vulnerability/Code Smell as 0.

I have followed the below steps:

Step-1:I installed SonarQube version sonarqube-5.6.7 under path D:\SonarSetupPOC\sonarqube-5.6.7

Step2: I downloaded sonar-scanner-3.1.0.1141-windows version under path D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows and setup the environment variable value as "D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin" under Path system variable.

Step-3:I make the below entry in the "sonar-scanner.properties" available under path D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\conf

#CIB-Application

sonar.projectKey=CIB-Application

sonar.projectName=CIB-Application

sonar.projectVersion=1.0

sonar.sources=D:/CiBASE_21stFeb2018/CiBaseCode_19MARCH2018/cib-application/src/main/java/com/orange/obsit/sando/cibinternational/application

I provided the value of sonar.sources the path of java project which I want to analyse and where .java file exist.

Step-4:

Now I started the SonarQube server by running StartSonar.bat available under D:\SonarSetupPOC\sonarqube-5.6.7\bin\windows-x86-64

Its started successfully:

Step-5:

Now I executed the sonar-scanner.bat available under path D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin

Its executed successfully without any error and end with message "EXECUTION SUCCESS".Below is the full trace of the execution:

D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin>sonar-scanner.bat

INFO: Scanner configuration file: D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin\..\conf\sonar-scanner.properties

INFO: Project root configuration file: NONE

INFO: SonarQube Scanner 3.1.0.1141

INFO: Java 1.8.0_121 Oracle Corporation (64-bit)

INFO: Windows 7 6.1 amd64

INFO: User cache: d:\Profiles\saswal\.sonar\cache

INFO: SonarQube server 5.6.7

INFO: Default locale: "en_IN", source code encoding: "windows-1252" (analysis is platform dependent)

INFO: Load global repositories

INFO: Load global repositories (done) | time=145ms

INFO: User cache: d:\Profiles\saswal\.sonar\cache

INFO: Load plugins index

INFO: Load plugins index (done) | time=0ms

INFO: Process project properties

INFO: Load project repositories

INFO: Load project repositories (done) | time=140ms

INFO: Load quality profiles

INFO: Load quality profiles (done) | time=47ms

INFO: Load active rules

INFO: Load active rules (done) | time=530ms

WARN: SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.

INFO: Publish mode

INFO: -------------  Scan CIB-Application

INFO: Load server rules

INFO: Load server rules (done) | time=156ms

INFO: Base dir: D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin

INFO: Working dir: D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin\.scannerwork

INFO: Source paths: D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application

INFO: Source encoding: windows-1252, default locale: en_IN

INFO: Index files

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\bulkupdate\document\IBulkPric

DocumentManagement.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\bulkupdate\document\impl\Bulk

riceDocumentManagementImpl.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\bulkupdate\document\impl\Bulk

riceReviewDocumentProcessor.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\cucib\impl\ProductManagementI

pl.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\cucib\IProductManagement.java

 is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\grp\IGrpProductCatalogManagem

nt.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\grp\impl\GrpProductCatalogMan

gementImpl.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\publishcustomer\ICustomerMana

ement.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\publishcustomer\impl\Customer

anagementImpl.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\publishsite\impl\SiteManageme

tImpl.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\publishsite\ISiteManagement.j

va' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\uploadtool\impl\UploadToolImp

.java' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\uploadtool\IUploadTool.java'

s ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\util\ContextValueIdentifier.j

va' is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

WARN: File 'D:\CiBASE_21stFeb2018\CiBaseCode_19MARCH2018\cib-application\src\main\java\com\orange\obsit\sando\cibinternational\application\util\TemporaryParameter.java'

is ignored. It is not located in module basedir 'D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin'.

INFO: 0 files indexed

INFO: JaCoCoSensor: JaCoCo report not found : D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin\target\jacoco.exec

INFO: JaCoCoItSensor: JaCoCo IT report not found: D:\SonarSetupPOC\sonar-scanner-3.1.0.1141-windows\bin\target\jacoco-it.exec

INFO: Sensor Lines Sensor

INFO: Sensor Lines Sensor (done) | time=0ms

INFO: Sensor SCM Sensor

INFO: No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.

INFO: Sensor SCM Sensor (done) | time=0ms

INFO: Sensor Zero Coverage Sensor

INFO: Sensor Zero Coverage Sensor (done) | time=15ms

INFO: Sensor Code Colorizer Sensor

INFO: Sensor Code Colorizer Sensor (done) | time=0ms

INFO: Sensor CPD Block Indexer

INFO: Sensor CPD Block Indexer (done) | time=0ms

INFO: Calculating CPD for 0 files

INFO: CPD calculation finished

INFO: Analysis report generated in 94ms, dir size=11 KB

INFO: Analysis reports compressed in 15ms, zip size=3 KB

INFO: Analysis report uploaded in 84ms

INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/CIB-Application

INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report

INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AWLR_JQ-HdRApcCJwmD6

INFO: ------------------------------------------------------------------------

INFO: EXECUTION SUCCESS

INFO: ------------------------------------------------------------------------

INFO: Total time: 4.709s

INFO: Final Memory: 12M/159M

INFO: ------------------------------------------------------------------------

Step-6:

I check the sonarqube server home page by accessing the URL:http://localhost:9000 and getting the below page:

Step-7:

Now when I am clicking on the link "CIB-Application" its showing the below screen:

My question is why I am getting Bug/Vulnerabilty/Code Smell count as 0 in the report.

I suspect that this report is not correct.Also in the Step-5 when I executed sonar-scanner.debug command I got the message "INFO: 0 files indexed" which could be the case that sonar scanner hasve not executed any java file.Please suggest if I missed some configuration.

Please check the issue and reply back to me on urgent basis.

Regards,

Sohan 

[nicolas...@sonarsource.com]

Hi Sohan,

SonarQube shows 0 Lines of Code, and analysis also behaves as if no code was actually detected: 'INFO: 0 files indexed' (in the log you shared).

I suggest you review the debug logs of your analysis (pass sonar.verbose=true as analysis parameter). This will show you full details of which file extensions are being looked for, which exclusions/inclusions apply etc. Altogether this will give you good visibility to understand why no file is currently analysed.

Best regards,

Nicolas

[G. Ann Campbell]

Hi Sohan,

In addition to what @Nicolas advised, I'll point out this analysis parameter:

sonar.sources=D:/CiBASE_21stFeb2018/CiBaseCode_19MARCH2018/cib-application/src/main/java/com/orange/obsit/sando/cibinternational/application

You list a source directory starting with a volume. Instead, it should be relative to where analysis is run from, e.g. 

sonar.sources=src/main/java/...

Now, if you're going to tell me that the code isn't available from where analysis is run, well... that's the problem. Source code is expected to be in (at some level) the directory from which you run analysis, which should be the project root.

Also, from the source directory you did list, it looks like this might be a Maven project. In which case you should be able to run analysis by simply cd-ing into the project directory and executing `mvn clean install sonar:sonar`.

Ann

[sohan...@gmail.com]

Hello Nicolas/Ann,

Thank you so much for your valuable reply.

@Ann:I realized that you are correct I was executing the sonar-scanner.bat command from the sonat scanner bin directory where source file are not available but when I execute the same command from the source file directory it executed successfully and it also published the code analysis report in the Sonarqube server URL http://localhost:9000.

Your suggestion solved my issue.

Now please also provide  me the step by step instruction to integrate the SonarQube with the Eclipse for Java Maven project including the configuration part.I tried to google the topic but no luck.

Thanks in advance.

Have a nice day!

Regards,

Sohan

[nicolas...@sonarsource.com]

Hi Sohan,

Thanks for the follow-through on this. Regarding your latest note:

Now please also provide  me the step by step instruction to integrate the SonarQube with the Eclipse for Java Maven project including the configuration part.I tried to google the topic but no luck.

Understand that this is a community effort where users help each other best effort, based on what they've tried and challenges they're encountering. If you're looking at IDE integration than you should review https://www.sonarlint.org in details, and then can consider a dedicated thread if you've got specific questions open.

Best regards,

Nicolas