How can we set the Github plugin to only report changed line issues


Benjamin Liu

Nov 16, 2016, 12:20:46 AM
to SonarQube
Developers only want the plugin to report issues on changed lines. But now, the developer gets all of the issues of the changed files (including the won't fix issues).

SonarQube: 5.6.1
GitHub plugin: 1.3

G. Ann Campbell

Nov 16, 2016, 10:02:21 AM
to SonarQube
Hi,

Please don't cross-post here and on StackOverflow.com.


Ann

Benjamin Liu

Nov 17, 2016, 3:39:33 AM
to SonarQube
Already removed from StackOverflow, any advice about my question?

Julien HENRY

Nov 18, 2016, 9:01:40 AM
to SonarQube
Hi Benjamin,

We are already limiting to report issues on changed files. Many issues can appear because of a change that was made on another line (complexity, NPE, not used variable). So limiting issues to changed lines only would be the best way to miss a lot of useful issues.

++

Julien

benjami...@gmail.com

Nov 21, 2016, 9:42:22 AM
to SonarQube
Hi Julien,

Thanks a lot for your reply! 

Another question is that we found the Github plugin will not ignore won't fix issues. Even though we marked some issues as won't fix on the SonarQube server, they are still reported by the Github plugin.

Is that by design, or are there some params I need to configure locally?

Benjamin



Julien HENRY

Nov 22, 2016, 4:11:11 AM
to SonarQube, benjami...@gmail.com
Hi,

This is supposed to work in most cases as long as you configure your P/R analysis to use the same project key (including sonar.branch) as the reference project on your SonarQube server. Known limitations are mostly file rename / folder move.

++

Julien

Liu Benjamin

Nov 22, 2016, 10:05:43 AM
to Julien HENRY, SonarQube
Hi Julien,

I just set sonar.projectKey in my P/R analysis, I do not set sonar.branch. 

Is the key sonar.branch required in my P/R analysis?

Benjamin

Julien HENRY

Nov 22, 2016, 10:11:55 AM
to Liu Benjamin, SonarQube

2016-11-22 16:05 GMT+01:00 Liu Benjamin <benjami...@gmail.com>:
I just set sonar.projectKey in my P/R analysis, I do not set sonar.branch. 

Is the key sonar.branch required in my P/R analysis?

It is not required to use sonar.branch. But if you set it for your regular analysis (the one that is published on your SonarQube server) then you also have to set it when doing P/R analysis.

Liu Benjamin

Nov 25, 2016, 1:56:02 AM
to Julien HENRY, SonarQube
Hi Julien,

It seems the issue is tracked by the code line; if the line has been changed, the won’t fix issues will be reported as new issues. Is that right?

Thanks,
Benjamin

Julien HENRY

Nov 25, 2016, 2:40:54 AM
to Liu Benjamin, SonarQube
Hi,

Not sure I understand correctly, but even if the line is modified, the algorithm is able to detect that it is the same issue as the one that was marked "won't fix". If the code was changed too much (including preceding and following lines) then on some rare occasions it may fail to match.

Is it working in most cases and only rarely failing? Or do you notice that "won't fix" issues are always reported in your P/R? In the first case we would need a lot of details (previous source code, new code, rule key) to reproduce/investigate. In the second case I advocate for a configuration issue.

++

Julien

Liu Benjamin

Nov 27, 2016, 11:00:56 PM
to Julien HENRY, SonarQube
Hi Julien,

After testing with some pull requests, the won’t fix issues will always be reported when the line is changed, even if the change only adds a new code line.

Below are my configuration and scan log; please help me check if anything is wrong in them. Thanks a lot!
BTW: From the log, I found that all of the files are analyzed, not only the changed files in the pull request. Is it functioning as designed?


configuration

sonar.projectKey=org.***.***:java
sonar.projectName=***
sonar.projectVersion=${git_id}
sonar.sourceEncoding=UTF-8

sonar.github.oauth=*********************
sonar.github.pullRequest=${ghprbPullId}
sonar.analysis.mode=preview

sonar.login=**********

sonar.language=java
sonar.java.libraries=**/*.jar
sonar.java.binaries=webapp/target/classes

sonar.sources=.

sonar.exclusions=*********

Log

03:11:28 INFO: Scanner configuration file: /home/ubuntu/SonarQube/sonar-scanner/sonar-scanner/conf/sonar-scanner.properties
03:11:28 INFO: Project root configuration file: /home/ubuntu/workspace/Create3_TPR/sonar-project.properties
03:11:28 INFO: SonarQube Scanner 2.8
03:11:28 INFO: Java 1.8.0_45-internal Oracle Corporation (64-bit)
03:11:28 INFO: Linux 3.2.0-69-virtual amd64
03:11:29 INFO: User cache: /home/ubuntu/.sonar/cache
03:11:30 INFO: Load global repositories
03:11:30 INFO: Load global repositories (done) | time=157ms
03:11:30 INFO: User cache: /home/ubuntu/.sonar/cache
03:11:30 INFO: Exclude plugins: devcockpit, buildstability, pdfreport, report, scmstats, buildbreaker, views, jira
03:11:30 INFO: Load plugins index
03:11:30 INFO: Load plugins index (done) | time=4ms
03:11:30 INFO: SonarQube server 5.6.1
03:11:30 INFO: Default locale: "en_US", source code encoding: "UTF-8"
03:11:31 INFO: Process project properties
03:11:31 INFO: Load project repositories
03:11:31 INFO: Load project repositories (done) | time=215ms
03:11:32 INFO: Execute project builders
03:11:33 INFO: Starting analysis of pull request: https://github.com/*********/pull/5292
03:11:34 INFO: Execute project builders (done) | time=1904ms
03:11:34 INFO: Load quality profiles
03:11:34 INFO: Load quality profiles (done) | time=21ms
03:11:34 INFO: Load active rules
03:11:34 INFO: Load active rules (done) | time=432ms
03:11:34 INFO: Issues mode
03:11:34 INFO: Scanning only changed files
03:11:34 INFO: -------------  Scan ***** (Java Code)
03:11:34 INFO: Language is forced to java
03:11:34 INFO: Load server rules
03:11:35 INFO: Load server rules (done) | time=113ms
03:11:35 INFO: Base dir: /home/ubuntu/workspace/Create3_TPR
03:11:35 INFO: Working dir: /home/ubuntu/workspace/Create3_TPR/.sonar
03:11:35 INFO: Source paths: .
03:11:35 INFO: Source encoding: UTF-8, default locale: en_US
03:11:35 INFO: Index files
03:11:35 INFO: Excluded sources: 
03:11:35 INFO:   integration_test_suite/**/*.java
03:11:35 INFO:   **/src/test/**
03:11:35 INFO:   test_utils/**/*.java
03:11:35 INFO:   polyglot.ruby/src/main/resources/ruby/gems/**/*.java
03:11:35 INFO:   **/target/**
03:11:35 INFO:   tenant.management/src/main/resources/**
03:11:41 INFO: 1651 files indexed
03:11:41 INFO: 23079 files ignored because of inclusion/exclusion patterns
03:11:41 INFO: Quality profile for java: JAVA
03:11:42 WARN: ----------------------------------------------------------------
03:11:42 WARN: Sonargraph Integration: Skipping project ******* (Java Code) [org.*******.*****:java], since no Sonargraph rules are activated in current SonarQube quality profile [JAVA].
03:11:42 WARN: ----------------------------------------------------------------
03:11:43 INFO: Sensor JavaSquidSensor
03:11:43 INFO: Configured Java source version (sonar.java.source): none
03:11:43 INFO: JavaClasspath initialization
03:11:49 INFO: JavaClasspath initialization (done) | time=6532ms
03:11:49 INFO: JavaTestClasspath initialization
03:11:49 WARN: Bytecode of dependencies was not provided for analysis of test files, you might end up with less precise results. Bytecode can be provided using sonar.java.test.libraries property
03:11:49 INFO: JavaTestClasspath initialization (done) | time=0ms
03:11:50 INFO: Java Main Files AST scan
03:11:50 INFO: 1651 source files to be analyzed
Will analyze all of the 1651 source files one by one **************************************************************************
03:34:59 INFO: Java Main Files AST scan (done) | time=1389110ms
03:34:59 INFO: 1651/1651 source files have been analyzed
03:34:59 INFO: Java Test Files AST scan
03:34:59 INFO: 0 source files to be analyzed
03:34:59 INFO: Java Test Files AST scan (done) | time=0ms
03:34:59 INFO: Sensor JavaSquidSensor (done) | time=1396208ms
03:34:59 INFO: 0/0 source files have been analyzed
03:34:59 INFO: Sensor Sonar-Sonargraph-Plugin [3.5]
03:34:59 INFO: ----------------------------------------------------------------
03:34:59 INFO: Sonargraph: Skipping project ****** (Java Code) [org.***********.***:java], since no Sonargraph rules are activated in current SonarQube quality profile.
03:34:59 INFO: ----------------------------------------------------------------
03:34:59 INFO: Sensor Sonar-Sonargraph-Plugin [3.5] (done) | time=2ms
03:34:59 INFO: Sensor CheckstyleSensor
03:34:59 INFO: Execute Checkstyle 6.12.1...
03:34:59 INFO: Checkstyle configuration: /home/ubuntu/workspace/Create3_TPR/.sonar/checkstyle.xml
03:34:59 INFO: Checkstyle charset: UTF-8
03:35:07 INFO: Execute Checkstyle 6.12.1 done: 7920 ms
03:35:07 INFO: Sensor CheckstyleSensor (done) | time=7926ms
03:35:07 INFO: Sensor FindBugs Sensor
03:35:09 INFO: Loading findbugs plugin: /home/ubuntu/workspace/Create3_TPR/.sonar/findbugs/fb-contrib.jar
03:35:09 INFO: Loading findbugs plugin: /home/ubuntu/workspace/Create3_TPR/.sonar/findbugs/findsecbugs-plugin.jar
03:35:09 INFO: Findbugs output report: /home/ubuntu/workspace/Create3_TPR/.sonar/findbugs-result.xml
03:35:18 WARN: The class 'com.******.core.webapp.RouterCallable$RouterCallableResult' could not be matched to its original source file. It might be a dynamically generated class.
03:35:18 WARN: The class 'com.******.core.webapp.RouterCallable$RouterCallableResult' could not be matched to its original source file. It might be a dynamically generated class.
03:35:18 INFO: Sensor FindBugs Sensor (done) | time=11539ms
03:35:18 INFO: Sensor SurefireSensor
03:35:18 INFO: parsing /home/ubuntu/workspace/Create3_TPR/target/surefire-reports
03:35:18 INFO: Sensor SurefireSensor (done) | time=1ms
03:35:18 INFO: Sensor JaCoCoSensor
03:35:18 INFO: JaCoCoSensor: JaCoCo report not found : /home/ubuntu/workspace/Create3_TPR/target/jacoco.exec
03:35:18 INFO: Project coverage is set to 0% as no JaCoCo execution data has been dumped: /home/ubuntu/workspace/Create3_TPR/target/jacoco.exec
03:35:18 INFO: Sensor JaCoCoSensor (done) | time=89ms
03:35:18 INFO: Sensor JaCoCoItSensor
03:35:18 INFO: JaCoCoItSensor: JaCoCo IT report not found: /home/ubuntu/workspace/Create3_TPR/target/jacoco-it.exec
03:35:18 INFO: Project coverage is set to 0% as no JaCoCo execution data has been dumped: /home/ubuntu/workspace/Create3_TPR/target/jacoco-it.exec
03:35:18 INFO: Sensor JaCoCoItSensor (done) | time=27ms
03:35:18 INFO: Sensor JaCoCoOverallSensor
03:35:18 INFO: JaCoCoOverallSensor: JaCoCo reports not found.
03:35:18 INFO: Analysing /home/ubuntu/workspace/Create3_TPR/.sonar/jacoco-overall.exec
03:35:18 INFO: No information about coverage per test.
03:35:18 INFO: Sensor JaCoCoOverallSensor (done) | time=29ms
03:35:18 INFO: Sensor XmlFileSensor
03:35:18 INFO: Sensor XmlFileSensor (done) | time=13ms
03:35:18 INFO: Load server issues
03:35:20 INFO: Load server issues (done) | time=1496ms
03:35:20 INFO: Performing issue tracking
03:35:21 INFO: 1924/1924 components tracked
03:35:21 INFO: ANALYSIS SUCCESSFUL
03:35:21 INFO: Executing post-job GitHub Pull Request Issue Publisher

Thanks,
Benjamin


Julien HENRY

Nov 28, 2016, 3:25:03 AM
to Liu Benjamin, SonarQube
Hi Benjamin,

Thanks for the log. It seems to prove that your project key configuration is correct. Now can you try to call this URL from your web browser:
https://<your SQ server>/batch/project?key=<your project key>&issues_mode=true

The project key should be the one you passed to sonar.projectKey (i.e. org.***.***:java).

You should receive a JSON response. Please check that you get one entry per file with a non empty value for the "hash" attribute. This is what is used to determine if a file is changed or not.

For example, on one of our projects, we get:
[Inline image 1]

Do you have any process that would locally change the files and make SonarQube consider them all as changed? For example I remember someone having a script that would insert the commit id in every file header.

++

Julien




Liu Benjamin

Nov 28, 2016, 3:43:13 AM
to Julien HENRY, SonarQube
Hi Julien,

I checked with our sonar server. The following is the response; only the revision property is missing:

{
  "timestamp": 0,
  "settingsByModule": {},
  "fileDataByModuleAndPath": {
    "org.***.***:java": {
      "****/****/****.java": {
        "hash": "ac8c510cd47e74dd0fb597e35965af33"
      },
      "****/****/****.java": {
        "hash": "df4bc9a4765a6483d4c23febe88b2dc1"
      },
      "****/****/****.java": {
        "hash": "760a58a3c2f7e9b95da6320ff36960ad"
      }
………..
    }
  },
  "lastAnalysisDate": 1480321689974
}

I also checked our Jenkins job workspace and script (the PR scan is run by a Jenkins job); none of the changed files include any useless change.

BTW, our SonarQube version is 5.6.1 and Github plugin version is 1.3.

Thanks,
Benjamin
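
Added example (not part of any post in this thread, and not SonarSource code): a Python version of the hash check Julien describes, run against a constructed response shaped like the one quoted above. It assumes the "hash" value is an MD5 hex digest of the file's bytes, which the thread does not state; the module key, paths and file contents are made up.

```python
import hashlib
import json

# Constructed sample shaped like the /batch/project response quoted in the thread.
SAMPLE_RESPONSE = json.dumps({
    "timestamp": 0,
    "settingsByModule": {},
    "fileDataByModuleAndPath": {
        "org.example:java": {
            "src/A.java": {"hash": hashlib.md5(b"class A {}\n").hexdigest()},
            "src/B.java": {"hash": hashlib.md5(b"class B {}\n").hexdigest()},
            "src/C.java": {"hash": ""},  # empty hash: file cannot be matched
        }
    },
    "lastAnalysisDate": 1480321689974,
})

# Constructed workspace contents (path -> bytes); B was edited, D is new.
WORKSPACE = {
    "src/A.java": b"class A {}\n",
    "src/B.java": b"class B { int x; }\n",
    "src/C.java": b"class C {}\n",
    "src/D.java": b"class D {}\n",
}


def classify_files(response_text, module_key, workspace):
    """Compare server-side hashes with local content, file by file."""
    data = json.loads(response_text)
    server = data.get("fileDataByModuleAndPath", {}).get(module_key)
    if server is None:
        # Wrong project key (or missing branch suffix): nothing to compare.
        raise KeyError("no file data for module %r" % module_key)
    report = {"unchanged": [], "changed": [], "new": [], "no_hash": []}
    for path in sorted(workspace):
        entry = server.get(path)
        if entry is None:
            report["new"].append(path)
        elif not entry.get("hash"):
            report["no_hash"].append(path)
        elif entry["hash"] == hashlib.md5(workspace[path]).hexdigest():
            report["unchanged"].append(path)  # assumed MD5 of raw bytes
        else:
            report["changed"].append(path)
    # Every known file differing points at a local rewrite step,
    # such as a script stamping a commit id into each file header.
    known = len(report["unchanged"]) + len(report["changed"])
    report["all_changed"] = known > 0 and not report["unchanged"]
    return report
```
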


Julien HENRY

Nov 28, 2016, 4:14:47 AM
to Liu Benjamin, SonarQube
In theory the "revision" attribute is not used in preview mode. But I'm wondering if this could not be evidence of a deeper issue.

Could you please do the following test:
  - temporarily change your main analysis job to analyze your project in a branch (-Dsonar.branch=test-pr-analysis) -> this should create a new project on your SQ server with key org.***.***:java:test-pr-analysis
  - also update your pull request analysis job to use the sonar.branch=test-pr-analysis

Check if that works on this branched analysis (i.e. if only changed files are analyzed).

++

Julien

serc...@gmail.com

Nov 22, 2017, 9:11:43 PM
to SonarQube
Sorry Julien, but I have a burning question. Why do you need to do all these hash comparisons for every file to determine which ones changed?
You already have the pull request, why not just get the list of updated files from the pull request itself?