Ability to disable specific Sonar rules on specific lines of code?


dave.w...@owasp.org

Apr 25, 2016, 9:12:02 AM
to SonarQube
There already is a JIRA issue on this: https://jira.sonarsource.com/browse/SONAR-1407

It indicates that we should create some kind of //NOSONAR annotation or something. Some think it would be better to not promote the use of the NOSONAR mechanism but to rely on standard mechanisms available in most languages like @SuppressWarnings, @Generated annotation in Java, #pragma directive or [GeneratedCode] attribute in C#, ... Which analyzers are you currently using?

I'm OK with whatever approach works as long as the solution allows you to be very specific to the rule being suppressed. I'd like a mechanism that allows you to do any of these 3 things:

1) Disable a specific rule for a specific line of code
2) Disable a specific rule for a specified block of code
3) Disable a specific rule for an entire file

I'm not sure these 3 things can be done with the language specific mechanisms mentioned above. So, I'm kind of leaning towards some kind of NOSONAR approach, but if it can be figured out how to support this with language standard mechanisms so we don't have to invent something new, I'm totally cool with that too.

Anyone have any thoughts on the subject of which approach is 'best'?

Thanks, Dave

Michael Gumowski

May 13, 2016, 4:55:43 AM
to dave.w...@owasp.org, SonarQube
Hello Dave,

The SonarQube JAVA Analyzer allows you to use the "@SuppressWarnings" annotation to disable a specific rule locally. It will allow you to disable issues on a single line, by placing the annotation directly above an instruction, or in an entire block, by placing it above a class or a method for instance. The only thing you have to provide to the annotation will be the key of the rule, for instance: "@SuppressWarnings("squid:S1197")". You can also disable ALL the issues from ALL the rules by simply using "@SuppressWarnings("all")" at the same places as before.

If you want some simple example of how to use it, you can have a look at this project used for our Integration Tests: https://github.com/SonarSource/sonar-java/tree/master/its/plugin/projects/suppress-warnings

Now, you can't rely on the @SuppressWarnings annotation to disable specific rules for an entire file. The SonarQube platform will however provide the tools in order to disable these rules by targeting explicitly some files. The following page of our documentation will probably answer your questions: Narrowing the Focus - Ignore Issues

The NOSONAR approach should be covered by all our plugins, but it won't allow you to specify which rule to disable, and it will definitely be a pain if you have to mark a whole block. Therefore, it's usually not the approach we recommend.

From a developer of the JAVA analyzer point of view, however, I would be interested to know the causes of your decisions to disable rules. If you think that a rule is not precise enough, or is raising False Positives (FP), surely the rule can be improved! Any feedback you can provide will then help us improve the precision of the rule.

I hope this helps,


Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com
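The three suppression scopes Michael describes, side by side, as an added example that is not code from the thread or from SonarSource. The rule keys are the ones quoted in this thread (squid:S1197 is assumed here to be the array-designator rule; squid:S2068 is hard-coded credentials); the class, method and variable names are made up.

```java
// Added example, not from the thread or the sonar-java project.
// Shows where each suppression form attaches and how wide its effect is.
public class SuppressionScopes {

    interface Item { String getSomething(); }

    private void methodFooBar(String value) { /* consumes value */ }

    // Block scope, one rule: only squid:S1197 is silenced, and only inside this
    // method. The annotation needs the full key, repository:rule, not just S1197.
    // (squid:S1197 assumed to be the "array designators on the type" rule.)
    @SuppressWarnings("squid:S1197")
    public String[] legacySignature(String items[]) { // S1197 would flag "items[]"
        return items;
    }

    // Line scope: a Java annotation can only annotate a declaration, so a plain
    // call statement cannot carry @SuppressWarnings at all. "// NOSONAR" is the
    // only per-line switch, and it silences EVERY rule on that line, with no
    // record of which rule was actually meant.
    public void useItem(Item item) {
        methodFooBar(item.getSomething()); // NOSONAR
    }

    // Widest scope: "all" silences every rule for the whole annotated declaration.
    // Anything added here later, such as this hard-coded secret (squid:S2068),
    // stays invisible to the analysis; keep this form away from code that
    // handles credentials or untrusted input.
    @SuppressWarnings("all")
    static class GeneratedGlue {
        static final String PASSWORD = "placeholder-not-a-real-secret"; // S2068 would normally flag this
    }
}
```

A rule-keyed annotation on the smallest enclosing declaration is the form that survives code review: the key documents what was suppressed, and a later change to the same method cannot silently widen the exemption.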


Dave Wichers

May 16, 2016, 11:12:26 AM
to Michael Gumowski, SonarQube
Thanks Michael,

I will try these out and if I have questions/feedback I'll let you know. It might be good to post this info as a comment added to: https://jira.sonarsource.com/browse/SONAR-1407 so others concerned about this same issue have access to this information.

If I see any rules that could use improvement, I will of course pass that on as well.

Thanks, Dave

G. Ann Campbell

Jun 23, 2016, 5:35:35 AM
to Dave Wichers, SonarQube, mle...@gmail.com
Hi Dave,

That's why you can mark issues False Positive in the interface.


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner

On Wed, Jun 22, 2016 at 8:27 PM, Dave Wichers <dave.w...@aspectsecurity.com> wrote:
Mike,

Even more concerning is that I just figured out that there are only certain places where you can use @SuppressWarnings. Apparently, "Java annotations can only annotate declarations". Meaning, when you declare a:
TYPE,FIELD,METHOD,PARAMETER,CONSTRUCTOR,or LOCAL_VARIABLE
But, you cannot use this in front of an arbitrary line of code. So, for example, if I have a line of code that violates the null pointer exception rule like so:

methodFooBar(item.getSomething());

The null pointer rule might complain that 'item' might be null. But if I know it can't be, I want to put an @SuppressWarnings("squid:RULEID") in front of this line of code to suppress that specific rule, but I can't, because that is not a legal location for a SuppressWarnings() annotation in Java.

Now, I can apparently add: //NOSONAR at the end of this line to suppress ALL Sonar rules on that line, but why isn't something supported to suppress only a single SonarRule for a single line like this?

Or is there some other way to do this?

-Dave


From: Dave Wichers
Sent: Tuesday, June 21, 2016 5:34 PM
To: mle...@gmail.com
Subject: RE: Ability to disable specific Sonar rules on specific lines of code?

Mike,

I'm finally getting a chance to test this out. The first thing I noticed when doing something like this:

@SuppressWarnings("squid:S2068")
some code

Is that Eclipse is now showing a warning:

Unsupported @SuppressWarnings("squid:S2068") on the line where I just added it. Is there a way to configure Eclipse so it realizes this is OK?

Thanks, Dave



andrew murren

Jun 23, 2016, 7:35:38 AM
to G. Ann Campbell, Dave Wichers, SonarQube, mle...@gmail.com
Ann,

Does marking an issue as a False Positive prevent the rule from being tested on subsequent runs? The false positive method sounds more like a workaround than a real solution to Dave's question.

Andy

G. Ann Campbell

Jun 23, 2016, 7:52:47 AM
to andrew murren, Dave Wichers, SonarQube, mle...@gmail.com
Hi Andy,

Yes, and no. We take a checksum of the line, and if that changes, we'll re-evaluate that issue for the line. But as long as the line stays the same, the issue won't be re-raised.


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner

G. Ann Campbell

Jun 23, 2016, 9:08:10 AM
to Dave Wichers, SonarQube
Hi Dave,

Please reply to the group as a whole. Others may benefit from the conversation too.

To answer your question, it doesn't. Yet.

We've never had meaty, full-featured branch support in SonarQube but we're planning to tackle that this year.


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner

On Thu, Jun 23, 2016 at 2:56 PM, Dave Wichers <dave.w...@aspectsecurity.com> wrote:

But how does that help if I have 50 branches of the same code base? And so 50 sonar projects?

Dave


Dave Wichers

Jun 23, 2016, 9:56:17 AM
to G. Ann Campbell, SonarQube

Ok. So how do I suppress this issue in 50 branches today?

Dave


G. Ann Campbell

Jun 23, 2016, 10:18:09 AM
to SonarQube, ann.ca...@sonarsource.com, dave.w...@aspectsecurity.com
Hi Dave,

We've already outlined all the options:

@SuppressWarnings, //NOSONAR, False Positive.

The rest is elbow grease.


Ann



Dave Wichers

Jun 23, 2016, 10:49:01 AM
to G. Ann Campbell, SonarQube
OK.

How about a relatively simple feature request then?

Add support for a file like sonar.properties or sonar-config.xml or whatever that you can drop into the main folder of a project.

And in that file, you can do the kinds of filtering that you can do via the SonarQube UI, or maybe most of them anyway. I'm thinking the suppress a single vuln would be hard, wouldn't work that way. But suppress entire files, use of regex, start/end ignore tokens, etc. should be pretty straightforward. That way, when you branch that project many times, the copy of this file will replicate with the branches, and then ALL the branches will have the same sonar configuration. And this mechanism is leveraging existing suppression features so should be relatively easy to implement. Far easier than some sophisticated support for branches in the SonarQube UI (I would think anyway).

Can we JIRA this idea and get it on the roadmap?

-Dave



G. Ann Campbell

Jun 23, 2016, 11:11:30 AM
to Dave Wichers, SonarQube
Hi Dave,

Thanks for your input. We already have sophisticated branch support on the road map, but we haven't decided yet how that should work, so I'm not going to enter a ticket for this idea.

I can say that rather than this you're more likely to end up with a UI-based solution, though.


Ann



---
G. Ann CAMPBELL | SonarSource
Product Owner


jtavar...@gmail.com

Feb 22, 2017, 1:20:15 PM
to SonarQube, dave.w...@aspectsecurity.com
The above solution is for JAVA, but how do I exclude lines of code from SonarQube scanning in C#?

G. Ann Campbell

Feb 22, 2017, 2:06:57 PM
to jtavar...@gmail.com, SonarQube
Hi,

First, the common courtesies (Hi, Thanks, ...) are appreciated in this group.

Second, this thread is >6 months old and several messages long. The identity of "the above solution" is not clear, and I doubt many will have the patience to read backward to find it.

In short, please start a new thread and clearly state your problem and your goal. Feel free to refer to this thread, but don't rely on it for context.


Ann


---
G. Ann CAMPBELL | SonarSource
Product Manager


Joe Tavarez

Feb 22, 2017, 2:32:01 PM
to G. Ann Campbell, SonarQube
Your response was very helpful. Thank you.
--
Regards,
J.Tavarez
"Ordinary programmers write code to pay the bills. Great hackers think of it as something they do for fun, and which they're delighted to find people will pay them for."-Paul Graham on 'Great Hackers'