

sonar-text-plugin's Issues

Sonar scanner warning

When running sonar-scanner with the sonar-text plug-in I'm getting the warning messages below. SonarQube is working fine as expected, but I still get these warnings:

sonar-scanner.bat : WARN: Property 'sonar-text-plugin.file.suffixes' is not declared as multi-values/property set but was read using
'getStringArray' method. The SonarQube plugin declaring this property should be updated.
At line:1 char:1
sonar-scanner.bat -D sonar.host.url='http://xxx-xx.x.xxxxx'
+ CategoryInfo : NotSpecified: (WARN: Property ...uld be updated.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
WARN: Metric 'comment_lines_data' is deprecated. Provided value is ignored.

This message appears when the latest plug-in is installed in the SonarQube server.

When I checked the latest release of the plug-in, I can see it is an alpha version. Can we expect a stable release any time soon?

Rule proposal: There can be only one (file)

When a team has this policy regarding Java-based Spring configuration, the current rule types aren't sufficient:

All property values should be provided as beans or public fields in the property configuration class. Whichever mechanism is used, remember that the property placeholder configurer bean must be instantiated to resolve the "${...}" placeholders.

When all property values are provided in the property configuration class, it is therefore implied that no other configuration classes should make any reference to Environment, PropertyResolver (@propertysource?), or the @value annotation. Like any other bean in the container, property values should instead be referenced by injecting the property configuration class where needed. There are numerous acceptable ways to make property values accessible from the property configuration class - all of which have only subtle differences that your team may or may not have standardized on.

Possibly the rule "There must be zero to one source file containing match(es) to this expression/pattern." would fit the bill here. We'd then craft an expression that matches on "@Environment", "@propertysource", or "@value". Multiple hits within a single file are ok but once matches occur in more than one file all matches found in any file will be flagged.

This one may deserve to live in a different plugin that uses the Java AST. Let's consider sharing this idea with the SonarQube team at Google Groups before working on this.

How can I match files in multiple formats?

I found that the plugin uses Ant-style patterns to find the files that need to be scanned. How can I match files in multiple formats? For example, I only need to scan files in .py or .go format.

(screenshot attached to the original issue)

Issue with Simple Regex Checker

Issue: The scan doesn't seem to match according to the regex expression and raise the corresponding issues. I've verified my regex expression on https://regexr.com/. I've added an image of the configuration for the same; could you please help me out?

regex : (black[\s-_]*hat)|(black[\s-_]*list)|(black[\s-_]*out)|(brown[\s-_]*out)|(cake[\s-_]*walk)|(\sdisabled*\s)|(\bfemale\b)|(\bgrandfathered\b)|(\bhandicap\b)|(\bkill[a-zA-Z]*\b)|(\bmale\b)|(\bmaster(?!')\b)|(rule[\s-]+of[\s-]+thumb)|(sanity[\s-_]*check)|(sanity[\s-_]*test)|(\bsegregate)|(\bsegregation\b)|(\bslave\b)|(\bsuffer\b)|(war[\s-_]*room)|(white[\s-_]*hat)|(white[\s-_]*list)

I'm using SonarQube 8.9 Community Edition.
(screenshot attached to the original issue)

Allow for negation of the simple single-line rule

Sometimes you want to flag cases where a file is missing a certain pattern.

For example, a config file for a tool that sends alerts may need to specify the email address that notifications should go to. If the developer forgets to fill that field in, the tool will do nothing; if they really want it to do nothing they should remove it. Sample file:

toolConfigBlah: do stuff this way
# notificationTarget: <todo: provide an email address here and uncomment this line before the first release of this software>

Rule would say: If "(?m)^notificationTarget: [regexEmailPattern]" doesn't exist in files named "theTool.config" raise an issue.

Note that the "Required String not Present" rule type allows you to do this already BUT it requires you to define a trigger string that must be present before an issue can be raised.

Duplication in text files with custom extension

Hi,

I'm using this plugin and have set up a rule for the file extension *.ABC. All good. But I also want to get a measure of duplication in all ABC files. Currently the duplication does not seem to look at ABC files. Is there a way?

FYI - I did also activate a text duplication rule. No luck.

Thanks

Rob

Update description of the trigger and "must exist" parameters for at

The trigger and "must exist" parameters for RequiredStringNotPresentCheck enable DOTALL by default. This isn't obvious / is confusing. Add text to any fields that default to DOTALL describing that they'll get that behavior by default and suggesting that this can be switched off via "(?-s)".
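The following is an added Python example, not code from the plugin (which is written in Java), that models the RequiredStringNotPresentCheck semantics described in this issue (a trigger, a must-exist pattern, DOTALL on by default) together with the triggerless negation variant requested in the "Allow for negation of the simple single-line rule" issue above, using that issue's theTool.config sample. The email pattern standing in for "[regexEmailPattern]", the file contents and the function names are my own assumptions.

```python
import re

# Constructed sample: the alerting-tool config from the negation issue, with
# the notification target still commented out (not a real tool's config).
SAMPLE_CONFIG = """toolConfigBlah: do stuff this way
# notificationTarget: <todo: provide an email address here and uncomment this line before the first release of this software>
"""

# The same file after the developer filled the field in (constructed).
FIXED_CONFIG = """toolConfigBlah: do stuff this way
notificationTarget: oncall@example.com
"""

# Hypothetical stand-in for the "[regexEmailPattern]" placeholder in the issue.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"

# (?m)^ anchors to a line start, so the commented-out
# "# notificationTarget: ..." line does not satisfy the requirement.
MUST_EXIST = r"(?m)^notificationTarget: " + EMAIL_RE


def required_string_not_present(text, must_exist, trigger=None, dotall=True):
    """Return True when an issue should be raised for this file's text.

    Mirrors the semantics described for RequiredStringNotPresentCheck: the
    trigger (when given) has to match somewhere in the file before the rule
    applies, and the must-exist pattern must then be absent.  trigger=None
    gives the triggerless negation rule proposed in the earlier issue.
    Both patterns are compiled with DOTALL by default, as the plugin does;
    pass dotall=False, or wrap part of the pattern in (?-s:...), to stop
    '.' from crossing newlines.
    """
    flags = re.DOTALL if dotall else 0
    if trigger is not None and re.search(trigger, text, flags) is None:
        return False  # trigger absent: the rule does not apply to this file
    return re.search(must_exist, text, flags) is None


def check_config_file(name, text):
    """Triggerless rule from the issue: every file named theTool.config
    must contain an active notificationTarget line."""
    if name != "theTool.config":
        return False
    return required_string_not_present(text, MUST_EXIST)


if __name__ == "__main__":
    # Triggerless variant: the half-finished config is flagged, the fixed one is not.
    print("todo config flagged:", check_config_file("theTool.config", SAMPLE_CONFIG))
    print("fixed config flagged:", check_config_file("theTool.config", FIXED_CONFIG))
    # Existing template: the same file is only flagged when the trigger matches,
    # which is the limitation the negation issue wants to remove.
    print("with matching trigger:", required_string_not_present(SAMPLE_CONFIG, MUST_EXIST, trigger=r"toolConfigBlah:"))
    print("with unrelated trigger:", required_string_not_present(SAMPLE_CONFIG, MUST_EXIST, trigger=r"someOtherKey:"))
```

The last two calls show why the trigger parameter gets in the way for this use case: with a trigger that happens not to occur in the file, the missing field is silently accepted.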

sonarqube release

Hi all

I'm trying to use the newly released plugin that uses the already existing Text language. I can write rules for the Text language.
The problem I'm now having is that text files are not coming into the Code view. It seems that I cannot choose Text from the "Administration" > "General Settings" > "Languages" tab. Is this a known problem for the SonarQube Text language, and is there a fix for this?

The plugin does not work with SonarQube 9.3.0

Hi,
After upgrading to SonarQube 9.3.0, the plugin causes the following error:

Startup failed: Plugins can't be loaded. See web logs for more information

Web server startup failed: Found a plugin 'Sonar Text Plugin' in the directory 'extensions/plugins' with the same key [text] as a built-in feature 'Text file Code Quality and Security'. Please remove 'extensions/plugins/sonar-text-plugin-1.1.5.jar'.

Apparently there is a new built-in feature with the key "text" in the new version, so it causes the key conflict.
Could you please look into how to fix it?

Support a rule that raises an issue only if multiple expressions match to text

Provide a rule template that allows you to specify several match patterns individually and have it raise an issue only when all are present. Today you can use the multiline (DOTALL) regex rule template type to do this but you have to figure out how to express in your expression that the patterns can appear in any order. It's simpler for the user to be able to specify several patterns independently. Maybe allow for up to 5 patterns and ignore any unused leftover pattern fields.

only files with extension .properties is being analyzed

I have two files in the same directory with the same content, one with .txt and one with .properties. I have a Simple Regex Match rule (\W\W\W\Wtab\sQDF). Ideally it should give 2 code smells, 1 from each file, but only 1 from .properties is showing up.

(screenshot attached to the original issue)

One issue and feature request with Multiline Regex Check template

I'm facing one issue with the multi-line regex. It is working fine when I test it on https://regex101.com but not working as expected when the rule is executed.

Requirement: I want to find all the tabs (///$tab) except QDF & Main when the succeeding line is not commented (//).

Expression: (?m)\/\/\/\$tab\s(?!(QDF|(?i)MAIN))(.*\n)(?!(\/\/.*))

Issue
In the example below, only tab1 should be captured, as the succeeding line is not commented.

(screenshot attached to the original issue)

But when I executed it in SonarQube, even if the subsequent line is commented, the code is captured as a code smell.

(screenshot attached to the original issue)

Feature request:
Only the first match is being captured. I would like to capture n issues if there are n tabs in my text file with no comment (starting with //) on the subsequent line.

I'm a beginner with both regular expressions and SonarQube, so could you please advise whether there is something wrong with the expression/template that I use?
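An added Python example for the issue above; this is my own code, not the plugin's. Another issue on this page describes the multiline template as the "multiline (DOTALL) regex rule template". Under DOTALL, `.` also matches newlines, so the `(.*\n)` group in the expression above is free to grow until the last newline in the file that is not followed by `//`; one match then spans every following tab, which would produce both symptoms reported (commented tabs appearing inside a match, and only one issue being raised). The sample script is constructed; `(?i)MAIN` is written as `(?i:MAIN)` and `\/` as `/` because Python's re module does not accept a global flag in the middle of a pattern. The hardened pattern uses `[^\n]*` instead of `.*` so that it behaves the same whether or not DOTALL is on; the `(?-s)` switch mentioned elsewhere on this page is the Java-side equivalent.

```python
import re

# Constructed sample script with four ///$tab sections.  Only tab1 and tab3
# are followed by an uncommented line, so the rule should raise two issues.
SAMPLE = """///$tab Main
LOAD * FROM a;
///$tab tab1
LOAD * FROM b;
///$tab tab2
// this section is commented out
///$tab tab3
LOAD * FROM c;
///$tab QDF
LET x = 1;
"""

# The expression from the issue, adapted only as described in the lead-in.
ORIGINAL = r"(?m)///\$tab\s(?!(QDF|(?i:MAIN)))(.*\n)(?!(//.*))"

# Same intent, but the rest of the tab line is matched with [^\n]* so it
# cannot swallow following lines even when the template enables DOTALL.
HARDENED = r"(?m)///\$tab\s(?!QDF|(?i:MAIN))[^\n]*\n(?!//)"


def matched_tabs(pattern, text, dotall):
    """Return (tab_name, first_line, last_line) for every match, lines 1-based.

    dotall=True reproduces a template that compiles the pattern with DOTALL;
    dotall=False reproduces what regex101 shows with only the m flag set.
    """
    flags = re.DOTALL if dotall else 0
    results = []
    for m in re.finditer(pattern, text, flags):
        first_line = text.count("\n", 0, m.start()) + 1
        last_line = text.count("\n", 0, m.end() - 1) + 1
        header = text[m.start():text.index("\n", m.start())]
        results.append((header.split()[-1], first_line, last_line))
    return results


if __name__ == "__main__":
    print("original, no DOTALL:", matched_tabs(ORIGINAL, SAMPLE, dotall=False))
    print("original, DOTALL:   ", matched_tabs(ORIGINAL, SAMPLE, dotall=True))
    print("hardened, DOTALL:   ", matched_tabs(HARDENED, SAMPLE, dotall=True))
```

With DOTALL on, the original expression yields a single match running from the tab1 header to the last line of the file, so tab2 (which is commented out) sits inside the flagged region and no second issue is ever raised; the hardened form returns tab1 and tab3 as two separate single-line matches in both modes.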

ON HOLD: Feature request: Count the number of matching lines in a file

ON HOLD: Need to consider how to determine if appropriate shading has already been done. How can we direct the custom rules at the post-shading dependency list?


Count the number of matching lines in a file & raise an issue if it exceeds a specified count. Make this a cross-file rule so that for example we can trigger it to be applicable when the SCM path includes "/widely/shared-components/".

Specifically, widely shared components that pull in more than a few dependencies are a red flag.

Coming soon - Cross-file checks

I'm testing a new plugin version that adds a cross-file check. It works like this:

Rule: Builds compiled to target Java 8 must not be executed on older JVM versions to avoid bugs
triggerFilePattern: */pom.xml
triggerExpression: .*1.8.*

disallowFilePattern: */start.sh
disallowExpression: .*jdk1.(6|7).*

Any matches of the "disallow" criteria will be raised as issues if and only if the trigger expression matched at least once.

Other possible uses:

This rule type can be run against files with any extension (last I checked, extensionless files were problematic; I clone those and add .txtcpy to them before I scan), so in theory one could detect that a project uses a particular version of Xerces (the trigger) and then look for Java code that exercises functionality from that library that is known to have a problem such as a memory leak. There's no Java AST here, so scanning complex content like XML or Java will be imperfect, but it is possible.

Another similar example is failure to set the CachingConnectionFactory's consumer caching feature under Spring versions that offer it (2.5.6+). Generally we set that to false to avoid leaks unless there's a particular need for it and due diligence has been done to determine that it is safe to use / won't leak. I'm expecting people to forget to set it during Spring version upgrades, and in those cases it'll silently turn on, since it defaults to "true" if you don't set it explicitly. To implement this you'd need to run "mvn help:effective-pom -Doutput=effective-pom.xml" prior to scanning your project.
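An added Python example covering the cross-file trigger/disallow rule described in this issue and the "There can be only one (file)" rule proposed earlier on this page. It is my own code, not the plugin's implementation: the project snapshot is constructed, file patterns are matched with Python's fnmatch globs rather than the plugin's Ant-style matcher, the trigger and disallow expressions are the ones from this issue, and the Spring pattern is my rendering of the annotations listed in that proposal.

```python
import re
from fnmatch import fnmatch

# Constructed project snapshot (path -> file text); not taken from any real build.
PROJECT = {
    "app/pom.xml": (
        "<project>\n  <properties>\n"
        "    <maven.compiler.source>1.8</maven.compiler.source>\n"
        "  </properties>\n</project>\n"
    ),
    "app/bin/start.sh": (
        "#!/bin/sh\nJAVA_HOME=/opt/jdk1.7.0_80\n"
        'exec "$JAVA_HOME/bin/java" -jar app.jar\n'
    ),
    "app/src/main/java/com/example/AppProps.java": (
        "@Configuration\npublic class AppProps {\n"
        '  @Value("${db.url}") String dbUrl;\n}\n'
    ),
    "app/src/main/java/com/example/Mailer.java": (
        "public class Mailer {\n"
        '  @Value("${smtp.host}") String host;\n'
        '  @Value("${smtp.port}") int port;\n}\n'
    ),
}


def grep_files(files, file_pattern, expression):
    """Yield (path, line_no, line) for each line matching expression in
    every file whose path matches the glob (fnmatch semantics: '*' also
    crosses '/', which is how the */pom.xml style patterns are read here)."""
    rx = re.compile(expression)
    for path in sorted(files):
        if not fnmatch(path, file_pattern):
            continue
        for line_no, line in enumerate(files[path].splitlines(), start=1):
            if rx.search(line):
                yield (path, line_no, line)


def cross_file_check(files, trigger_file_pattern, trigger_expression,
                     disallow_file_pattern, disallow_expression):
    """Trigger/disallow rule: every 'disallow' match is an issue, but only
    if the trigger expression matched at least once somewhere in the project."""
    triggered = next(grep_files(files, trigger_file_pattern, trigger_expression), None)
    if triggered is None:
        return []
    return list(grep_files(files, disallow_file_pattern, disallow_expression))


def only_one_file_check(files, file_pattern, expression):
    """'There can be only one (file)' rule: matches may all live in a single
    file; once they occur in more than one file, every match is an issue."""
    hits = list(grep_files(files, file_pattern, expression))
    if len({path for path, _, _ in hits}) <= 1:
        return []
    return hits


if __name__ == "__main__":
    for issue in cross_file_check(PROJECT, "*/pom.xml", r".*1.8.*",
                                  "*/start.sh", r".*jdk1.(6|7).*"):
        print("jdk-version:", *issue)
    # Assumed pattern for the Spring proposal: direct property access outside
    # the single property configuration class.
    for issue in only_one_file_check(PROJECT, "*.java",
                                     r"@Value|@PropertySource|\bEnvironment\b"):
        print("single-config-file:", *issue)
```

Both rules share the one line-oriented matcher, so the same caveat from the issue applies: this is text matching, not an AST, and a `1.8` inside a comment in pom.xml would trigger the rule just as well as the real compiler setting.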

Add a tip to the documentation: Scanning extensionless files

Sometimes projects contain shell script files that have no extension. If you want to scan those with a plugin such as this one, you have to give them an extension. Here's a way to do that via a shell command run prior to the Sonar scan.

# Takes any extensionless files and makes copies with '.txtcopy' extensions. This makes us able to run Sonar Text Plugin rules against their content.

find . -type f ! -path '*/.svn/*' ! -path '*/target/*' ! -name "*.*" -exec cp {} {}.txtcopy \;

This copies the extensionless files to create a version that does have an extension. Here I chose a unique extension to make it more obvious that the file name was created by my scan automation.

You also have to add the ".txtcopy" extension to the list that are assigned to the plugin via the Sonar UI's Settings page.
