• Stars
    star
    1,042
  • Rank 44,217 (Top 0.9 %)
  • Language
    Java
  • License
    GNU Lesser Genera...
  • Created about 12 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

☕ SonarSource Static Analyzer for Java Code Quality and Security

Code Quality and Security for Java Build Status Quality Gate Coverage

This SonarSource project is a code analyzer for Java projects to help developers produce Clean Code. Information about the analysis of Java features is available here.

Features

  • 600+ rules (including 150+ bug detection rules and 350+ code smells)
  • Metrics (cognitive complexity, number of lines, etc.)
  • Import of test coverage reports
  • Custom rules

Useful links

Have questions or feedback?

To provide feedback (request a feature, report a bug, etc.) use the Sonar Community Forum. Please do not forget to specify the language (Java!), plugin version and SonarQube version.

If you have a question on how to use plugin (and the docs don't help you), we also encourage you to use the community forum.

Contributing

Topic in SonarQube Community Forum

To request a new feature, please create a new thread in SonarQube Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can use it.

Pull Request (PR)

To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and all tests are passing (all checks must be green).

Custom Rules

If you have an idea for a rule but you are not sure that everyone needs it you can implement a custom rule available only for you. Note that in order to help you, we highly recommend to first follow the Custom Rules 101 tutorial before diving directly into implementing rules from scratch.

Work with us

Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring

Testing

To run tests locally follow these instructions.

Java versions

You need Java 21 to build the project and Java 17 run the Integration Tests (ITs).

  • Java 17 can be used to build and test all modules except under java-checks-test-sources that requires Java 21.
  • Java 21 can be used to build and test all modules except under its that requires Java 17 because of SQ imcompatibility.

Build the Project and Run Unit Tests

To build the plugin and run its unit tests, execute this command from the project's root directory:

mvn clean install

Note that

Running unit tests within the IDE might incur in some issues because of the way the project is built with Maven. If you see something like this:

java.lang.SecurityException: class ... signer information does not match signer information of other classes in the same package

try removing the Maven nature of the 'jdt' module.

Integration Tests

To run integration tests, you will need to create a properties file like the one shown below, and set the URL pointing to its location in an environment variable named ORCHESTRATOR_CONFIG_URL.

# version of SonarQube Server
sonar.runtimeVersion=LATEST_RELEASE

orchestrator.updateCenterUrl=http://update.sonarsource.org/update-center-dev.properties

# The location of the Maven local repository is not automatically guessed. It can also be set with the env variable MAVEN_LOCAL_REPOSITORY.
maven.localRepository=/home/myName/.m2/repository

With for instance the ORCHESTRATOR_CONFIG_URL variable being set as:

export ORCHESTRATOR_CONFIG_URL=file:///home/user/workspace/orchestrator.properties

Before running the ITs, be sure your MAVEN_HOME environment variable is set.

Sanity Test

The "Sanity Test" is a test that runs all checks against all the test source files without taking into account the result of the analysis. It verifies that rules are not crashing on any file in our test sources. By default, this test is excluded from the build. To launch it:

mvn clean install -P sanity

Plugin Test

The "Plugin Test" is an integration test suite that verifies plugin features such as metric calculation, coverage, etc. To launch it:

mvn clean install -Pit-plugin -DcommunityEditionTestsOnly=true

Note for internal contributors: in order to also execute the tests that depend on the SonarQube Enterprise Edition, use:

mvn clean install -Pit-plugin

Ruling Test

The "Ruling Test" is an integration test suite that launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files).

To run the test, first make sure the submodules are checked out:

git submodule update --init --recursive

Then, ensure that the JAVA_HOME environment variable is set for the ruling tests execution and that it points to your local JDK 17 installation. Failing to do so will produce inconsistencies with the expected results.

From the its/ruling folder, launch the ruling tests:

mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true 
# Alternatively
JAVA_HOME=/my/local/java17/jdk/ mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true

Note for internal contributors: in order to also execute the tests that depend on the SonarQube Enterprise Edition, use:

mvn clean install -Pit-ruling

This test gives you the opportunity to examine the issues created by each rule and make sure they're what you expect. Any implemented rule is highly likely to raise issues on the multiple projects we use as ruling code base.

  • For a newly implemented rule, it means that a first build will most probably fail, caused by differences between expected results (without any values for the new rule) and the new results. You can inspect these new issues by searching for files named after your rule (squid-SXXXX.json) in the following folder:

      /path/to/project/sonar-java/its/ruling/target/actual/...
    
  • For existing rules which are modified, you may expect some differences between "actual" (from new analysis) and expected results. Review carefully the changes that are shown and update the expected resources accordingly.

All the json files contain a list of lines, indexed by file, explaining where the issues raised by a specific rule are located. If/When everything looks good to you, you can copy the file with the actual issues located at:

its/ruling/target/actual/

Into the directory with the expected issues:

its/ruling/src/test/resources/

For example using the command:

cp its/ruling/target/actual/* its/ruling/src/test/resources/

Autoscan Test

The tests in the autoscan module are designed to detect differences between the issues the Java analyzer can find with and without bytecode. The goal here is to spot and fix the potential FPs, and verify the expected FNs between that would show up in SonarCloud's automatic analysis.

Running this test can be broken down in 2 steps:

  1. Compiling the test sources
  2. Executing the autoscan test
Compiling the test sources

Make sure that the java-checks-tests-sources module has been compiled (ie: the .class files in java-checks-tests-sources/target/ are up to date).

In doubt, go the top-level of the project and run:

# Use java 21!
mvn clean compile --projects java-checks-test-sources --also-make-dependents
Executing the autoscan test

To run the tests, move to the its/autoscan folder and run:

# cd its/autoscan
# use Java 17!
mvn clean package --batch-mode --errors --show-version \
   --activate-profiles it-autoscan \
  -Dsonar.runtimeVersion=LATEST_RELEASE

The artifacts produced during the test execution will be found in its/autoscan/target/actual. You will want to compare the results produced in the autoscan-diff-by-rules

For more detailed information, you can compare the differences between the results found with bytecode and without bytecode by comparing two respective folders:

Depending on the results found, you might need to update the ground truth. The expected results are listed in src/test/resources.

Debugging Integration Tests

You can debug ITs by adding -Dmaven.binary=mvnDebug as an option when running the tests. This will cause the analyzer JVM to wait for a debugger to be attached before continuing.

License

Copyright 2012-2024 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0

More Repositories

1

sonarqube

Continuous Inspection
Java
8,163
star
2

docker-sonarqube

🐳 SonarQube in Docker
Dockerfile
1,287
star
3

eslint-plugin-sonarjs

SonarJS rules for ESLint
TypeScript
1,148
star
4

SonarJS

SonarSource Static Analyzer for JavaScript and TypeScript
TypeScript
958
star
5

sonar-scanning-examples

Shows how to use the Scanners
COBOL
809
star
6

SonarTS

Static code analyzer for TypeScript
Shell
763
star
7

sonar-dotnet

Code analyzer for C# and VB.NET projects https://redirect.sonarsource.com/plugins/vbnet.html
C#
664
star
8

sonarcloud-github-action

Integrate SonarCloud code analysis to GitHub Actions
Shell
571
star
9

sonarlint-intellij

SonarLint for IntelliJ
Java
553
star
10

sonarlint-vscode

SonarLint for Visual Studio Code
CSS
498
star
11

sonarlint-visualstudio

SonarLint extension for VisualStudio
C#
426
star
12

sonar-php

🐘 SonarPHP: PHP static analyzer for SonarQube & SonarLint
Java
360
star
13

sonar-scanner-msbuild

SonarScanner for .NET
C#
335
star
14

sonar-scanner-cli

Scanner CLI for SonarQube and SonarCloud
Java
331
star
15

sonarlint-eclipse

SonarLint for Eclipse
Java
256
star
16

helm-chart-sonarqube

Mustache
221
star
17

sonar-custom-rules-examples

Shows how to bootstrap a project to write custom rules for PHP, Python, Cobol, RPG
Java
217
star
18

sonar-python

🐍 SonarQube Python plugin
Java
214
star
19

sonarlint-core

Core library to run SonarLint analysis
Java
210
star
20

sonar-scanner-cli-docker

Docker image for SonarScanner CLI
Shell
182
star
21

sonar-scanner-jenkins

SonarQube Scanner for Jenkins
Java
173
star
22

sonarqube-scan-action

Shell
165
star
23

sonar-scanner-gradle

SonarQube Scanner for Gradle
Java
162
star
24

sonar-scanner-maven

SonarQube Scanner for Maven
Java
135
star
25

sonar-custom-plugin-example

Shows how to write a SonarQube plugin
JavaScript
121
star
26

sonar-go

SonarGo: Go Analyzer for SonarQube
Java
119
star
27

sonar-scanner-commons

Common Java library used by many SonarScanners
Java
107
star
28

sonar-kotlin

SonarSource Static Analyzer for Kotlin Code Quality and Security
Kotlin
93
star
29

sonar-scanner-vsts

SonarQube TFS/VSTS Marketplace Extension
TypeScript
91
star
30

slang

Java
86
star
31

sonarqube-roslyn-sdk

SDK for SonarQube Roslyn Analyzer Plugins
C#
77
star
32

sonarlint-cli

SonarLint for CLI
Java
76
star
33

sonar-github

SonarQube GitHub Plugin (deprecated)
Java
72
star
34

sslr

SonarSource Language Recognizer
Java
71
star
35

sonarlint-language-server

Language Server for SonarLint VSCode
Java
69
star
36

sonarqube-quality-gate-action

Shell
61
star
37

sonar-.net-documentation

Documentation targeting the .Net community explaining how to install and use SonarQube to analyse .Net projects
50
star
38

sonar-html

Static analyzer for HTML used in Sonar ecosystem
Java
47
star
39

mysql-migrator

Command line tool to migrate MySQL database of SonarQube 6.7-7.8 to non-MySQL
Java
38
star
40

sonar-training-examples

Java
38
star
41

sonar-loc-count

PowerShell
37
star
42

local-travis

🐳 Run travis builds on a developer workstation
Shell
37
star
43

sonar-jacoco

SonarQube JaCoCo Plugin
Java
36
star
44

sonar-developer-toolset

Developer Toolset for Sonar-* Projects
Shell
35
star
45

rspec

Rule Specification
TypeScript
34
star
46

argument-injection-vectors

A curated list of argument injection vectors
HTML
32
star
47

sonar-ldap

🏬 LDAP Plugin for SonarQube
Java
31
star
48

sonar-xml

Java
30
star
49

SonarTS-example

TypeScript
27
star
50

sq-com_example_standard-sqscanner-travis

Standard SQ-Scanner-based project analyzed on SonarCloud using Travis
PHP
26
star
51

sonar-update-center-properties

Shell
25
star
52

sonar-auth-bitbucket

Bitbucket Authentication for SonarQube
Java
24
star
53

sonar-css

SonarCSS: CSS Analyzer for SonarQube
Java
23
star
54

sonar-analyzer-commons

Logic useful for a language plugin
Java
22
star
55

ebcdic-to-ascii-converter

Java
21
star
56

sonarlint-atom

SonarLint for Atom.io
JavaScript
21
star
57

sonar-plugin-api

API to develop plugins for SonarQube, SonarCloud and SonarLint
Java
19
star
58

sonar-auth-github

GitHub Authentication for SonarQube
Java
18
star
59

sq-com_example_java-maven-travis

Java Maven-based project analyzed on SonarCloud using Travis
Java
17
star
60

sonar-iac

Static Code Analyser for Infrastructure-as-Code languages such as CloudFormation and Terraform as well as DevOps like Docker and Kubernetes
Java
17
star
61

sonar-classloader

Toolbox for Java classloaders
Java
15
star
62

sonar-scm-git

Java
14
star
63

sonar-scanner-ant

SonarQube Scanner for Ant
Java
14
star
64

eslint-config-sonarqube

ESLint configuration for SonarQube and its plugins.
JavaScript
13
star
65

sq-com_example_c-sqscanner-travis

C SQ-Scanner-based project analyzed on SonarCloud using Travis
C
12
star
66

sonar-flex

ActionScript
12
star
67

sonarqube-webclient-dotnet

C#
11
star
68

sonarcloud-github-action-samples

Sample projects for the configuration of SonarCloud on GitHub Actions
11
star
69

sonar-scm-svn

SonarQube Plugin for SVN
Java
9
star
70

sonarcloud_examples

Listing of example projects analyzed on SonarCloud
9
star
71

sonarcloud-circleci-orb

Support of SonarScanner CLI in CircleCI
9
star
72

orchestrator

Java library for running SonarQube in tests
Java
9
star
73

sonar-update-center

Java
7
star
74

sonar-dev-maven-plugin

DEPRECATED - Maven plugin to deploy a plugin to a local SonarQube installation
Java
7
star
75

sq-com_example_java-gradle-travis

Java Gradle-based project analyzed on SonarCloud using Travis
Java
7
star
76

parent-oss

Parent file of public Maven projects
Shell
7
star
77

sslr-squid-bridge

Java
7
star
78

sonarcloud_example_go-sqscanner-travis

Go project analyzed on SonarCloud using Travis
Go
7
star
79

sonarjs-cli

[ ⛔️DEPRECATED] CLI for SonarJS
Java
7
star
80

travis-utils

Toolset for SonarSource jobs on Travis
Shell
7
star
81

pycon-sonar-workshop

PyCon US Sonar Workshop
Python
6
star
82

git-files-blame

A git command implemented with JGit that blames multiple files simultaneously
Java
6
star
83

sonar-text

sonar-text
Java
6
star
84

sonar-ui-common

Common UI lib for SonarQube and SonarCloud
TypeScript
5
star
85

sonar-auth-saml

SAML 2.0 Authentication for SonarQube
Java
5
star
86

websites

Deprecated - customers page of old wordpress website
HTML
5
star
87

python-test-sources

Python
5
star
88

sonarcloud_example_cpp-cmake-linux-travis

C++
5
star
89

sync-jira-github-action

Change status of JIRA tickets when opening and merging pull requests
JavaScript
5
star
90

sonar-dummy-oss

Java
4
star
91

sonarlint-website

HTML
4
star
92

sonarcloud-github-c-cpp

Integrate SonarCloud code analysis to GitHub Actions when build wrapper or relative paths support is required. Use https://github.com/SonarSource/sonarcloud-github-action otherwise
Shell
4
star
93

php-test-sources

PHP
3
star
94

public-git-sync

Private to public Git repository synchronization
Shell
3
star
95

sonarlint-omnisharp

Java
3
star
96

chocolatey-packages

PowerShell
3
star
97

javascript-test-sources

Used for https://github.com/SonarSource/SonarJS ruling
JavaScript
3
star
98

jsts-test-sources

TypeScript
3
star
99

license-headers

Source file headers of SonarSource projects
Shell
3
star
100

echoes-react

A React implementation of Echoes, Sonar's design system.
TypeScript
3
star