  • Stars: 1,042
  • Rank: 40,361 (Top 0.9 %)
  • Language: Java
  • License: GNU Lesser Genera...
  • Created: about 11 years ago
  • Updated: 3 months ago


☕ SonarSource Static Analyzer for Java Code Quality and Security

Code Quality and Security for Java

This SonarSource project is a code analyzer for Java projects to help developers produce Clean Code. Information about the analysis of Java features is available here.

Features

  • 600+ rules (including 150+ bug detection rules and 350+ code smells)
  • Metrics (cognitive complexity, number of lines, etc.)
  • Import of test coverage reports
  • Custom rules

Useful links

Have questions or feedback?

To provide feedback (request a feature, report a bug, etc.) use the Sonar Community Forum. Please do not forget to specify the language (Java!), plugin version and SonarQube version.

If you have a question on how to use the plugin (and the docs don't help you), we also encourage you to use the community forum.

Contributing

Topic in SonarQube Community Forum

To request a new feature, please create a new thread in SonarQube Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can use it.

Pull Request (PR)

To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and all tests are passing (all checks must be green).

Custom Rules

If you have an idea for a rule but you are not sure that everyone needs it, you can implement a custom rule available only to you. Note that, to make this easier, we highly recommend first following the Custom Rules 101 tutorial before diving directly into implementing rules from scratch.

Work with us

Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring

Testing

To run tests locally follow these instructions.

Java versions

You need Java 17 to build the project and run the Integration Tests (ITs).

Build the Project and Run Unit Tests

To build the plugin and run its unit tests, execute this command from the project's root directory:

mvn clean install

Note that running unit tests from within the IDE might run into some issues because of the way the project is built with Maven. If you see something like this:

java.lang.SecurityException: class ... signer information does not match signer information of other classes in the same package

try removing the Maven nature of the 'jdt' module.

Integration Tests

To run integration tests, you will need to create a properties file like the one shown below, and set the URL pointing to its location in an environment variable named ORCHESTRATOR_CONFIG_URL.

# version of SonarQube Server
sonar.runtimeVersion=7.9

orchestrator.updateCenterUrl=http://update.sonarsource.org/update-center-dev.properties

# The location of the Maven local repository is not automatically guessed. It can also be set with the env variable MAVEN_LOCAL_REPOSITORY.
maven.localRepository=/home/myName/.m2/repository

With for instance the ORCHESTRATOR_CONFIG_URL variable being set as:

export ORCHESTRATOR_CONFIG_URL=file:///home/user/workspace/orchestrator.properties

Before running the ITs, be sure your MAVEN_HOME environment variable is set.
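Before launching the ITs it is worth checking the whole environment at once: the properties file behind ORCHESTRATOR_CONFIG_URL, MAVEN_HOME, and the JDK 17 requirement that the Ruling Test section spells out (a wrong JDK silently produces results that do not match the expected ones). The script below is an added example, not part of the sonar-java project. It assumes that JAVA_HOME points at a JDK whose top-level `release` file carries a `JAVA_VERSION="..."` line (true for JDK 9+ distributions), that ORCHESTRATOR_CONFIG_URL is a `file://` URL, and that the properties file uses the keys shown in the snippet above; the required-key list and the messages are the example's own.

```python
"""Pre-flight check for the sonar-java integration-test environment (added example)."""
from __future__ import annotations

import os
import re
from pathlib import Path
from urllib.parse import unquote, urlparse

REQUIRED_JAVA_MAJOR = 17                      # README: ITs and ruling need JDK 17
REQUIRED_PROPERTIES = ("sonar.runtimeVersion", "orchestrator.updateCenterUrl")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for the key=value / key: value subset of Java .properties."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def java_major_version(java_home: Path) -> int | None:
    """Read the JDK major version from $JAVA_HOME/release (assumed layout), or None."""
    release = java_home / "release"
    if not release.is_file():
        return None
    m = re.search(r'^JAVA_VERSION="([^"]+)"', release.read_text(), re.MULTILINE)
    if not m:
        return None
    parts = m.group(1).split(".")
    # "1.8.0_292" style versions report major 8; "17.0.8" style report 17.
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def check_it_environment(env: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the ITs are safe to launch."""
    problems: list[str] = []

    java_home = env.get("JAVA_HOME")
    if not java_home:
        problems.append("JAVA_HOME is not set; ruling results will not match the expected JSON")
    else:
        major = java_major_version(Path(java_home))
        if major != REQUIRED_JAVA_MAJOR:
            problems.append(f"JAVA_HOME must point at a JDK {REQUIRED_JAVA_MAJOR}, found {major}")

    if not env.get("MAVEN_HOME"):
        problems.append("MAVEN_HOME is not set")

    url = env.get("ORCHESTRATOR_CONFIG_URL")
    if not url:
        problems.append("ORCHESTRATOR_CONFIG_URL is not set")
        return problems
    parsed = urlparse(url)
    if parsed.scheme != "file":
        problems.append(f"ORCHESTRATOR_CONFIG_URL should be a file:// URL, got {parsed.scheme!r}")
        return problems
    config = Path(unquote(parsed.path))
    if not config.is_file():
        problems.append(f"orchestrator config not found: {config}")
        return problems

    props = parse_properties(config.read_text())
    for key in REQUIRED_PROPERTIES:
        if key not in props:
            problems.append(f"{config}: missing property {key}")
    # The local repository may come from the file or from MAVEN_LOCAL_REPOSITORY.
    if "maven.localRepository" not in props and not env.get("MAVEN_LOCAL_REPOSITORY"):
        problems.append("set maven.localRepository in the config or MAVEN_LOCAL_REPOSITORY in the environment")
    return problems


if __name__ == "__main__":
    issues = check_it_environment(dict(os.environ))
    for problem in issues:
        print("ERROR:", problem)
    raise SystemExit(1 if issues else 0)
```

Run it once before `mvn clean install -Pit-plugin ...` or the ruling command; a non-zero exit with the printed reasons is cheaper than a failed multi-minute IT run.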

Sanity Test

The "Sanity Test" is a test that runs all checks against all the test source files without taking into account the result of the analysis. It verifies that rules are not crashing on any file in our test sources. By default, this test is excluded from the build. To launch it:

mvn clean install -P sanity

Plugin Test

The "Plugin Test" is an integration test suite that verifies plugin features such as metric calculation, coverage, etc. To launch it:

mvn clean install -Pit-plugin -DcommunityEditionTestsOnly=true

Note for internal contributors: in order to also execute the tests that depend on the SonarQube Enterprise Edition, use:

mvn clean install -Pit-plugin

Ruling Test

The "Ruling Test" is an integration test suite that launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files).

To run the test, first make sure the submodules are checked out:

git submodule update --init --recursive

Then, ensure that the JAVA_HOME environment variable is set for the ruling tests execution and that it points to your local JDK 17 installation. Failing to do so will produce inconsistencies with the expected results.

From the its/ruling folder, launch the ruling tests:

mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true 
# Alternatively
JAVA_HOME=/my/local/java17/jdk/ mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true

Note for internal contributors: in order to also execute the tests that depend on the SonarQube Enterprise Edition, use:

mvn clean install -Pit-ruling

This test gives you the opportunity to examine the issues created by each rule and make sure they're what you expect. Any implemented rule is highly likely to raise issues on the multiple projects we use as ruling code base.

  • For a newly implemented rule, this means that the first build will most probably fail because of differences between the expected results (which contain no values for the new rule) and the new results. You can inspect these new issues by searching for files named after your rule (squid-SXXXX.json) in the following folder:

      /path/to/project/sonar-java/its/ruling/target/actual/...
    
  • For existing rules which are modified, you may expect some differences between "actual" (from new analysis) and expected results. Review carefully the changes that are shown and update the expected resources accordingly.

All the JSON files contain a list of lines, indexed by file, explaining where the issues raised by a specific rule are located. When everything looks good to you, you can copy the file with the actual issues located at:

its/ruling/target/actual/

Into the directory with the expected issues:

its/ruling/src/test/resources/

For example using the command:

cp its/ruling/target/actual/* its/ruling/src/test/resources/
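Copying wholesale is easy; the careful part is the review step before it. The script below, an added example that is not part of the sonar-java project, loads one rule's expected and actual report and lists, per file, which issue lines disappeared and which are new, so a changed rule's effect can be read at a glance. It assumes the layout the text describes (a JSON object mapping a file key to the list of issue lines) and additionally tolerates a trailing comma before `]` or `}`; that tolerance, the sample documents, the file keys and the `squid-S123.json` name are all constructed for the example.

```python
"""Diff a rule's expected vs. actual ruling issues (added example, not project code)."""
from __future__ import annotations

import json
import re
from pathlib import Path

# Constructed sample reports in the assumed layout: file key -> issue lines.
EXPECTED_JSON = """{
"commons-lang:src/main/java/Foo.java": [12, 40],
"commons-lang:src/main/java/Bar.java": [7]
}"""
ACTUAL_JSON = """{
"commons-lang:src/main/java/Foo.java": [
12,
41,
],
"commons-lang:src/main/java/Baz.java": [
3,
],
}"""


def load_ruling_file(text: str) -> dict[str, list[int]]:
    """Parse a ruling report; trailing commas before ] or } are tolerated (assumption)."""
    cleaned = re.sub(r",(\s*[\]}])", r"\1", text)
    data = json.loads(cleaned) if cleaned.strip() else {}
    return {file: sorted(int(line) for line in lines) for file, lines in data.items()}


def diff_rulings(expected: dict[str, list[int]],
                 actual: dict[str, list[int]]) -> dict[str, tuple[list[int], list[int]]]:
    """Return {file: (lines_missing_in_actual, lines_new_in_actual)} for files that differ."""
    result: dict[str, tuple[list[int], list[int]]] = {}
    for file in sorted(set(expected) | set(actual)):
        exp = set(expected.get(file, []))
        act = set(actual.get(file, []))
        if exp != act:
            result[file] = (sorted(exp - act), sorted(act - exp))
    return result


def review_rule(rule_file: str, actual_dir: Path, expected_dir: Path) -> dict[str, tuple[list[int], list[int]]]:
    """Diff one rule's report across the two directories the README names.

    A missing expected file is treated as "no issues", which is exactly the
    situation of a newly implemented rule on its first ruling run.
    """
    actual_path = actual_dir / rule_file
    expected_path = expected_dir / rule_file
    actual = load_ruling_file(actual_path.read_text()) if actual_path.is_file() else {}
    expected = load_ruling_file(expected_path.read_text()) if expected_path.is_file() else {}
    return diff_rulings(expected, actual)


def format_diff(diff: dict[str, tuple[list[int], list[int]]]) -> str:
    """Render the diff as one line per changed file."""
    if not diff:
        return "no differences"
    lines = []
    for file, (missing, new) in diff.items():
        lines.append(f"{file}: -{missing} +{new}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Stand-alone run on the constructed samples.
    print(format_diff(diff_rulings(load_ruling_file(EXPECTED_JSON), load_ruling_file(ACTUAL_JSON))))
    # Against a real checkout (paths from the README, rule name is a placeholder):
    # print(format_diff(review_rule("squid-S123.json",
    #                               Path("its/ruling/target/actual"),
    #                               Path("its/ruling/src/test/resources"))))
```

Only once every `-` line is an issue you intended to lose and every `+` line one you intended to gain should the actual file be copied over the expected one.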

Debugging Integration Tests

You can debug ITs by adding -Dmaven.binary=mvnDebug as an option when running the tests. This will cause the analyzer JVM to wait for a debugger to be attached before continuing.

License

Copyright 2012-2022 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0
