Cppcheck errors are not getting reported in SonarQube 7.9.5 using Sonar-cxx community plugin v1.3.3
I have a SonarQube Community Edition (v7.9.5) server running the sonar-cxx community plugin v1.3.3.
Now, to test a C++ project, I generated a cppcheck (v2.3) analysis report and ran sonar-scanner (https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.5.0.2216-linux.zip) as follows.
$ pwd
/testproj
$ ls
file1.cc
$ cat file1.cc
int main()
{
char a[10];
a[10] = 0;
return 0;
}
$ cppcheck --enable=all --xml . 2> cppcheck_issues.xml
$ cat cppcheck_issues.xml
<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
<cppcheck version="2.3"/>
<errors>
<error id="arrayIndexOutOfBounds" severity="error" msg="Array 'a[10]' accessed at index 10, which is out of bounds." verbose="Array 'a[10]' accessed at index 10, which is out of bounds." cwe="788" hash="11923574308940205340">
<location file="file1.cc" line="4" column="2" info="Array index out of bounds"/>
</error>
<error id="unreadVariable" severity="style" msg="Variable 'a[10]' is assigned a value that is never used." verbose="Variable 'a[10]' is assigned a value that is never used." cwe="563" hash="9507758794529763218">
<location file="file1.cc" line="4" column="7"/>
<symbol>a[10]</symbol>
</error>
</errors>
</results>
$ sonar-scanner \
-Dsonar.host.url=<sonar-host-url>\
-Dsonar.login=<sonar-token>\
-Dsonar.projectName=testproj\
-Dsonar.projectKey=testproj\
-Dsonar.projectVersion=0.1\
-Dsonar.cxx.cppcheck.reportPath=cppcheck_issues.xml\
-Dsonar.exclusions=cppcheck_issues.xml
INFO: Scanner configuration file: /code/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.5.0.2216
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 4.1.12-124.43.4.el7uek.x86_64 amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /code/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 7.9.5
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=142ms
INFO: Server id: 22633092-AXeMotAnTu7ckErSxqZC
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=73ms
INFO: Load/download plugins (done) | time=141ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=9ms
INFO: Project key: testproj
INFO: Base dir: /testproj
INFO: Working dir: /testproj/.scannerwork
INFO: Load project settings for component key: 'testproj'
INFO: Load project settings for component key: 'testproj' (done) | time=74ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=99ms
INFO: Load active rules
INFO: Load active rules (done) | time=1167ms
WARN: SCM provider autodetection failed. Please use "sonar.scm.provider" to define SCM of your project, or disable the SCM Sensor in the project settings.
INFO: Indexing files...
INFO: Project configuration:
INFO: Excluded sources: cppcheck_issues.xml
INFO: 1 file indexed
INFO: 0 files ignored because of inclusion/exclusion patterns
INFO: Quality profile for c++: Sonar way
INFO: ------------- Run sensors on module testproj
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=41ms
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils (file:/root/.sonar/cache/866bb1adbf016ea515620f1aaa15ec53/sonar-javascript-plugin.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO: Sensor C++ (Community) SquidSensor [cxx]
INFO: Load project repositories
INFO: Load project repositories (done) | time=31ms
INFO: Sensor C++ (Community) SquidSensor [cxx] (done) | time=312ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=9ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=3ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=23ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=27ms
INFO: No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: 1 file had no CPD blocks
INFO: Calculating CPD for 0 files
INFO: CPD calculation finished
INFO: Analysis report generated in 157ms, dir size=79 KB
INFO: Analysis report compressed in 22ms, zip size=12 KB
INFO: Analysis report uploaded in 58ms
INFO: ANALYSIS SUCCESSFUL, you can browse <sonar-host-url>/dashboard?id=testproj
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at <sonar-host-url>/api/ce/task?id=AXeQLS1KTu7ckErSxt5M
INFO: Executing post-job 'Final report'
INFO: Turn debug info on to get more details (sonar-scanner -X -Dsonar.verbose=true ...).
INFO: Analysis total time: 5.510 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 7.283s
INFO: Final Memory: 12M/44M
INFO: ------------------------------------------------------------------------
Now the project is successfully created/updated in SonarQube; however, the issues are not reported in SonarQube. Can someone suggest what the reason might be?
Please refer to the snapshot of the project in SonarQube.
Note 1: sonar.cxx.suffixes.sources is configured with the value ".cc" for the C++ (Community) plugin in the SonarQube server configuration. Also, no other plugin was seen to have the same configuration key.
Note 2: No errors/warnings are seen in ce.log.
After further digging, I found the cause of the problem.
Cause: The default quality profile for C++ (Community) has all rules disabled by default, and there is no option to enable them.
Fix: Created a new quality profile that extends the default quality profile, then enabled the rules for it, and finally set it as the default quality profile for C++ (Community), which resolved the problem.
Update (16 Feb 21): Got clarification from the sonar-cxx team that this is intended, and the same is documented at https://github.com/SonarOpenCommunity/sonar-cxx/wiki/Manage-Quality-Profiles
Since the cxx plugin contains a large number of sensors with over 4000
rules, all rules are initially deactivated in the default profile
Sonar way for the programming language CXX. Enabling all rules would
have a negative impact on the analysis performance and mostly only a
subset is needed.
Therefore, after installation, no sensor issues are displayed. To
display issues, the corresponding rules must first be enabled in the
Quality Profile being used by the project.
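An added example, not code from the question or from the sonar-cxx project: a pre-flight check for the pipeline that parses the cppcheck report, derives the rule keys the quality profile must have active, and pulls the profile's active rules from the SonarQube Web API (api/rules/search), so the job fails instead of silently losing the arrayIndexOutOfBounds finding. The "cppcheck:<id>" key format, the profile-key argument and the token-as-Basic-user handling are assumptions about this SonarQube/sonar-cxx version.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Sample input: the cppcheck report from the question, abridged (constructed here).
SAMPLE_REPORT = """<results version="2"><cppcheck version="2.3"/><errors>
<error id="arrayIndexOutOfBounds" severity="error" cwe="788">
<location file="file1.cc" line="4" column="2"/></error>
<error id="unreadVariable" severity="style" cwe="563">
<location file="file1.cc" line="4" column="7"/></error>
</errors></results>"""

def required_rule_keys(report_xml):
    """Map each rule key in the report to the {(file, line)} it fires on.
    Assumes sonar-cxx keys cppcheck rules as 'cppcheck:<id>'."""
    found = {}
    for err in ET.fromstring(report_xml).iter("error"):
        key = "cppcheck:" + err.get("id")
        for loc in err.findall("location"):
            found.setdefault(key, set()).add((loc.get("file"), int(loc.get("line"))))
    return found

def missing_rules(required, active):
    """Keys in the report but inactive in the profile: SonarQube drops them silently."""
    return sorted(k for k in required if k not in active)

def active_rule_keys(base_url, token, profile_key):
    """Active rule keys of one profile via api/rules/search (token as HTTP Basic user)."""
    auth = base64.b64encode((token + ":").encode()).decode()
    keys, page = set(), 1
    while True:
        q = urllib.parse.urlencode({"activation": "true", "qprofile": profile_key,
                                    "ps": 500, "p": page})
        req = urllib.request.Request(f"{base_url}/api/rules/search?{q}",
                                     headers={"Authorization": "Basic " + auth})
        body = json.load(urllib.request.urlopen(req))
        keys.update(r["key"] for r in body["rules"])
        if page * 500 >= body["total"]:
            return keys
        page += 1

if __name__ == "__main__":  # usage: check.py <sonar-url> <token> <profile-key> <report.xml>
    url, token, profile, path = sys.argv[1:5]
    required = required_rule_keys(open(path, encoding="utf-8").read())
    missing = missing_rules(required, active_rule_keys(url, token, profile))
    print("\n".join(f"inactive rule {k}: {len(required[k])} finding(s) dropped" for k in missing))
    sys.exit(1 if missing else 0)
```

Run it with the profile key of the profile actually assigned to the project; a non-zero exit means the scanner run would "succeed" while the listed findings never reach the dashboard.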