<root module key>:<module path> for submodules
sonar.host.url | Server URL |
sonar.projectKey | The project key that is unique for each project. When using Maven, it is automatically set to <groupId>:<artifactId>. | |
sonar.sources | Comma-separated paths to directories containing source files. |
Project identity.
sonar.projectName | Name of the project that will be displayed on the web interface. | |
sonar.projectVersion | "not provided" |
If Anyone does not have permission to perform analyses, you'll need to supply the credentials of a user with Execute Analysis permission for the analysis to run under.
sonar.login | The login or authentication token of a SonarQube user with Execute Analysis permission. | |
sonar.password | The password that goes with the sonar.login username. This should be left blank if an authentication token is being used. |
sonar.ws.timeout | Maximum time to wait for the response of a Web Service call (in seconds). Modifying this value from the default is useful only when you're experiencing timeouts during analysis while waiting for the server to respond to Web Service calls. | 60 |
sonar.projectDescription | The project description. | |
sonar.links.homepage | Project home page Not compatible with Maven, which uses the <url> attribute. | |
sonar.links.ci | Continuous integration Not compatible with Maven, which uses the <ciManagement><url> attribute. | |
sonar.links.issue | Issue tracker Not compatible with Maven, which uses the <issueManagement><url> attribute. | |
sonar.links.scm | Project sources Not compatible with Maven, which uses the <scm><url> attribute. | |
sonar.links.scm_dev | Developer connection Not compatible with Maven, which uses the <scm><developerConnection> attribute. | |
sonar.tests | Comma-separated paths to directories containing tests. | |
sonar.language | Set the language of the source code to analyze. Browse the Plugin Library page to get the list of all available languages. If not set, a multi-language analysis will be triggered. |
|
sonar.sourceEncoding | Set the source file encoding. Encoding of source files. Example of values: UTF-8, MacRoman, Shift_JIS. This property can be replaced by the standard property project.build.sourceEncoding in Maven projects. The list of available encodings depends on your JVM. See (column : ) | System encoding |
sonar.projectDate | Assign a date to the analysis. : This parameter is applicable to a few, special use cases, rather than being an "every day" parameter: To answer those use cases, you can use the sonar.projectDate property. The format is yyyy-MM-dd, for example: 2010-12-01. The process is the following: You may need to adjust your housekeeping settings if you wish to create a long-running history. | Current date |
sonar.branch | Manage SCM branches. If you are a user of Developer Cockpit, please see "Limitation" section in the Developer Cockpit Installation and Usage |
|
sonar.profile | This property is deprecated since SQ 4.5 LTS (see . | Default profile for the given language |
sonar.projectBaseDir | Use this property when you need analysis to take place in a directory other than the one from which it starts. E.G. analysis begins from but the files to be analyzed are in . The path may be relative or absolute. Specify not the the source directory, but some parent of the source directory. The value specified here becomes the new "analysis directory", and other paths are then specified as though the analysis were starting from the new sonar.projectBaseDir. Note that the analysis process will need write permissions in this directory; it is where the sonar.working.directory will be created. | |
sonar.working.directory | Set the working directory for an analysis triggered with the SonarQube Scanner or the SonarQube Ant Task (versions greater than 2.0). Path must be relative and unique for each project. Beware: the specified folder is deleted before each analysis. | |
This property can be used to explicitly tell SonarQube which SCM plugin should be used to grab SCM data on the project (in case auto-detection does not work). The value of this property is always lowercase and depends on the plugin (ex. "tfvc" for the TFVC plugin). Check the documentation page of each plugin to know more. | ||
sonar.scm.forceReloadAll | By default, blame information is only retrieved for changed files. Set this property to true to load blame information for all files. This can be useful is you feel that some SCM data is outdated but SonarQube does not get the latest information from the SCM engine. | false |
See Narrowing the Focus to:
sonar.inclusions | Comma-delimited list of file path patterns to be included in analysis. When set, files matching the paths set here will be included in analysis. | |
sonar.exclusions | Comma-delimited list of file path patterns to be excluded from analysis. | |
sonar.coverage.exclusions | Comma-delimited list of file path patterns to be excluded from coverage calculations | |
sonar.test.exclusions | Comma-delimited list of test file path patterns to be excluded from analysis. | |
sonar.test.inclusions | Comma-delimited list of test file path patterns to be included in analysis. When set, test files matching the paths set here will be included in analysis. | |
sonar.issue.ignore.allfile | Files containing text matching this regular expression will be ignored by analysis. | |
If set to true, all files are imported - with respect to inclusions and exclusions, even if there is no matching language plugin installed. | ||
sonar.cpd.exclusions | Comma-delimited list of file path patterns to be excluded from duplication detection |
Key | Description | Default value |
---|---|---|
sonar.cpd.exclusions | (see the Exclusions/Inclusions section) | |
sonar.cpd.${language}.minimumtokens | A piece of code is considered duplicated as soon as there are at least 100 duplicated tokens in a row (overide with sonar.cpd.${language}.minimumTokens) spread on at least 10 lines of code (override with sonar.cpd.${language}.minimumLines). For Java projects, a piece of code is considered as duplicated when there is a series of at least 10 statements in a row, regardless of the number of tokens and lines. This threshold cannot be overridden. | 100 |
sonar.cpd.${language}.minimumLines | 10 |
Control the quantity / level of logs produced during an analysis. DEBUG: TRACE: | ||
sonar.verbose | Add more detail to both client and server-side analysis logs. There is the potential for this setting to expose sensitive information such as passwords if they are stored as server-side environment variables. | false |
sonar.showProfiling | Display logs to see where the analyzer spends time. This parameter is generating a file containing these timing infos in | false |
sonar.scanner.dumpToFile | Outputs to the specified file the full list of properties passed to the scanner API as a means to debug analysis. |
Those parameters are listed here for completeness of this documentation page - but regular users should not have to worry about them because they mainly target integration use cases.
sonar.analysis.mode | This parameter is set to preview as part of PR analysis. |
https://docs.sonarqube.org/display/SCAN/Advanced+SonarQube+Scanner+Usage https://docs.sonarqube.org/display/SONAR/Analysis+Parameters
Following This tutorial , I can write my custom rule checker.
For now, I can only get the key of project via context.getProject().key() .
The key is defined from scanner command line such as -Dsonar.projectKey=keyOfProject
Is It possible I can defined more customized parameters in the same way and received them in my custom rule?
If not, May be this is a new useful API worthy of implementation?
What’s the ultimate goal – how would you use this when developing rules?
Most customised parameters would be defined for the rule and then adjusted as part of a Quality Profile.
In my case, I want to pass an unique ID to the rule, although the rule is already defined in a specific Quality Profile. But I need this unique ID for applying different checks in the same rule.
Is is possible for me to do that?
In this case, we’d probably suggest creating different rules (the behavior of how the check is applied should be defined mostly by what rules are active in a quality profile, not by analysis parameter).
There are some exceptions you could try and model after if you’re really certain this makes sense, like how we adjust rules based on the sonar.java.version analysis parameter.
Thanks Colin. That helps a lot.
Search code, repositories, users, issues, pull requests..., provide feedback.
We read every piece of feedback, and take your input very seriously.
Use saved searches to filter your results more quickly.
To see all available qualifiers, see our documentation .
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When analyzing Kotlin dataclasses, I get one "critical" error for each non-nullable constructor parameter without a default value with the following description: "The field is marked as non-null, but isn't written to by the constructor. The field might be initialized elsewhere during constructor, or might always be initialized before use." This is just plain wrong as the property is part of the constructor and to be set there with a non-null value. Sonar Qube 9.9 (build 65466) | Version |
---|---|
SonarQube | 65466 |
Sonar-FindBugs | 4.2.4 |
Maven | 3.9 |
Kotlin | 2.0.20 |
The text was updated successfully, but these errors were encountered:
Thank you for reporting this issue, would you be able to share a sample compiled file and the corresponding source? There should be a log line starting with in your analyzer logs, this should tell you the plugin version you are using. Alternatively it should be visible in the SonarQube admin page for plugin, but you need admin rights to see it |
Sorry, something went wrong.
Hello , thank you, I updated the version in the ticket. Unfortunately I am not allowed to share files from the project publically. Here is a small reproduction: Kotlin Source: "\"case\"") // 'case' is protected SQL keyword, so we have to put it in quotes here data class CaseBE( @Id override val id: CASE_ID = UUID.randomUUID(), override var createdAt: OffsetDateTime, override var updatedAt: OffsetDateTime, var breakdownFormattedAddress: String, // <--- this is perfectly legal, value has to be specified when calling constructor ) : AbstractAuditedBaseBE(id, createdAt, updatedAt)Decompiled class file com.xxx.cases.entity @jakarta.persistence.Entity @jakarta.persistence.Table public final data class CaseBE public constructor(id: com.bmw.cc.csvbe.bm.cases.CASE_ID /* = java.util.UUID */ = COMPILED_CODE, createdAt: java.time.OffsetDateTime, updatedAt: java.time.OffsetDateTime, breakdownCity: kotlin.String) : com.bmw.cc.csvbe.persistence.AbstractAuditedBaseBE { @field:jakarta.persistence.Id public open val id: com.bmw.cc.csvbe.bm.cases.CASE_ID /* = java.util.UUID */ /* compiled code */ public open var createdAt: java.time.OffsetDateTime /* compiled code */ public open var updatedAt: java.time.OffsetDateTime /* compiled code */ public final var breakdownFormattedAddress: kotlin.String /* compiled code */ public final operator fun component1(): com.bmw.cc.csvbe.bm.cases.CASE_ID /* = java.util.UUID */ { /* compiled code */ } public final operator fun component2(): java.time.OffsetDateTime { /* compiled code */ } public final operator fun component3(): java.time.OffsetDateTime { /* compiled code */ } public final operator fun component4(): kotlin.String { /* compiled code */ } public open operator fun equals(other: kotlin.Any?): kotlin.Boolean { /* compiled code */ } public open fun hashCode(): kotlin.Int { /* compiled code */ } public open fun toString(): kotlin.String { /* compiled code */ } }Here's the class file: The error looks in SonarQube like this, even the marker looks like it is on the wrong line (it says 'L1' for line number for each of the errors)
PS: Actually, there are more bogus errors when analyzing files compiled from Kotlin. There was another problem with 'duplicated lines' referencing to line numbers not even existing in the source (where in fact was not a single duplicated line). I was under the impression that FindBugs is supporting Kotlin (not only Java)? If not, how can I deactivate it for Kotlin (currently this is breaking our deployment pipelines). I was trying something like .findbugs.onlyAnalyze>**/*.java</sonar.findbugs.onlyAnalyze>in pom.xml, but it didn't work. PS2: The FindBugs errors are not reported in SonarLint connected to the same project, there are only visible in SonarQube for some reason) |
For Java the compilation process is relatively straightforward and each byte code instructions maps to a source line. There's a sample Kotlin project analysed during the integration tests. It would help immensely if you could provide me with a sample Kotlin source (with minimal dependencies) illustrating the problem. Sorry for the silly request but I don't know Kotlin! Regarding Sonarlint, it does not apply the rules corresponding to plugins by design. I think it wouldn't be easy for Sonarsource to provide a plugin API allowing incremental analysis. This explains why you only see the issues in SonarQube. In the end the problem is most likely with SpotBugs, since the plugin is essentially converting SpotBugs issues into SonarQube issues. |
Ah sorry, just saw you had linked a dummy sample .class file, let me look into that. For the "duplicated lines" issue, I'm not sure what you might be referring to because I could not find that text in the plugin or in SpotBugs, could you please provide more details? |
Here's a simple data class you could add to the sample project: MyData( var mutableProp: String, val immutableProp:String, val immutableProp:String, var mutablePropWithDefault: String = "hello", val immutableNullableProp:String?, var mutableNullablePropWithDefault: String? = "hello", val immutableNullableProp: String?, var mutableNullablePropWithDefaultNull: String? = null, )I will also try to provoke the line duplication errors on another test branch. |
Here's the error about line duplications:
This is how the file looks like: com.xxx.yyy.spring.rest.control import io.swagger.v3.oas.models.OpenAPI import io.swagger.v3.oas.models.Paths import io.swagger.v3.oas.models.info.Contact import io.swagger.v3.oas.models.info.Info import io.swagger.v3.oas.models.security.SecurityScheme import io.swagger.v3.oas.models.security.SecurityScheme.Type.HTTP import io.swagger.v3.oas.models.servers.Server import org.springdoc.core.customizers.OpenApiCustomizer import org.springdoc.core.models.GroupedOpenApi import org.springframework.beans.factory.annotation.Value import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration private const val PROTOCOL_TLS: String = "https://" private const val PROTOCOL_HTTP: String = "http://" private const val REGION_EMEA: String = "eu-central-1" private const val REGION_US: String = "us-east-1" private const val AWS_CLOUD_XXX: String = "aws.cloud.xxx" private const val DAYTONA: String = "daytona" /** * Configuration of swagger. Please check app/pom.xml springdoc-openapi-maven-plugin. * Swagger config will be used both for exporting Swagger UI and for OpenAPI specification generation. */ @Configuration class SwaggerConfig( @Value("\${info.app.msIdLowerCase}") val msIdLower: String, @Value("\${info.app.msIdUpperCase}") val msIdUpper: String, @Value("\${info.app.groupId}") val groupId: String, @Value("\${info.app.name}") val name: String, @Value("\${info.app.description}") val description: String, @Value("\${info.app.contact}") val contact: String, @Value("\${info.app.version}") val version: String, @Value("\${info.app.namespace}") val namespace: String, @Value("\${info.app.product}") val product: String, @Value("\${info.app.productDepotUrl}") val productDepotUrl: String, ) { val defaultExtensions get() = mapOf( "x-xxx-msId" to msIdLower, "x-xxx-audience" to "component-internal", "x-xxx-2ndLevelSupportGroup" to "$namespace:global:2nd", "x-xxx-3rdLevelSupportGroup" to "$namespace:global:3nd" ) /** * Swagger/OpenAPI-Config for the app itself * (See README.MD for test values) */ @Bean fun appApi(): GroupedOpenApi { return GroupedOpenApi .builder() .group("app") .packagesToScan("$groupId.api.app.v1") .pathsToMatch("/**") .addOpenApiCustomizer(::infoCustomizer) .addOpenApiCustomizer(::tagsSorterCustomizer) .addOpenApiCustomizer(::serverUrlCustomizer) .build() } /** * Groups APIs from the testsupport package into one OpenAPI definition with description available under * [OpenAPI description URL]/testsupport. * Usage of GroupedOpenAPI enables to define multiple OpenAPI definitions. To add next OpenAPI definition for * the specified package or path, add another GroupedOpenAPI bean and another execution configuration in the * app/pom.xml file for springdoc-openapi-maven-plugin. */ @Bean fun testSupportOpenApi(): GroupedOpenApi = GroupedOpenApi .builder() .group("testsupport") .packagesToScan(*arrayOf("$groupId.api.testsupport.v1.boundary")) .pathsToMatch("/**") .addOpenApiCustomizer(basicAuthCustomizer()) .addOpenApiCustomizer(::tagsSorterCustomizer) .addOpenApiCustomizer(::testSupportOpenApiCustomizer) .build() /** * Defines basic authorization security scheme. */ private fun basicAuthCustomizer() = OpenApiCustomizer { openAPI: OpenAPI -> openAPI .components( openAPI.components .addSecuritySchemes( "basic", SecurityScheme().type(HTTP).scheme("basic") ) ) } /** * Adjusts API definition to follow the API validation rule requiring alphabetically sorted tags. * * @see [ * API validation rules](link removed) */ private fun tagsSorterCustomizer(openAPI: OpenAPI) = openAPI.tags(openAPI.tags?.sortedBy { it.name } ?: emptyList()) private fun infoCustomizer(openAPI: OpenAPI) = openAPI.info( Info() .title("XXX CV $name API") .description(description) .version(version) .extensions( mapOf( "x-xxx-apiId" to "xxx-cv-${msIdLower.replace("-", "")}-api", ) + defaultExtensions ) .contact( Contact() .name(description) .url("(link removed)") .email(contact) ) ) /** * Adds a server URL to select in the SwaggerUI */ private fun serverUrlCustomizer(openAPI: OpenAPI) { val urlPrefix = "$PROTOCOL_TLS$msIdLower" val urlPostFixEmea = "$REGION_EMEA.$product.$DAYTONA.$REGION_EMEA.$AWS_CLOUD_XXX/$msIdLower" val urlPostFixUs = "$REGION_US.$product.$DAYTONA.$REGION_US.$AWS_CLOUD_XXX/$msIdLower" openAPI.servers = listOf( // ---------------------------- LOCAL -------------------------------- Server() .url(PROTOCOL_HTTP + "localhost:8080/" + msIdLower) .description("Local development"), Server() .url(PROTOCOL_TLS + "localhost:8081/" + msIdLower) .description("Local development (TLS)"), // ---------------------------- EUROPE ------------------------------- Server() .url("$urlPrefix.test.$urlPostFixEmea") .description("EMEA-TEST"), Server() .url("$urlPrefix.e2e.$urlPostFixEmea") .description("EMEA-E2E"), Server() .url("$urlPrefix.int.$urlPostFixEmea") .description("EMEA-INT"), Server() .url("$urlPrefix.prod.$urlPostFixEmea") .description("EMEA-PROD"), // ------------------------------ US ---------------------------------- Server() .url("$urlPrefix.e2e.$urlPostFixUs") .description("US-E2E"), Server() .url("$urlPrefix.prod.$urlPostFixUs") .description("US-PROD") ) } /** * Customizes API definition for test support API. * Adjusts API definition to follow the API validation rules: sets version number in server URL * and removes version numbers from paths. * * @see [ * API validation rules]((link removed)) */ private fun testSupportOpenApiCustomizer(openAPI: OpenAPI) { with(openAPI) { servers = listOf( Server().url("http://localhost:8080/$msIdLower/test-support/v1") ) paths = paths .mapKeys { it.key.replaceFirst("/test-support/v1", "")} .let{ Paths().apply { putAll(it) } } info = Info() .title("XXX CV " + msIdUpper + "Test Support API") .description("Api shows how to use JPA, JMS and external services.") .version("1.0.0") .extensions( mapOf( "x-xxx-apiId" to "xxx-cv-$msIdLower-testsupport", "x-xxx-tags" to listOf("test-support"), ) + defaultExtensions ).contact( Contact() .name(name) .url(productDepotUrl) .email(contact) ) } } }Where are these 12.4% duplicated lines from? Also from the class file (which I can't change as dev)? |
Ah right, the duplicates lines are part of SonarQube's built-in analysis, this is not from the plugin. |
Thanks again for reporting the issue and the samples, I'm testing a fix for the bogus : I suppose that this zero-arg constructor is required because it is a JPA entity and (as SpotBugs is saying) it seems to be assigning nulls to non-null fields. However this is generated code, so probably not very relevant to report this to the developpers. |
The zero-arg constructor is automatically generated by the kotlin 'jpa' compiler plugin (which internally uses the no-args plugin), correct. That's basically a JPA-thing, it does just require a zero-arg-constructor and then sets the values via setters. |
No branches or pull requests
You cannot assign a read-only variable.
When you learn about Ada, you are taught that parameters are passed as copy when you are using the in keyword. The fact is that the compiler can decide to pass the parameter by reference and therefore it views the variable as a read-only variable. You cannot write in that variable.
For instance, a loop through a linked list to find the last element in the list could look like this:
The solution to the problem is to create a local instance and copy the read-only variable in the local instance variable.
Find centralized, trusted content and collaborate around the technologies you use most.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Get early access and see previews of new features.
I'm getting error - "Optional parameters should not be used" in Sonar analysis for C# project. Actually in C# latest version we can define optional parameter but SonarQube analysis says Optional parameters should not be used. How can I solve this issue? I'm using latest SonarQube version 6.0.
You can either deactivate the rule on your SonarQube server or mark it as False Positive for your particular case but I would recommend you to have a look at why we created this rule before you deactivate it. You can find more information about this rule on our Rules website or on Microsoft website .
Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more
Post as a guest.
Required, but never shown
By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .
On this page.
There are many cases where you do not want to analyze every aspect of every source file in your project. For example, your project may contain generated code, source code from libraries, or intentionally duplicated code.
In such cases, it makes sense to skip some or all aspects of analysis for these files, thus removing noise and narrowing the focus to issues that really matter.
To help narrow the focus, SonarQube gives you several options to precisely configure what will be analyzed and how. Most of the properties that define your analysis scope can be defined in the SonarQube UI. Other parameters must be set explicitly in the scanner invocation or in the appropriate configuration file as we describe in more detail below; see the Analysis parameters page for more detail.
The initial scope of analysis is controlled by the following parameters:
These parameters define the starting point for analysis scope adjustment:
Additionally, these parameters are:
Test and non-test code are distinguished because
If you are analyzing code using SonarScanner for Maven, SonarScanner for Gradle, or SonarScanner for .NET, the sonar.sources and sonar.tests parameters are automatically determined based on information in your project configuration. You do not have to explicitly set the parameters. If you do explicitly set the parameters (for example in your pom.xml , in the case of Maven), this will override the automatically determined values.
If you use SonarScanner for Maven, see also Adjusting the analysis scope of Maven projects .
If you are not using Maven, Gradle or .NET then
If the defaults are not suitable (for example, if you do have test code) you must set the parameters explicitly in the scanner invocation or in the appropriate configuration file (see Analysis parameters ).
When explicitly set, both sonar.sources and sonar.tests take a comma-delimited list of directories or files.
Let's say your repository looks something like this, with your source and test code clearly separated at the top level:
In this case, you would set your sonar.sources like this:
and your sonar.tests like this:
If you configure your scope in the sonar-project.properties file, it would look like this:
There is no need for any further fine-tuning.
While the sonar.sources and sonar.tests parameters take simple paths, most of the parameters discussed below use path-matching patterns.
The recognized path-matching patterns are defined using the following wildcards:
Unless otherwise noted, all the parameters below are settable at both the global and project level. The UI locations for the settings are found under:
Any setting made at the global level will apply to all projects unless overridden at the project level (the only exceptions are the global exclusion parameters discussed above).
If the directory structure of your project does not cleanly separate source code from test code at the top level, you may have to adjust the scope using exclusions and inclusions.
Inclusions and exclusions should not be part of the initial analysis configuration. We recommend setting them only to solve issues. For example, when you notice that an analysis picked up files that you did not want analyzed.
These are set in the UI for both global and project levels, as follows:
Administration > Configuration > General Settings > Analysis Scope > A. File Exclusions
Project Settings > General Settings > Analysis Scope > A. File Exclusions
To set these parameters by key you can:
The wildcard patterns are interpreted relative to the project base directory.
Exclusions and inclusions apply on top of the sonar.sources and sonar.tests settings. Both the exclusion and inclusion parameters act as filters. They only ever reduce the number of files in the analyzable set, they never add to the set.
Let's say your repository looks something like this, with your test code intermingled with your source code:
You would define your sonar.sources like this, taking in the whole src directory:
and then set Source File Exclusions (key sonar.exclusions ) to
The result is that the set of source files to be scanned is everything under src minus every test subdirectory:
To define the test files, first set sonar.tests to the whole src directory:
and then set Test File Inclusions (key sonar.test.inclusions ) to
The result is that the set of source files to be scanned is everything under src minus everything that is not a test subdirectory:
Note that the initial scoping parameter for test code is sonar.tests (that's tests with an s !) while the exclusion and inclusion parameters for test code are sonar.test.exclusions and sonar.test.inclusions (that's test , without an s !).
The test scoping parameters ( sonar.tests , sonar.test.exclusion , and sonar.test.inclusion ) do not have anything to do with setting up test coverage reporting (see Test coverage ). However, SonarQube will report an error if an imported coverage report lists a test file not encountered in the directories specified by the scoping parameters.
The parameter sonar.coverage.exclusions , on the other hand, is directly related to test coverage reporting (see below).
Analysis Scope > B. Code Coverage Exclusions
This setting lets you exclude specific files or directories from code coverage reporting. The value of the parameter is a comma-delimited list of path-matching patterns relative to the current working directory.
When setting by key, use sonar.coverage.exclusions
Analysis Scope > C. Duplication Exclusions
This setting lets you exclude specific files or directories from duplication checking. The value is a comma-delimited list of path-matching patterns relative to the current working directory.
When setting by key, use sonar.cpd.exclusions
Languages > Your Language
Most languages offer a way to restrict the scope of analysis to files matching a set of extensions. You can specify one or more suffixes (file extensions) for each language. For example, for the C language, .c and .h are set by default.
When setting by key, use the appropriate parameter of the form sonar.<LANGUAGE>.file.suffixes .
By default, SonarQube detects exposed secrets in all files processed by the language analyzers. You can refine the scope of the secret detection: see Adjusting the secret detection scope .
Analysis Scope > D. Issue Exclusions > Ignore Issues on Files
You can ignore files that contain a block of code matching a given regular expression. All issues as well as security hotspots, will be ignored within those files. In this setting, you can enter one or more regular expression patterns. Any file containing at least one of the specified patterns will be ignored.
For example, let's say you have generated class files in your Java project that you wish to exclude. The files look something like this:
To exclude all such files, you might set this parameter to:
Note that since this value is a regular expression, you need to escape the ( and ) parentheses characters and use the expression .* match the string in between those parentheses.
The key for this parameter is sonar.issue.ignore.allfile , however, because it is a multi-value property, we recommend that it only be set through the UI.
Analysis Scope > D. Issue Exclusions > Ignore Issues on Blocks
You can ignore specific blocks of code within a file while continuing to scan the remainder of the file. Blocks to be ignored are delimited within the file by start and end strings. You specify these start and end strings by regular expressions. All issues as well as security hotspots within those blocks, will be ignored. You can enter one or more pairs of regular expression patterns. Any code in any file that lies between the start pattern and its corresponding end pattern will be ignored. Note that:
For example, let's say you want to ignore the code in the method doSomethingElse using block delimiters, like this:
You could specify the following regular expressions:
Start of block : \s*//\s*START-NOSCAN
End of block: \s*//\s*END-NOSCAN
These regular expressions ensure that the start and end block delimiters will be recognized regardless of the number of spaces around the line comment characters ( // ).
The key for this parameter is sonar.issue.ignore.block . However, because it is a multi-value property, we recommend that it only be set through the UI.
Analysis Scope > D. Issue Exclusions > Ignore Issues on Multiple Criteria
You can prevent specific rules from being applied to specific files by combining one or more pairs of strings consisting of a rule key pattern and a file path pattern .
The key for this parameter is sonar.issue.ignore.multicriteria, however, because it is a multi-value property, we recommend that only be set through the UI.
A rule key pattern consists of a rule repository name, followed by a colon, followed by a rule key, or a rule name globbing pattern.
For example:
You can find the fully qualified rule ID of the rule definition and the rule name in the rule definition.
For example, for this rule :
A file path pattern uses the path-matching format described above to specify a set of directories or files.
You can only apply specific rules to specific files.
The mechanics of setting these parameters are the same as for sonar.issue.ignore.multicriteria , above: Each entry consists of a rule key pattern and a file path pattern. The difference is that in this case, it means that the specified rule will only be applied to the specified set of files.
The key for this parameter is sonar.issue.enforce.multicriteria . However, because it is a multi-value property, we recommend that it should only be set through the UI.
Your SonarQube analysis will automatically exclude files that are ignored by your source code control system. For example, in git repositories, it respects the .gitignore file. SonarQube also respects the ignore directives used in SVN repositories.
This behavior can be disabled by setting sonar.scm.exclusions.disabled = true in the configuration file or command line.
Note that while SonarQube understands standard .gitignore directives, it does not understand .gitignore negation patterns . These are the patterns preceded by an exclamation mark( ! ). We recommend not using them in SonarQube projects.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
IMAGES
VIDEO
COMMENTS
In your if condition block, you are setting variable to null and it happens to be your method parameter. Instead of assigning the value to the method parameter, create a local variable and use it and return the value of the local variable from the method if at all it is intended.
1 - There is a bug in the checkstyle plugin. 2 - The code sonar analysed is not quite the code you posted here. I believe that violation should apply in the following case: /**. * @param lastAccessTime the lastAccessTime to set. */. public void setLastAccessTime(Date lastAccessTime) lastAccessTime = lastAccessTime == null ? null : new Date ...
Reassigning existing variable to new value introduces additional complexity to the code and violates the immutability paradigm. New variable should be created instead of mutating of existing one. This should have an exception for the for loops and do/while loops as those (unfortunately) rely on the reassignment. snippet of Noncompliant Code found at GitHub - kamilbeben/variable-reassignment ...
Analysis parameters
Analysis / Command line parameters: Defined when launching an analysis with -D on the command line. Note that only parameters set through the UI are stored in the database. For example, if you override the sonar.exclusions parameter via command-line for a specific project, it will not be stored in the database.
martin-strecker-sonarsource changed the title S3900 FP: when string value is re-assigned S3900 FP: Re-assignment of parameters is ignored Apr 5, 2023 pavel-mikula-sonarsource moved this from To do to In progress in Best Kanban Apr 6, 2023
Note that only parameters set through the UI are stored in the database. For example, if you override the sonar.exclusions parameter via the command line for a specific project, it will not be stored in the database.Subsequent analyses, or analyses in SonarLint with connected mode, would still be executed with the exclusions defined in the UI and therefore stored in the DB.
Add the reproducer option to the scanner configuration: sonar.cfamily.reproducer= "Full path to the button.c file" Re-running the scanner should generate a file named sonar-cfamily.reproducer in the project folder. Please share this file (I can send you a PM if you want to share it privately) I'm looking forward to nail down this false positive!
For example, if you override the sonar.exclusions parameter via command line for a specific project, it will not be stored in the database. Local analyses in Eclipse, for example, would still be executed with the exclusions defined in the UI and therefore stored in the DB. ... Allowed characters are: letters, numbers, '-', '_', '.' and ...
gebitang (gebitang) January 4, 2021, 3:55am 1. Following This tutorial, I can write my custom rule checker. For now, I can only get the key of project via context.getProject ().key () . The key is defined from scanner command line such as -Dsonar.projectKey=keyOfProject. Is It possible I can defined more customized parameters in the same way ...
First, if a parameter is passed via reference, then after the parameter value is changed inside the method, this value is passed to the argument that requested calling this method. Very often, this occurs accidentally and leads to unfortunate effects. Even if parameters are usually passed by value (and not by reference) in your programming ...
Setting configuration on the command line. For CI-based analysis (not automatic analysis), parameters can also be set on the command line using the -D option indicator when launching an analysis.This can be done with the standalone command-line tool sonar-scanner, as well as with any of the build-tool-specific variants like SonarScanner for Maven and SonarScanner for Gradle.
Its not in a constructor, and its not a parameter. Here is a bit more context and an expanded example that should help. The function's intention is to get the column header indexes for each text label (in case the user re-orders columns) ExcelWorkbook inputSheet is a function parameter.
close #2317 There is a PEG issue with the order of template-parameter: type-parameter parameter-declaration type-parameter type-constraint rule matches in case of non integral data type. Sa...
By default, sonar.sources is set to the current working directory (the path .). By default, sonar.tests is not set. Explicit settings. If the defaults are not suitable (for example, if you do have test code) you must set the parameters explicitly in the scanner invocation or in the appropriate configuration file (see Analysis Parameters).
Issue Description When analyzing Kotlin dataclasses, I get one "critical" error for each non-nullable constructor parameter without a default value with the following ...
2. You cannot assign a read-only variable. When you learn about Ada, you are taught that parameters are passed as copy when you are using the in keyword. The fact is that the compiler can decide to pass the parameter by reference and therefore it views the variable as a read-only variable. You cannot write in that variable.
1. You can either deactivate the rule on your SonarQube server or mark it as False Positive for your particular case but I would recommend you to have a look at why we created this rule before you deactivate it. You can find more information about this rule on our Rules website or on Microsoft website. Rules website link mentioned in your reply ...
By default, sonar.sources is set to the current working directory (the path .). By default, sonar.tests is not set. Explicit settings. If the defaults are not suitable (for example, if you do have test code) you must set the parameters explicitly in the scanner invocation or in the appropriate configuration file (see Analysis parameters).