How does sonar:sonar work?

Asked 19/9, 2016 at 12:59 Answered 19/9, 2016 at 13:11

Solved java maven sonarqube bamboo sonarqube-scan

We want to use SonarQube with some CI tool in our project. Sonar Server url is configured in main pom.xml.

There are several team memebers in the project. So what happen when one team member executes sonar:sonar locally with his local changes, then another team member executes sonar:sonar with his local changes, and then someone executes sonar:sonar from CI tool (it is configured to analyse source code in Git repository)?

Will SonarQube display issues related team members local changes? What if there are differences between team members local source code and source code in Git repository?

Pontiac answered 19/9, 2016 at 12:59 Comment(3)

Its best to keep the keep sonarqube setting in a different file sonar.properties than pom.xml. And don't include it as part of your Source Management which is shared among developers. Finally place the file in the directory on the system where CI is running the build and configure it appropriately. – Malorie 19/9, 2016 at 13:15

@Malorie Keeping build configuration separate from the codebase is a royal headache, and CI systems are moving to storing the metadata inside it. (Looking at you, Jenkins.) – Xanthine 19/9, 2016 at 13:28

@chrylis i meant keep the configuration out of pom file. and not out of source management. CI can pick anything which is part of source management and can be downloaded. Ya I know Jenkins.. Jenkins has something called pipelines and execute from batch.. So its about how you setup Jenkins. Keeping configuration separately will prevent accidently report upload to sonar. – Malorie 22/9, 2016 at 21:15

sonar:sonar executes analysis and sends the results to the server - assuming you're running it with the token of an account that has the appropriate privileges.

Developers should not be running this type of analysis locally to check their changes. Instead, they should be using SonarLint and perhaps pull request analysis (depending on your infrastructure).

(EDIT: Pull request analysis has been deprecated and replaced by a fuller-featured Branch analysis($).)

To expand a little on why developers shouldn't be using sonar:sonar locally: it updates the central server in a last-saved-wins manner. So if you've edited A.java and analyzed it locally before commit, and I've renamed A.java to B.java and done a similar pre-commit local analysis... what's visible on the SonarQube server? Depends on who saved/analyzed last.

Instead, sonar:sonar should be run only from your CI tool on the checked-in code that's already visible to the whole team.

Undersecretary answered 19/9, 2016 at 13:11 Comment(4)

If it is first build, when new project will be created in SonarQube? After executing sonar:sonar Sonar Maven Plugin get rules from SonarQube Server, SonarQube Server creates new project, Sonar Maven Plugin executes analysis and sends the results to the server? Did I describe right sequence? – Pontiac 21/9, 2016 at 6:54

I believe project creation happens after the analysis report is submitted to the server. – Undersecretary 21/9, 2016 at 11:12

After executing sonar:sonar in maven. Sonar given report of code duplication in java file. Like "1 duplicated blocks of code must be removed". So i reviewed my code no where code is duplicated in java file except only few method are duplicated on different object. In this senior we can able remove or rename something like that on duplicated methods. Is there any to resolve this type of problem in sonar. Or is there an exclusion to add in pom.xml file ??? – Plutocracy 6/7, 2018 at 5:52

Pls have a look : #56027891 – Spadework 7/5, 2019 at 17:4

As you said that sonar server url is cofigured in mail pom.xml and your team member's run sonar:sonar command at there local machine. But because of all referring to the same server url. So all changes will reflect for a common project. If you want to see then difference separately for each team member. then either you need to update the project name distinct from each other. Other wise you will see latest one there.

Sonar gives you difference in graphical manner. as well as you can compare two build too.

Second If user has administrator grant only then they can update sonar server else not.

Resh answered 19/9, 2016 at 13:9 Comment(0)

Recommended topics

Hot tags