Migrating from Checkstyle + PMD + Findbugs to SonarQube

3

6

I would like to migrate from Checkstyle + PMD + Findbugs to SonarQube. I've read that SonarQube replaces all 3 plugins (and has some new rules in addition). But in my project we have some custom configuration of these plugins, like checkstyle.xml, which holds our custom checkstyle rules (at least half of them are custom modified checkstyle rules, like special format of code, filter for rude words, ...).

...
    <module name="RegexpSingleline">
        <property name="format" value="debugger" />
        <property name="message" value="Javascript files must not contain 'debugger' statement" />
        <property name="fileExtensions" value="js" />
    </module>
...

The same things for findbugs

<FindBugsFilter>   
...
    <Match><Bug pattern="XXE_XMLREADER" /></Match> 
...
</FindBugsFilter>

and PMD

...
    <rule ref="category/java/errorprone.xml/AvoidBranchingStatementAsLastInLoop" />
    <rule ref="category/java/errorprone.xml/AvoidDecimalLiteralsInBigDecimalConstructor" />
...

So is there any possibility to analyze current rules, migrate to sonar cube and add new custom rules which are not present in default sonar cube configuration?

The main motivation is to have one instance of sonar cube running on some server, and all devs would have the Sonar plugin installed in IDEA, connected to that sonar cube instance (as would some auto build from Jenkins etc.), so all would use the same rules based on the rules set in the current PMD, Checkstyle and Findbugs (in the Jenkins build, these 3 checks are run separately; the ideal solution is to run just the SonarQube check).

Dunagan answered 26/2, 2020 at 13:56 Comment(3)
Have you heard about Qulice? It might be a good alternative to SonarQube, see Strict Control of Java Code Quality. - Stigmasterol
[1] I think you mean SonarQube, not SonarCube. [2] Does your question only relate to using SonarQube with IntelliJ IDEA and Jenkins? - Hammonds
@Hammonds yea, I am sorry, it's SonarQube. Well, the main goal is to have all checks now included in the Jenkins build (pmd, findbugs, checkstyle with custom rules) + sonarlint checks in one place (a SonarQube instance running on the same server as Jenkins, from where people can possibly download checks to IDEA plugins). The nice-to-have feature would be to be able to check all these rules in IDEA (so I know the build will be successful when I push my changes). - Dunagan
C
4

From my experience there are ups and downs regarding using just SonarQube and SonarLint, having just checkstyle, PMD and Findbugs, and having both.

The benefit of SonarQube itself is that it shines with a good and easily understandable UI, which you can easily integrate into your build pipeline and into your PR tool.

With SonarLint you also have a good integration into IDEs. But in my opinion it is not suited for git hooks or fast local verification. We might analyze some classes with SonarLint but not the whole project. Therefore we use the CI/CD.

So those are the benefits of just SonarQube and SonarLint. The biggest one is that you can also have checkstyle, PMD and Findbugs within SonarQube. Those are not supported by SonarLint, but you can use SonarQube to display the errors of those tools. There are dedicated plugins which are maintained, and which will also show you the errors of the other tools. The downside is that SonarLint does not support these plugins.

The SonarQube plugins also sometimes accept reports from outside analysis. E.g. with Findbugs, you can analyse the code with Findbugs and just provide the report to SonarQube.

But generally speaking, it is possible to migrate those rules. For checkstyle you can import the checkstyle.xml - I am not sure for findbugs and PMD, maybe you need to manually configure them.

Anyway, I would closely evaluate what is important to your build and what is not. A checkstyle check via gradle is really fast, whereas a SonarQube scanner will run through and only report at the end. This can be crucial sometimes, if your build resources are limited.

I hope this insight was at least somehow helpful, although it does not 100% cover your question.

Cantor answered 20/4, 2020 at 17:30 Comment(0)
N
0

Use this command to push checkstyle/pmd/cpd/findbugs into SonarQube

-Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml -Dsonar.java.spotbugs.reportPaths=target/site/findbugs.xml
Nary answered 28/8, 2020 at 12:20 Comment(0)
D
0

Unfortunately, the import of checkstyle settings into SonarQube does not really work, so it seems one needs to make all the settings manually :-(

https://github.com/checkstyle/sonar-checkstyle/issues/356

Discreet answered 29/3, 2021 at 11:15 Comment(0)
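For the manual route the answers above describe, a useful first step is an inventory of what the three configuration files actually name, so each entry can be checked off against the SonarQube quality profile. The following is an added example, not code from any poster or from SonarQube; the embedded XML is constructed from the snippets in the question (the `Checker` and `ruleset` wrappers are assumed), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets in the question.
CHECKSTYLE = """<module name="Checker">
  <module name="RegexpSingleline">
    <property name="format" value="debugger"/>
    <property name="message" value="Javascript files must not contain 'debugger' statement"/>
    <property name="fileExtensions" value="js"/>
  </module>
</module>"""
FINDBUGS = """<FindBugsFilter>
  <Match><Bug pattern="XXE_XMLREADER"/></Match>
</FindBugsFilter>"""
PMD = """<ruleset name="sample" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0">
  <rule ref="category/java/errorprone.xml/AvoidBranchingStatementAsLastInLoop"/>
  <rule ref="category/java/errorprone.xml/AvoidDecimalLiteralsInBigDecimalConstructor"/>
</ruleset>"""

def checkstyle_rules(xml_text):
    """Leaf modules are checks; return (name, {property: value}) pairs."""
    out = []
    for m in ET.fromstring(xml_text).iter("module"):
        if m.find("module") is None:  # containers such as Checker have child modules
            props = {p.get("name"): p.get("value") for p in m.findall("property")}
            out.append((m.get("name"), props))
    return out

def findbugs_patterns(xml_text):
    """Bug patterns named in a filter file; 'pattern' may hold a comma-separated list."""
    return [p.strip() for bug in ET.fromstring(xml_text).iter("Bug")
            for p in bug.get("pattern", "").split(",") if p.strip()]

def pmd_rules(xml_text):
    """Rule names from <rule ref=".../file.xml/RuleName">; a bare file ref is kept whole."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        ref = el.get("ref")
        if el.tag.rsplit("}", 1)[-1] == "rule" and ref:  # ignore the XML namespace
            names.append(ref if ref.endswith(".xml") else ref.rsplit("/", 1)[-1])
    return names

def inventory():
    return ([("checkstyle", n, p) for n, p in checkstyle_rules(CHECKSTYLE)]
            + [("findbugs", p, {}) for p in findbugs_patterns(FINDBUGS)]
            + [("pmd", r, {}) for r in pmd_rules(PMD)])

if __name__ == "__main__":
    for tool, rule, props in inventory():
        print(f"{tool:10} {rule} {props or ''}")
```

Whether a filter entry such as `XXE_XMLREADER` means "report this" or "suppress this" depends on whether the build passes the file as an include or an exclude filter, so confirm that before marking the corresponding rule active or inactive in the new profile.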
