Home - Yash-777/sonar-java GitHub Wiki
SonarSource rules, making Code Analyzers - Quality software comes from quality code
- SonarQube Continuous Code Quality - Analyze code in your on-premise CI, or online using SonarQube as a Service.
- Use SonarLint, which catches the issues on the fly in your IDE.
In SonarQube, analyzers contribute rules which are executed on source code to generate issues. There are four types of rules:
- Code Smell (Maintainability domain)
- Bug (Reliability domain)
- Vulnerability (Security domain)
- Security Hotspot (Security domain)
First Analysis of a Java Project
- Install SonarQube Server (see Setup and Upgrade for more details)
- Install SonarJava (see Installing a Plugin for more details). By default SonarJava is provided out of the box with SonarQube.
- Execute analysis: For Maven projects, use the SonarQube Scanner for Maven by executing the following command from the root directory of the project:

```shell
mvn sonar:sonar -Dsonar.host.url=[your SonarQube URL] -Dsonar.projectKey=[project key id] -Dsonar.login=[SonarQube as a Service KEY]
```
SonarQube Rules:
- Return boolean expressions instead of boolean literals (squid:S1126)
- Inappropriate "Collection" calls should not be made (squid:S2175)
SonarJava - Fix Version: 4.12 - Partial semantic with type inference can trigger false. (jira, Stack)

```java
import java.util.ArrayList;
import java.util.List;

List<String> list = new ArrayList<String>();
list.add("1");
Integer integer = Integer.valueOf(1);
if (list.contains(integer)) { } // Noncompliant; always false. list.add(integer) doesn't compile, so contains() will always return 'false'
```
- Inappropriate regular expressions should not be used (squid:S2639)
Regular expressions are powerful but tricky, and even those long used to using them can make mistakes.
The following should not be used as regular expressions:
- `.` - matches any single character. Used in replaceAll, it matches everything
- `|` - normally used as an option delimiter. Used stand-alone, it matches the space between characters
- `File.separator` - matches the platform-specific file path delimiter. On Windows, this will be taken as an escape character

```java
import java.io.File;

String str = "/File|Name.txt";
String clean = str.replaceAll(".", "");            // Noncompliant; probably meant to remove only dot chars, but returns an empty string
String clean2 = str.replaceAll("|", "_");          // Noncompliant; yields _/_F_i_l_e_|_N_a_m_e_._t_x_t_
String clean3 = str.replaceAll(File.separator, ""); // Noncompliant; exception on Windows
```
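The three S2639 misuses above, each beside a literal-safe alternative, as an added Java example that is not part of the wiki or of SonarJava (the class and method names are my own; the input string is the one from the rule description):

```java
import java.io.File;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example (not from the wiki): each S2639 misuse next to a replacement that treats the argument literally.
public class RegexMisuseDemo {

    // Constructed sample input, taken from the rule description.
    static final String INPUT = "/File|Name.txt";

    // Noncompliant: "." is the regex wildcard, so every character of the input is removed.
    static String stripDotsNoncompliant(String s) { return s.replaceAll(".", ""); }

    // Compliant: String.replace treats both arguments as plain literals, not as regexes.
    static String stripDots(String s) { return s.replace(".", ""); }

    // Noncompliant: "|" alone is an alternation of two empty patterns, which matches between every pair of characters.
    static String replaceBarNoncompliant(String s) { return s.replaceAll("|", "_"); }

    // Compliant: Pattern.quote escapes the literal when a regex-taking API is still required.
    static String replaceBar(String s) { return s.replaceAll(Pattern.quote("|"), "_"); }

    // Noncompliant: on Windows File.separator is "\", a dangling escape that the regex compiler rejects.
    static String stripSeparatorNoncompliant(String s) { return s.replaceAll(File.separator, ""); }

    // Compliant: literal replacement behaves the same on every platform.
    static String stripSeparator(String s) { return s.replace(File.separator, ""); }

    public static void main(String[] args) {
        System.out.println("replaceAll(\".\")      -> \"" + stripDotsNoncompliant(INPUT) + "\"");
        System.out.println("replace(\".\")         -> \"" + stripDots(INPUT) + "\"");
        System.out.println("replaceAll(\"|\")      -> \"" + replaceBarNoncompliant(INPUT) + "\"");
        System.out.println("Pattern.quote(\"|\")   -> \"" + replaceBar(INPUT) + "\"");
        try {
            // Silently strips "/" on Unix-like systems; throws PatternSyntaxException on Windows.
            System.out.println("replaceAll(separator) -> \"" + stripSeparatorNoncompliant(INPUT) + "\"");
        } catch (PatternSyntaxException e) {
            System.out.println("replaceAll(separator) threw " + e.getClass().getSimpleName());
        }
        System.out.println("replace(separator)    -> \"" + stripSeparator(INPUT) + "\"");
    }
}
```

The platform-dependent `File.separator` case is the one that passes unit tests on a developer's Linux or macOS machine and fails only on a Windows build agent, which is why the rule flags it statically rather than relying on tests.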
To Skip the Sonar Rules (stack):
- For method level, use the annotation `@SuppressWarnings("squid:S2175")` with the rule id.
- For a specific line, use the comment `//NOSONAR` to ignore the error.