chore: Update to sonar-java 6.9.0 #156
Conversation
|
The miner test fails because of some very strange use of paths in the internals of sonar-java. Essentially, it assumes that the current working directory is the root of the project being analyzed, and then tries to resolve input files relative to it. I'm trying to work around it, but it may require us to patch sonar-java. It's not really designed to be used the way we're using it. |
|
Actually, the relative paths thing doesn't appear to be the whole issue. Will need to keep debugging. |
|
Now I've figured out the actual problem. We're essentially using the testing tooling for Key code parts
This entirely defeats our use case, as the code we want to analyze will obviously not have comments marking non-compliant code. I will keep digging a bit to see if there's any way around this behavior, but I don't think we have any other choice than to fork the project. It'd be a pretty low-maintenance fork, though. |
I agree with you, sonar-java is not designed to be used through the java API (it's designed to be used through the SonarSource products, i.e., SonarQube, SonarCloud, and SonarLint), which is why I believe they might not accept patches from us that change their API, but we can try!
Arghhhh.
Ok. I think it would be nice to discuss this issue by voice (in person or remotely). |
I agree. We may have time to touch upon it during the sync meeting today at 14. At the very least, we should have time to schedule such a discussion for some other time :) |
slarse
force-pushed
the
issue/89-update-to-sonar-java-6.9
branch
from
56ec751
to
f5a7e62
Compare
Okay, so there is a very simple fix for this in the testing utilities. Simply change the method here like so: private void checkIssues(Set<AnalyzerMessage> issues) {
+ if (customIssueVerifier != null) {
+ customIssueVerifier.accept(issues);
+ }
if (expectations.expectNoIssues()) {
assertNoIssues(issues);
} else if (expectations.expectIssueAtFileLevel() || expectations.expectIssueAtProjectLevel()) {
assertComponentIssue(issues);
} else {
assertMultipleIssues(issues);
}
- if (customIssueVerifier != null) {
- customIssueVerifier.accept(issues);
- }
}In other words, invoke the Got it to run, does not break any tests. This is however only something of a band-aid, as there are still assertion errors being thrown left and right. It'd be better to be able to just get the analyzer messages, I'll see if I can figure that out without too many changes. |
|
I think a better solution here is to not use the testing methods (e.g. |
|
I've been messing about with this all day. Essentially, doing this the "proper" way does not seem possible, because there is currently no way to include both sonarlint-core and sonar-java in the same project. The problem is that the former is signed, and the latter isn't, and they have some overlapping packages which causes security exceptions. I've been trying for hours and can't get around it, short of manually removing the signatures from the jarfiles. There's another way, but that still involves using some amount of testing infrastructure. It's the easiest for now, though, so I'll go with that. With a proper facade around the sonarqube stuff, future refactoring should be simple. |
slarse
force-pushed
the
issue/89-update-to-sonar-java-6.9
branch
from
889c5f5
to
7cc7297
Compare
Codecov Report
@@ Coverage Diff @@
## master #156 +/- ##
============================================
+ Coverage 82.25% 82.43% +0.17%
- Complexity 367 374 +7
============================================
Files 39 40 +1
Lines 1471 1514 +43
Branches 215 216 +1
============================================
+ Hits 1210 1248 +38
- Misses 159 164 +5
Partials 102 102
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
@fermadeiral I'm not sure I'd call this ready for merge, but I think it's time you look it over.
Essentially, I've managed to upgrade to sonar-java 6.9.0. I ran into quite a few issues with inconsistent use of relative/absolute and non-normalized/normalized paths, which prompted me to open #166 .
There's also one point of breakage: The previously noncompliant code in CodeFactory.java is now not detected as noncompliant. I've ignored it for now, I have not been able to solve it, nor figure out why it happens.
I've also found our use case is a little bit special. sonar is built on a client/server model, and our application is both the server (that generates the analyzer messages) and the client (that consumes them). It doesn't quite mesh with the design of the libraries. These parts are also largely undocumented, and so this is something of trial and error on my part. I've put in a few hacks here (see review comments) to make it work for now, but I expect to be able to remove them as my understanding of how sonar is built improves.
To be clear, though, the way sorald used sonar before was also a hack, so this is not a step backwards. Perhaps a bit sideways :)
Let me know what you think of all of this, and if you have any ideas for the particular hacks that I've employed. As you've been working on this longer, you may know things I don't.
| new VisitorsBridge( | ||
| checks, | ||
| // TODO set the classpath to something reasonable | ||
| Collections.emptyList(), |
There was a problem hiding this comment.
This argument sets the classpath for the VisitorsBridge. It's later supplied to the parser, so I'm assuming that it's used to resolve types etc (but I haven't checked inside the parser). We will probably want to set it to something reasonable in the context. For example, when analyzing a project that uses maven, the full classpath can be generated with mvn dependency:build-classpath.
| // FIXME The SensorContextTester is an internal and unstable component in sonar, | ||
| // we should implement our own SensorContext | ||
| SensorContextTester context = SensorContextTester.create(baseDir); |
There was a problem hiding this comment.
Like the comment in the code says, we shouldn't be using the internal SensorContextTester, but it will serve for the time being.
| // FIXME I'm very unsure about supplying null for all of these constructor values. | ||
| // They should not be null, but at this time I don't know that to put there, and | ||
| // with our current usage this hack appears to work. | ||
| super(null, fs, null, null, null, null); |
There was a problem hiding this comment.
Like the comment says, this is a pretty nasty hack. It appears to work, but it's definitely not pretty nor safe as it initializes fields that should not be null to null.
slarse
changed the title
|
Conflict. |
|
Conflicts fixed, and also applied a trivial optimization in 163e4c2 that makes execution of checks that don't require symbolic execution several times faster. Let's postpone a review of this until next week, I'll probably need the rest of this week to conjure up the rule prioritization scripts anyway :) |
I've done it.
In the current stage of the things, this is minor in my opinion, I'm happy you just ignored it.
Maybe we will always need to hack, because the SonarSource team didn't design its products to be used like we want. I see this PR as a step forwards because now we use a newer version of sonar java at least. For now, I think this PR is pretty good. Ready to merge? |
|
@fermadeiral Yes, ready to merge! |
|
@slarse thank you for this great PR! |
| <exclusions> | ||
| <exclusion> | ||
| <!-- must be excluded as it is signed, which causes problems with unsigned version from sonar --> | ||
| <groupId>org.eclipse.jdt</groupId> | ||
| <artifactId>org.eclipse.jdt.core</artifactId> | ||
| </exclusion> | ||
| </exclusions> |
There was a problem hiding this comment.
@slarse Do you remember what problems were arising in the absence of its exclusion? I am using the local build of spoon with this change in the comment, but sorald throws an error that it cannot find the .get method for HashtableOfPackage. I am assuming it is because of this line.
I tried removing the exclusion and now it throws OutOfMemory: Java heap space. Weird.
There was a problem hiding this comment.
As I recall, Sonar-java 6.9 pulled in (or bundled, maybe) an unsigned jdt package, while the one pulled in from Spoon is signed. Signed as in there's a GPG signature on it.
That caused errors on building it.
As both Spoon and Sonar-Java use jdt, you need to make sure that the version they depend on is the same. Otherwise you'll get strange errors.
Fix #89
This PR depends on #144 (that's why it looks huge), I will rebase on master once that's merged. Only b6b3383 and onward is actually new.
The transition to sonar-java 6.9.0 mostly went smoothly, but there were/are a few problems.
First, the interface of the
JavaCheckVerifier/MultiFilesJavaCheckVerifierhave been entirely deprecated, and so everything needed to be revamped. I've added an adapter,Verifier, that serves as the interface with the currently unstable API of the verifier functionality of sonar-java.Second, some checks have slightly altered behavior. In particular,
ArrayHashCodeAndToStringCheckdoesn't flag the code inCodeFactory.javaas non-compliant anymore: https://github.com/SpoonLabs/sorald/blob/ea7d6264d5ad02eb52189fed7cda65ebac516a6d/src/test/resources/CodeFactory.java#L19-L23I'm not sure if this is a bug, I'll keep investigating.
Third, the miner test fails miserably. I haven't looked at that yet.