Missing issue information for external analyzers

[christopher-watanabe-snkeos]

Describe what you need to know

I am using the Sonar CNES report tool v4.1.1 with SonarQube Community Edition 8.9.8. What I've noticed is that SonarSource errors are generated with name, description, type, severity and number information. External Roslyn analyzer issues are however only shown with the name (i.e. "external_roslyn:CA1051") and number information. Other fields are given "?", as if the information were missing. The "?" labelled fields are available on the SonarQube server however, so I expect this information is not truly missing (see screenshots).

I'd like to know whether I'm configuring my report generation wrong or whether this is a feature that is not yet supported, namely importing of external analyzer issues in the report with full information.

Screenshots & log

"?"-labelled content in the report

Information given in SonarQube with the same external error code (circled red)

User environment

Please complete the following information.

• OS: Windows 10
• Project version: Release 4.1.1, SonarQube Community v.8.9.8

[Sancretor]

Hi @ChristopherWatanabe
Thanks for the feedback ! ... and sorry for this issue.
Honestly, I would need to investigate a bit to answer correctly, but it may be an issue on our side, rather than a misconfiguration on yours.
I'll give you an update as soon as possible.

[christopher-watanabe-snkeos]

Thank you @Sancretor ! In the meantime, it seems that quite a few of these external warnings (incorrectly mislabelled errors by me!) can be picked up by expanding the SonarQube C# Ruleset, which is perhaps why this is just now become an issue. For the greatest amount of analysis and peace of mind however, I would ultimately like to include external analyzer warnings and information as well.

I hope your investigation is fruitful! Looking forward to your results!!!

[christopher-watanabe-snkeos]

Hi @Sancretor,

Just taking a short look around, I think the problem is here. It seems if the rule is not listed in the Sonar ruleset - as is the case for all external rules - then it is assumed that the report doesn't include information about that rule, which is not always the case.

[christopher-watanabe-snkeos]

Hi again @Sancretor ,

Looking deeper and doing a couple rounds of debugging, I see that this is exactly what's happening. As the report is given as an argument, I wonder why not simply iterate over the issues of the report? I've exchanged the current logic with this:

        for (Issue i : report.getIssues()) { // construct each issues
            final List<String> issue = new ArrayList<>();
                // add name
            issue.add(i.getRule());
            // add description
            issue.add(i.getMessage()
                    .replaceAll(DELETE_HTML_TAGS_REGEX, StringManager.EMPTY));
            // add type
            issue.add(i.getType());
            // add severity
            issue.add(i.getSeverity());
            // add number
            issue.add("1");

            issues.add(issue);
        }

Null checks would be simple to implement then, and the Question Mark logic could remain in the form of a null check over the Issue field value. Something like `issue.add((i.getRule() == null) ? QUESTION_MARK : i.getRule()), or so.

With this, I now see the external_roslyn messages as so:

The big issue with this fix is that every issue is then considered unique, so I simply set the issue number field to 1. A solution to this would be to first pre-process the report issues in order to find only the unique fields. For this, there would have to be agreement on what exactly consists of a "unique field". I would say two issues are the same if the fields in the report are equal.

In other words, if Issue A and Issue B have the same Rule, Description, Severity, and Type, then they are the same.

[Sancretor]

Hi @christopher-watanabe-snkeos

Sorry for the delay, you seem to have a lot more free time than I do !
Your explanation seems logic to me and may very well be right.

We decided to extract data from the rule linked to the issue because it contains more data or more trustworthy data than the issue itself. At least, it was right when we first developed that class, so that may not be true anymore.
And yes, having a unique list of issues with their number of occurencies would become harder with your fix... more investigation I guess.

I'm looking into it right now, I promise :)

[christopher-watanabe-snkeos]

Hi @Sancretor

No rush! I considered developing this processing to generate the unique list of issues with their number of occurrences myself, but I'm no Java expert and I don't have that much free time! 😄 My team also ended up considering a paid service that generates these sort of PDFs with SonarQube/SonarCloud output, especially if we take the SonarCloud route. Perhaps you've heard of it it? It's called BiteGarden.

Thank you for your response! :)

[Sancretor]

No free time for us then ;)
Yes we've heard about it, and if it perfectly matches your needs so be it !
Either way, we'll try to solve that issue because we are facing it ourselves...