We are running fortify to check security vulnerabilities and sonar for code cleanup.
I would like to know if we can enable static code analysis in fortify and get rid of sonar/pmd/findbugs etc.
I have a java project which will be checked for security vulnerabilities using fortify sca. I also use sonar for code quality and cleanup.
Someone told me that I can configure Sonar-like rules in Fortify so that I can avoid Sonar and save the build time.
Basically I want to configure the Sonar rule set in Fortify, so that Fortify checks for security vulnerabilities as well as code quality and cleanup.
Thank you in advance.
The default Fortify ruleset includes many "sonar-like" style checks. For example, Null Dereference or Poor Exception Handling. It does not have ALL of the Sonar checks, but you could make them yourself using Custom Rules.
See this post for an example:
How to write Fortify custom rules language specific?
And here is one based on Spring MVC:
http://blog.gdssecurity.com/labs/2013/12/2/building-fortify-custom-rules-for-spring-mvc.html
Fortify also includes FindBugs, and contributes to the FindBugs OSS code.
I am using SonarQube 5.1.2 and Maven 3.0.4. I run a Sonar analysis on one of my projects and it gives me all the results. But the issue is that it shows the analysis for all the languages and I need it only for Java. Is there a way we can exclude the others and keep only Java?
Current analysis is
Property sonar.language is what you're looking for, see Analysis Parameters
We have FxCop analysis being run by Nant/Jenkins. A SonarQube C# analysis is then triggered, and executed successfully.
We'd like to reuse fxcop.xml result file from Jenkins for Sonar's analysis.
We tried this configuration with no luck:
sonar.fxcop.mode=reuseReport
sonar.fxcop.reportsPaths=fxcop.xml
SonarQube is asking for path to FxCopCmd.exe. If specified, Sonar is running FxCop analysis one more time. We don't want that.
According to this thread sonar.fxcop.mode is no longer supported.
Quoted from the thread:
You can skip the execution of FxCop on a specific project by using another Quality Profile for it, that does not contain any FxCop rule.
Indeed, it is important for the evolution of a project's technical debt to be trackable over time. Changes in the rules that are applied during the analysis has an obvious impact on the technical debt, and therefore should be tracked.
The "sonar.fxcop.mode" property did not allow that, and was therefore removed. For example, with the reuseReports mode, you could launch just 1 or 2 rules, whereas in SonarQube all FxCop rules are enabled. Skipping the FxCop analysis fully when all FxCop rules are enabled in SonarQube is obviously deceiving.
The reuseReports mode should not be required, as SonarQube is able to drive FxCop's execution.
I guess FxCop should be started from SonarQube directly.
How can we make developers resolve static code analysis tool issues before they check the file in to TFS? Below are the details:
Source Code Repository: TFS
.NET/UI Static code tools: Refactor, JSLint
Java Web Services Code: PMD, FindBugs
If TFS can't be configured, is it possible for us to create some kind of tool which will generate the report by taking data from all these static analysis tools daily at EOD?
I haven't had the chance to configure it myself, but JetBrains released their ReSharper analysis engine as a set of free command-line tools!
There's some information in the blog post above about how to configure the build server to run those. I assume you can configure gated check-in policy to allow check-ins only if no "major" code issues were found.
We are using only FxCop and StyleCop rules in Jenkins and Sonar.
But we are getting a higher number of violations on the Sonar dashboard than in Jenkins.
Jenkins is using 318 rules (FxCop & StyleCop combined) whereas Sonar is using only 130 rules (FxCop & StyleCop combined).
But still we get more violations on the Sonar dashboard than in Jenkins.
Can anyone tell me why this is happening?
Also, Jenkins shows the results of FxCop and StyleCop separately, whereas Sonar merges the results of FxCop and StyleCop and displays them together. Does anyone know how we can separate the results?
There can be several explanations why you get more violations in Sonar:
the FxCop and StyleCop rules are not configured with the same parameters (threshold, ...) between Sonar and Jenkins. This is the first thing you should do actually.
maybe you also have Gendarme rules activated in your quality profile on Sonar? (this is the case if you're using the default "Sonar way" profile)
you may also have lots of other Sonar violations (which don't come from external tools like FxCop), ranging from detected duplications to design issues.
And to answer your last question, there's currently no way in the Sonar UI to separate violations based on the tool that generates them. The most important thing for Sonar users is to get the whole list of violations, whatever the tool that generates them.
I have been using Sonar for the last few months and want to know whether Sonar works in an incremental way or not. That is, if I do a Sonar analysis for the first time on my project code it will definitely analyze all the code, but if I make some enhancements to my core source code and update some files, and then run the Sonar analysis again on the same code, will Sonar analyze all the files or only the files which I have updated?
I am using "Sonar way with Findbugs" as my default quality profile.
Is there any way to use sonar in an incremental way, to analyze only updated files?
Is this possible in sonar or not?
Kindly revert; your help will be appreciated.
Thanks in advance.
Sonar does not currently handle incremental analyses.
If you want, you can watch and vote for the following ticket: http://jira.codehaus.org/browse/SONAR-2815
If your task is code quality metrics in a general way, then you can use these tools directly in Jenkins. See the FindBugs Plugin, PMD Plugin or Checkstyle Plugin. They independently give what you need in the form of "incremental code" reports. But if you have to use SONAR only, then Fabrice's answer is the correct one.
Here is the post where the ticket that #fabrice-sonar-team comments on was born:
does Sonar support Incremental code quality analysis
You can read Freddy Mallet's explanation about why this functionality is not trivial to implement. It requires a lot of effort, so as Fabrice said, vote for the ticket! :)
Just adding on, since this is the first Google result for 'Sonar incremental preview analysis' on Stack, and the answers are way too old.
Sonar has plugins available for IDEs such as Eclipse and NetBeans that can run incremental analysis on the changed files alone. This still needs a connection to the SonarQube server though.
You may also run the analysis right from Jenkins by passing an additional Sonar analysis property, sonar.analysis.mode=incremental, in your Sonar scan build step. This will report the code quality in a full report, with all code issues, as well as a light report containing only new issues (since the last full scan as recorded in the server).
To take it one step further, use sonar.issuesReport.html.enable=true and publish the generated HTML reports to your Jenkins build page. Neat and trim.
Sonar documentation here