Sonar shows new violations in old code
We are using SonarQube 6.7.3 and sonar-java-plugin 5.3.
We have made the changes below to our Sonar configuration recently:
- Enabled new rules
- Changed the configuration to include byte code (changed from 'clean sonar:sonar' to 'clean package sonar:sonar')
We are using the Sonar SVN plugin and provide valid credentials to it.
I understand providing byte code to Sonar will help it identify more issues, but I expect Sonar to flag new issues based on the SVN code commit date and the last analysis date, and it is not.
Please let me know why it is flagging issues in old code as new?
Solution

Sonar Scanner always scans the entire code base. If somebody has decided that some code structures are wrong or dangerous (the ruleset has been changed), then SonarQube has to notify about all occurrences of that code. Why? Let's think about the following example:
After a plugin upgrade, SonarQube provides a new, very important security rule which forbids the use of a dangerous cipher algorithm. Now the question is:
- is it only dangerous in new code?
- is it always dangerous?
Of course, it is always dangerous. SonarQube doesn't force you to fix everything (usage of the quality gates is optional). Its main goal is to let you know how many problems (code smells/bugs/vulnerabilities) exist in the whole code base.
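To make the answer's example concrete, here is an added Java illustration (not code from the question, the answer, or SonarSource) of the kind of finding a "dangerous cipher algorithm" rule raises no matter how old the commit is: a legacy `encryptLegacy` method using DES in ECB mode, beside a hardened `encryptModern`/`decryptModern` pair using AES-GCM with a per-message random nonce. The method names, the sample plaintext and the choice of AES-GCM as the replacement are this example's own assumptions; the page does not name a specific rule or key size.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class CipherExample {

    // "Before": legacy code that a rule forbidding weak ciphers flags on every
    // occurrence, regardless of commit date. DES has an effective 56-bit key and
    // ECB mode leaks plaintext structure, so the finding is valid in old code too.
    static byte[] encryptLegacy(SecretKey desKey, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); // the flagged call
        cipher.init(Cipher.ENCRYPT_MODE, desKey);
        return cipher.doFinal(plaintext);
    }

    // "After": AES-GCM (authenticated encryption) with a fresh random 96-bit nonce
    // per message. The nonce is prepended to the ciphertext so the receiver has it.
    static byte[] encryptModern(SecretKey aesKey, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Splits the nonce back off and verifies the GCM tag; a tampered message throws.
    static byte[] decryptModern(SecretKey aesKey, byte[] nonceAndCt) throws Exception {
        byte[] nonce = Arrays.copyOfRange(nonceAndCt, 0, 12);
        byte[] ct = Arrays.copyOfRange(nonceAndCt, 12, nonceAndCt.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration.
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        KeyGenerator desGen = KeyGenerator.getInstance("DES");
        byte[] legacy = encryptLegacy(desGen.generateKey(), msg);
        System.out.println("DES/ECB ciphertext length: " + legacy.length);

        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        SecretKey aesKey = aesGen.generateKey();
        byte[] sealed = encryptModern(aesKey, msg);
        byte[] opened = decryptModern(aesKey, sealed);
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(msg, opened));
    }
}
```

Running `clean package sonar:sonar` over a project containing `encryptLegacy` surfaces the DES call whether the method was written last week or years ago, which is the behaviour the answer describes; the `encryptModern` form is what clearing that finding looks like.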