Analyzing the whole project at once with SonarLint - file-by-file analysis produces incomplete results

2022-01-17 00:00:00 sonarqube eclipse sonarlint

I'm evaluating SonarQube 5.4 with the SonarLint Eclipse plugin.

SonarQube as well as the plugin are set up and running. But now I'm pretty confused about how SonarLint is supposed to run in 'connected mode':

  • SonarLint is connected to SonarQube and is bound to the corresponding project. But some issues are only shown in SonarQube. It was my understanding that SonarLint should be able to identify issues like Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object. But it does not. SonarQube does.
  • When analysing a single file with SonarLint, there are a lot of debug messages in the SonarLint Console like Class not found in resource cache : org/company/project/CommonSuperClass. But even worse: Class not found in resource cache : java/lang/Class. Is it supposed to do that?
  • We are specifically interested in highlighting the issues introduced by the developer. SonarQube is connected to our repo and does a nice job of blaming the committer. But there seems to be no way of showing my own issues in SonarLint.
  • I'd like to run the SonarLint analysis at a time of my choice, so I decided to deactivate "Run SonarLint automatically". But it seems I can only analyze files manually, not packages or projects. Am I missing something again? I do not want to click on every one of my ~2000 files and analyze it by hand.

Recommended answer

SonarLint and SonarQube are 2 different products:

  • You want fast feedback on the code you are working on, to make sure you don't inject issues => SonarLint analyzes a file when you open it to write or review code
  • You want a 360° view of your code quality => SonarQube analyzes all the files of your project

The "connected mode" is the bridge between the 2 worlds, and its development is still underway. For instance, we plan to make it possible to see inside SonarLint all the issues found on the project by SonarQube (see and vote for SLE-54).
