☕ SonarSource Static Analyzer for Java Code Quality and Security
SonarSource/sonar-java
This SonarSource project is a code analyzer for Java projects that helps developers produce Clean Code. Information about the analysis of Java features is available here.
- 600+ rules (including 150+ bug detection rules and 350+ code smells)
- Metrics (cognitive complexity, number of lines, etc.)
- Import of test coverage reports
- Custom rules
To provide feedback (request a feature, report a bug, etc.), use the Sonar Community Forum. Please do not forget to specify the language (Java!), the plugin version and the SonarQube Server version.
If you have a question on how to use the plugin (and the docs don't help you), we also encourage you to use the community forum.
To request a new feature, please create a new thread in the Sonar Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can use it.
To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and that all tests are passing (all checks must be green).
If you have an idea for a rule but you are not sure that everyone needs it, you can implement a custom rule available only for you. Note that, to help you, we highly recommend first following the Custom Rules 101 tutorial before diving directly into implementing rules from scratch.
Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring
To run tests locally follow these instructions.
You need Java 23 to build the project and Java 17 to run the Integration Tests (ITs).
Java 17 can be used to build and test all modules except those under `java-checks-test-sources`, which requires Java 23. Java 23 can be used to build and test all modules except those under `its`, which requires Java 17 because of SQ incompatibility.
To build the plugin and run its unit tests, execute this command from the project's root directory:
```
mvn clean install
```
Running unit tests within the IDE might run into some issues because of the way the project is built with Maven. If you see something like this:
```
java.lang.SecurityException: class ... signer information does not match signer information of other classes in the same package
```
try removing the Maven nature of the 'jdt' module.
To run integration tests, you will need to create a properties file like the one shown below, and set the URL pointing to its location in an environment variable named `ORCHESTRATOR_CONFIG_URL`.
```
# version of SonarQube Server
sonar.runtimeVersion=LATEST_RELEASE
orchestrator.updateCenterUrl=http://update.sonarsource.org/update-center-dev.properties
# The location of the Maven local repository is not automatically guessed. It can also be set with the env variable MAVEN_LOCAL_REPOSITORY.
maven.localRepository=/home/myName/.m2/repository
```
With, for instance, the `ORCHESTRATOR_CONFIG_URL` variable being set as:
```
export ORCHESTRATOR_CONFIG_URL=file:///home/user/workspace/orchestrator.properties
```
Before running the ITs, be sure your MAVEN_HOME environment variable is set.
The "Sanity Test" is a test that runs all checks against all the test source files without taking into account the result of the analysis. It verifies that rules are not crashing on any file in our test sources. By default, this test is excluded from the build. To launch it:
```
mvn clean install -P sanity
```
The "Plugin Test" is an integration test suite that verifies plugin features such as metric calculation, coverage, etc. To launch it:
```
mvn clean install -Pit-plugin -DcommunityEditionTestsOnly=true
```
Note for internal contributors: in order to also execute the tests that depend on the SonarQube Server Enterprise Edition, use:
```
mvn clean install -Pit-plugin
```
The "Ruling Test" is an integration test suite that launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files).
To run the test, first make sure the submodules are checked out:
```
git submodule update --init --recursive
```
Then, ensure that the `JAVA_HOME` environment variable is set for the ruling tests execution and that it points to your local JDK 17 installation. Failing to do so will produce inconsistencies with the expected results.
From the `its/ruling` folder, launch the ruling tests:
```
mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true
# Alternatively
JAVA_HOME=/my/local/java17/jdk/ mvn clean install -Pit-ruling -DcommunityEditionTestsOnly=true
```
Note for internal contributors: in order to also execute the tests that depend on the SonarQube Server Enterprise Edition, use:
```
mvn clean install -Pit-ruling
```
This test gives you the opportunity to examine the issues created by each rule and make sure they're what you expect. Any implemented rule is highly likely to raise issues on the multiple projects we use as ruling code base.
For a newly implemented rule, this means that a first build will most probably fail, caused by differences between the expected results (without any values for the new rule) and the new results. You can inspect these new issues by searching for files named after your rule (`squid-SXXXX.json`) in the following folder: `/path/to/project/sonar-java/its/ruling/target/actual/...`
For existing rules which are modified, you may expect some differences between "actual" (from new analysis) and expected results. Review carefully the changes that are shown and update the expected resources accordingly.
All the `json` files contain a list of lines, indexed by file, explaining where the issues raised by a specific rule are located. If/when everything looks good to you, you can copy the file with the actual issues located at:
its/ruling/target/actual/
Into the directory with the expected issues:
its/ruling/src/test/resources/
For example using the command:
```
cp its/ruling/target/actual/* its/ruling/src/test/resources/
```
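Before copying `actual` over the expected resources wholesale, it is worth seeing exactly which issue lines a change adds or drops per rule and per file. The script below is an added example, not part of the sonar-java project, that diffs the two directories of per-rule JSON files in the shape the text describes (a file key mapping to a list of issue lines); the directory layout and sample data are assumptions, constructed here for illustration.

```python
import json
from pathlib import Path

# Constructed sample in the ruling JSON shape: one file per rule, mapping a
# source file key to the list of lines where that rule raised an issue.
EXPECTED = {
    "squid-S1234.json": {"project:src/Foo.java": [10, 42], "project:src/Bar.java": [7]},
}
ACTUAL = {
    "squid-S1234.json": {"project:src/Foo.java": [10, 43], "project:src/Baz.java": [3]},
    "squid-S9999.json": {"project:src/Foo.java": [1]},  # new rule: no expected file yet
}

def diff_rule(expected, actual):
    """Return {file: (added_lines, removed_lines)} for one rule; unchanged files are skipped."""
    result = {}
    for file in sorted(set(expected) | set(actual)):
        exp, act = set(expected.get(file, [])), set(actual.get(file, []))
        if exp != act:
            result[file] = (sorted(act - exp), sorted(exp - act))
    return result

def diff_ruling(expected_by_rule, actual_by_rule):
    """Diff every rule file; a rule present on only one side is compared against {}."""
    rules = sorted(set(expected_by_rule) | set(actual_by_rule))
    return {rule: d for rule in rules
            if (d := diff_rule(expected_by_rule.get(rule, {}), actual_by_rule.get(rule, {})))}

def load_dir(directory):
    """Read every *.json in a directory into {filename: {file: [lines]}} (flat layout assumed)."""
    return {p.name: json.loads(p.read_text()) for p in Path(directory).glob("*.json")}

def report(diff):
    """One human-readable line per changed (rule, file) pair."""
    return [f"{rule} {file}: +{added} -{removed}"
            for rule, files in diff.items()
            for file, (added, removed) in files.items()]

if __name__ == "__main__":
    # Against a real checkout (hypothetical paths, flat directories assumed):
    # diff_ruling(load_dir("its/ruling/src/test/resources"), load_dir("its/ruling/target/actual"))
    print("\n".join(report(diff_ruling(EXPECTED, ACTUAL))))
```

Review each reported line against the rule's intent before updating the expected resources; a removed line on an existing rule is a potential false negative, an added one a potential false positive.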
The tests in the `autoscan` module are designed to detect differences between the issues the Java analyzer can find with and without bytecode. The goal here is to spot and fix the potential FPs, and to verify the expected FNs that would show up in SonarQube Cloud's automatic analysis.
Running this test can be broken down in 2 steps:
- Compiling the test sources
- Executing the autoscan test
Make sure that the `java-checks-test-sources` module has been compiled (i.e. the .class files in `java-checks-test-sources/target/` are up to date).
If in doubt, go to the `java-checks-test-sources` module and run:
```
# Use java 24!
mvn clean compile
```
To run the tests, move to the `its/autoscan` folder and run:
```
# cd its/autoscan
# use Java 17!
mvn clean package --batch-mode --errors --show-version \
  --activate-profiles it-autoscan \
  -Dsonar.runtimeVersion=LATEST_RELEASE
```
The artifacts produced during the test execution will be found in `its/autoscan/target/actual`. You will want to compare the results produced in the autoscan-diff-by-rules
For more detailed information, you can compare the differences between the results found with bytecode and without bytecode by comparing the two respective folders:
Depending on the results found, you might need to update the ground truth. The expected results are listed in `src/test/resources`.
You can debug ITs by adding `-Dmaven.binary=mvnDebug` as an option when running the tests. This will cause the analyzer JVM to wait for a debugger to be attached before continuing.
Copyright 2012-2025 SonarSource.
SonarQube analyzers released after November 29, 2024, including patch fixes for prior versions, are published under the Sonar Source-Available License Version 1 (SSALv1).
See individual files for details that specify the license applicable to each file. Files subject to the SSALv1 will be noted in their headers.