Zetten / bazel-sonarqube

Utilities integrating Bazel with SonarQube
Apache License 2.0

FindBugs sensor expecting classes folder and not the output jar #13

Open fcandalija opened 3 years ago

fcandalija commented 3 years ago

Hi @Zetten

I am testing this plugin on a Java codebase against a SonarQube server with the FindBugs sensor enabled in its Quality Profile. When I run the scanner in my project I end up seeing this error:

INFO: Sensor FindBugs Sensor [findbugs]
WARN: Findbugs needs sources to be compiled. Please build project before executing sonar or check the location of compiled classes to make it possible for Findbugs to analyse your (sub)project (/private/var/tmp/_bazel_fcandalija/0d91d8aee3d7bf9d86d406d9d8f9627c/<path to my project>).
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
INFO: Total time: 25.609s
INFO: Final Memory: 49M/188M
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarQube Scanner execution
ERROR: Can not execute Findbugs
ERROR: Caused by: One (sub)project contains Java source files that are not compiled (/private/var/tmp/_bazel_fcandalija/0d91d8aee3d7bf9d86d406d9d8f9627c/<path to my project>).
ERROR:
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.

It looks like the error happens because the FindBugs sensor is expecting the sonar.java.binaries property to be pointing to the directory containing all the *.class files, instead of to the output jar file, which is what the code is currently doing:

"{JAVA_BINARIES}": ",".join([parent_path + j.short_path for j in java_files["output_jars"].to_list()]),

Indeed, the Sonar documentation defines sonar.java.binaries as:

[Screenshot: Sonar documentation entry for sonar.java.binaries]

Any idea how we could access the *.class files directory to see if this error is fixed? I checked the JavaInfo provider and there's nothing in the outputs. I am quite new to Bazel and still not sure how this could be achieved.

Thanks for the plugin and the help!
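The mismatch described in the post above can be checked directly in a generated sonar-project.properties. The following is an added example, not code from this thread or from bazel-sonarqube: it reports whether each sonar.java.binaries entry is a jar archive or a directory that contains .class files. The function names, the kind labels and the sample layout are assumptions made up for the illustration.

```python
"""Added example: classify sonar.java.binaries entries in a sonar-project.properties."""
import os
import tempfile


def parse_properties(text):
    """Minimal .properties parser: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def classify_java_binaries(props, base_dir):
    """Return [(entry, kind)], kind is archive / class_dir / empty_dir / other."""
    results = []
    entries = (e.strip() for e in props.get("sonar.java.binaries", "").split(","))
    for entry in filter(None, entries):
        path = os.path.join(base_dir, entry)
        if os.path.isfile(path) and entry.endswith(".jar"):
            kind = "archive"             # what the rule currently emits (output jars)
        elif os.path.isdir(path):
            found = any(f.endswith(".class") for _, _, fs in os.walk(path) for f in fs)
            kind = "class_dir" if found else "empty_dir"
        else:
            kind = "other"
        results.append((entry, kind))
    return results


def demo():
    """Constructed sample layout: one jar, one classes directory, one empty directory."""
    with tempfile.TemporaryDirectory() as base:
        open(os.path.join(base, "libapp.jar"), "wb").close()
        os.makedirs(os.path.join(base, "classes", "com", "example"))
        open(os.path.join(base, "classes", "com", "example", "App.class"), "wb").close()
        os.makedirs(os.path.join(base, "empty"))
        text = ("# constructed sample, not a real project file\n"
                "sonar.java.binaries=libapp.jar,\\\n    classes, empty\n")
        return classify_java_binaries(parse_properties(text), base)
```

Calling `classify_java_binaries` with the parsed contents of a real properties file and the scanner's working directory as `base_dir` shows at a glance whether any entry is a classes directory.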

Zetten commented 3 years ago

Hi @fcandalija!

Using archives as inputs to the sonar.java.binaries property seems to work with the standard Java analyzer (or it would fail for me too!), but it looks like the Findbugs plugin is doing an additional check for 'source-like' content which is getting triggered in this case: https://github.com/spotbugs/sonar-findbugs/blob/master/src/main/java/org/sonar/plugins/findbugs/FindbugsConfiguration.java#L122

If you check out the sonar-project.properties files in bazel-bin, what values are being set there? I wouldn't expect it to be anything other than .jar files - and indeed that's what I get locally - but maybe I've missed something.

When building the first iteration of this tool I think there was no good way to get the .class files out of Bazel - IIRC java_library doesn't provide them as rule outputs.

I can think of a couple of options: