Coverity® Sonar Plugin

The Coverity Sonar Plug-in automatically imports issues from Coverity Connect into SonarQube.

Current Version: 1.7.5

Coverity Sonar Plug-in Installation and Configuration Guide

This guide is intended to assist you with the installation and configuration of the Coverity Sonar plug-in. Once completed, you will be able to view Coverity Analysis issues within the SonarQube environment.

Compatibility Matrix

The table below displays the software versions supported by the Coverity Sonar plug-in.

Software	Supported versions
SonarQube	7.9.1 - 8.9
SonarQube Scanner	3.0 - 4.0
Coverity Connect	8.0+

Installing the Coverity Sonar Plug-in

To install the Coverity Sonar plug-in, complete the following steps.

1. Ensure that you have a supported version of SonarQube and SonarQube Scanner installed.
   Sonar installation and setup instructions are located at http://docs.sonarqube.org/display/SONAR/Setup+and+Upgrade.

2. Download and unzip the Coverity Sonar plug-in to the Sonar plugins folder: <SonarInstallDirectory>/extensions/plugins

3. Restart SonarQube.

Note: After upgrading SonarQube, reset the quality profile for the languages which use Coverity (in Quality Profiles, select Restore Built-in Profiles, and select the language.)

Configuring the Coverity Sonar Plug-in

Once installed, you must configure the Coverity Sonar plug-in for general use.

1. Log in to SonarQube as an administrator.

2. Click on Administration.

3. Choose Configuration > General Settings.

4. Choose Coverity.

5. Enter the appropriate information in each of the fields for your Coverity Connect instance. Ensure that the Enable Coverity option is set to “True” to allow the import of Coverity data.

6. Click Save Coverity Settings to complete the basic configuration.

Configuring your Project Settings

After configuring the general plug-in settings, you must select the correct Coverity Connect project to associate with each of your Sonar projects.

1. Log in to SonarQube as an administrator.

2. Ensure that you have uploaded your project at least once (with SonarQube Scanner), and select the project in SonarQube.

3. Click on Quality Profiles.

4. Change the Quality Profile option for your project to Coverity(<language>), and click Update.

5. Choose Configuration > General Settings.

6. Choose Coverity.

7. Ensure that the Enable Coverity option is set to “True” to allow the import of Coverity data.

8. Enter the name of the Coverity Connect project that corresponds to the current Sonar project.

9. Click Save Coverity Settings.

Once completed, SonarQube will pull the current Coverity Analysis data whenever you run SonarQube Scanner on the specified project. This configuration must be completed for each project you wish to link with Coverity Connect.

Setting Up sonar-project.properties

For the plug-in to successfully display Coverity defects, the correct source paths must be entered in the sonar-project.properties file at the root of the project you are scanning. The sonar.sources variable must contain the absolute path names of the source files. For example, on a Linux system, the variable’s setting might look like this:

sonar.sources=/home/gwen/source/ces-tools/src/main/java

On windows it might look like this:

sonar.sources=C:\\Users\\gwen\\source\\ces-tools\\src\\main\\java

See below for a complete example sonar-project.properties file.

# Required metadata

sonar.projectKey=My-Project-Key

sonar.projectName=My-Project-Name

sonar.login=admin

sonar.password=admin

sonar.host.url=http://localhost:9000

sonar.projectVersion=1.5.0

# Comma-separated paths to directories with sources (required)

sonar.sources=.

# Encoding of the source files

sonar.sourceEncoding=UTF-8

sonar.coverity.connect.hostname=localhost

sonar.coverity.connect.port=8080

sonar.coverity.connect.username=user

sonar.coverity.connect.password=password

sonar.projectVersion=1.5.0

sonar.coverity.stream=MyStream

sonar.coverity.project=MyProject

sonar.coverity.enable=true

# sonar.coverity.prefix=MyOptionalPrefix

Note: When using the Coverity plug-in, use the language key "cov-cpp" instead of "c", "c++", or "cpp". This language key prevents conflicts with non-Coverity plug-ins.

To specify the language key:

• In Administration > Coverity > Languages, configure "C/C++ source files suffixes" appropriately.
• Make sure that Administration > Configuration > Languages and your project level settings (Project Settings > General Settings > Languages) don't contain the suffixes that you configured above to avoid conflicts. For example, if your Coverity language configuration includes **./*.cpp , make sure to remove **./*.cpp everywhere else.
• See https://community.sonarsource.com/t/language-of-file-dal-db2-vb-can-not-be-decided-as-the-file-matches-patterns-of-2-languages/21998 and https://community.sonarsource.com/t/language-of-file-can-not-be-decided-as-the-file-matches-patterns/16246 to see example conflicts.

Note: The "sonar.coverity.prefix" property is used to help locate files when anlyzing with the sonar scanner. The prefix value will be removed from the "File path" value on the Coverity Connect issue.

• the value must match exactly, if having trouble finding the source files look at the Coverity Connect issues "File" column
• when running analysis on windows Coverity Connect returns values with linux path separators
• by using --strip-path during analysis this property can be avoided

Note: Coverity SonarQube Plugin now supports both stream and project.

• If sonar.coverity.stream is configured, then the plugin will only fetch defects from configured stream, regardless sonar.coverity.project is configured.
• If sonar.coverity.stream is not configured, then the plugin will use sonar.coverity.project to fetch defects from.

The Coverity Widget

The Coverity plug-in includes a Coverity widget that displays Coverity-specific measures. The Coverity widget is available with SonarQube versions before version 6.2.

• The Coverity logo and the Coverity Project are both clickable links that take you to the Coverity Connect instance. There, you can view the Coverity project that contributes data to your Sonar project.
• The Outstanding Issues count is the number of outstanding Coverity issues found in the most recent scan.
• The other three counts are the numbers of issues at each of Coverity’s three impact levels.
• The Coverity widget is no longer supported as of SonarQube v6.2. The metrics that were displayed by the widget are shown in SonarQube under Measures.
• The Coverity widget can be added to the Dashboard by two different routes: as Admin, go to Dashboards > Manage dashboards, or in a Project, go to Dashboard and add it there.

Sonar Scanner with SSL

Coverity SonarQube Plugin provides a connection to Coverity Connect through SSL. The certificates should be imported to the java key chain where Sonar Scanner is running from.

Sonar Scanner provides its own jre bundle as part of Sonar Scanner. This means that if a user installed java locally, the certificates need to be imported to the jre which is bundled with Sonar Scanner.

keytool -importcert -keystore /jre/lib/security/cacerts -storepass changeit -file -alias

Limitations

The Coverity Sonar plug-in has the following limitations, which may be addressed in future releases.

• Cannot modify data in Coverity Connect (such as triage). Data from Coverity Connect is read-only in Sonar.

• A Sonar instance can only work against a single Coverity Connect instance.

• Does not distinguish between Quality, Test Advisor, and Security issues.

• Interacts with Coverity Connect only through web services, meaning the plug-in will not interact with build or analysis, and source code is separately maintained between Coverity Connect and Sonar.

• No parsing of source code – the plug-in is language agnostic.

• No creation of related Coverity Connect projects in Sonar.

• The file paths must match exactly in Sonar and Coverity Connect; otherwise issue data will not be imported. However, because Coverity Analysis may not be performed on the same directory as Sonar Analysis, you may remove the beginning of the filename to make it relative to Sonar’s project root.

To do so, navigate to the “Configuration -> General Settings -> Coverity” menu, and specify the prefix to be removed in the “Coverity Files Prefix” field.

• There are no immediate plans for localization to languages other than English.

Support

If you have questions or issues with the Coverity plugin, please contact coverity-support@synopsys.com

Changelog

• 1.7.5

  • Fixed crash on start up of plug-in (SQP-156)
  • Updated minimum supported version of SonarQube to 7.9.1 (SQP-141)
  • Added support for SonarQube 8.* (SQP-148)

• 1.7.4

  • Fixed an issue where C/C++ doesn't show up under 'languages' filter in the Projects page. (SQP-134)
  • Fixed an issue where lines of code not reporting consistently for c/c++ in SonarQube. (SQP-135)
  • Enhancement Request - addition of Coverity c/c++ rules into SonarQube plugin (SQP-133)

• 1.7.3

  • Fixed an issue where C/C++ project is displayed as an empty project in the SonarQube after running Coverity SonarQube plugin. (SQP-144)
  • "sonar.coverity.cov-cpp.suffixes" property is declared as multi-value property. (SQP-136)

• 1.7.2

  • Coverity SonarQube plugin now support importing defects from configured stream. (SQP-130, SQP-131)
  • Coverity SonarQube plugin now support SonarQube 7.9LTS. (SQP-137)

• 1.7.1

  • Fixed an issue finding the physical source file via sonar.coverity.prefix in the sonar-project.properties file. (SQP-128)

• 1.7.0

  • Minimum support version of SonarQube has been changed to version 6.7.5. (SQP-121)

• 1.6.2

  • The Coverity SonarQube plugin handles the multiple occurrences of Coverity defects where each occurrence has different file path. (BZ 108516)

• 1.6.1

  • Fixed an issue where the SonarQube issue's line number is different compared to the defect's line number from the Coverity Connect. (BZ 105639)
  • SonarQube Coverity plugin creates the Sonarqube issue with similar description, compared to the defect description displayed in the Coverity Connect. (BZ 105640)
  • Added logging to console on the progress of retrieving Coverity defects from Coverity Connect. (BZ 107598)

• 1.6.0

  • The SonarQube Coverity plugin now uses tags for each rule to provide easy filtering and lookup. (BZ 96223)
  • The SonarQube Coverity plugin now uses the prefix to match the file location in the Windows operating system. (BZ 90691)
  • Updated to support SonarQube version 5.6 and newer. (BZ 90540)
  • Added support for Coverity JavaScript, Python, PHP, and Objective-C/C++ language checkers. (BZ 90023, 90056, 90061, 90188)
  • SonarQube Coverity plugin now imports DC.WEAK_CRYPTO, TOCTOU, and RESOURCE_LEAK defects from CIM and creates SonarQube issues. (BZ 89850)
  • Removed conflict with other C++ plugins for SonarQube by using a unique language (key="cov-cpp") for Coverity C languages. (BZ 88234)
  • The Coverity SonarQube plugin will try to match the any "Parse Warnings" defects from Coverity Connect with the rules the plugin provides upfront to the SonarQube server. If none of the rules match, then it will create a general "Parse Warnings" rule so that there are corresponding SonarQube issues. (BZ 83997)

• 1.5.0

  • Upgraded web services from v6 to v9.
  • Fixed issue of Dismissed defects being counted.
  • Coverity Metrics are set to have integer values so other plugins can use our information for statistics and other computations.
  • More rules definitions for all supported languages.
  • Fixed bug of C++ headers not being scanned.
  • Fixed bug of Coverity defects with no main event not being counted.