donhui / sonar-mybatis


README (Chinese version)

SonarQube MyBatis Plugin

MyBatis Plugin for SonarQube: Rules to check SQL statements in MyBatis Mapper XML files.

What is Risk SQL?

Risk SQL is dynamic SQL in a MyBatis mapper file, such as the `<if test=""></if>` elements of a Mapper XML file, where, if every parameter tested by the statement's conditions is null, the SQL that actually executes carries no effective condition and may be very dangerous (for example, the delete below becomes `DELETE FROM table_name WHERE 1=1`).

An example follows:

```xml
DELETE FROM table_name
WHERE 1=1
<if test="startTime != null">
    AND start_time <![CDATA[=]]> #{startTime}
</if>
<if test="endTime != null">
    AND end_time <![CDATA[=]]> #{endTime}
</if>
```
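To make the failure mode concrete, here is an added example (not part of the plugin's own code) of the kind of check the rules above perform. It parses a mapper file, renders each `delete`/`update` statement as MyBatis would when every `<if>`/`<when>` test is false (all parameters null), and flags statements whose remaining SQL has no `WHERE` clause or only a trivial one such as `WHERE 1=1`. The mapper XML, the `OrderMapper` namespace and the statement ids are constructed for this example; the handling of `<where>`, `<choose>` and trailing `ORDER BY`/`LIMIT` clauses is this example's own assumption, not a description of the plugin's rule set.

```python
import re
import xml.etree.ElementTree as ET

# Dynamic-SQL elements whose body disappears when the parameter they test is null.
CONDITIONAL_TAGS = {"if", "when"}
# WHERE conditions that never restrict the affected rows, e.g. "WHERE 1=1".
TRIVIAL_CONDITION = re.compile(r"^\s*(?:1\s*=\s*1|true)\s*$", re.IGNORECASE)


def worst_case_sql(element: ET.Element) -> str:
    """Render the SQL MyBatis would emit if every <if>/<when> test were false.

    <where> is emitted only when its body is non-empty (as MyBatis does), and
    <choose> keeps just its <otherwise> branch. Other child elements
    (e.g. <set>, <trim>) are rendered as their text; this is a simplification.
    """
    parts = [element.text or ""]
    for child in element:
        if child.tag in CONDITIONAL_TAGS:
            pass  # body dropped: the tested parameter is null
        elif child.tag == "where":
            inner = worst_case_sql(child).strip()
            inner = re.sub(r"^(?:AND|OR)\b\s*", "", inner, flags=re.IGNORECASE)
            if inner:
                parts.append(" WHERE " + inner)
        else:
            parts.append(worst_case_sql(child))
        parts.append(child.tail or "")
    return " ".join(parts)


def lacks_effective_where(sql: str) -> bool:
    """True when the statement has no WHERE clause or only a trivial one."""
    text = re.sub(r"\s+", " ", sql).strip()
    match = re.search(r"\bWHERE\b(.*)$", text, re.IGNORECASE)
    if match is None:
        return True
    condition = match.group(1)
    # Ignore clauses that follow the condition; they do not restrict rows.
    condition = re.split(r"\b(?:ORDER|GROUP|LIMIT)\b", condition, flags=re.IGNORECASE)[0]
    return bool(TRIVIAL_CONDITION.match(condition))


def risky_statements(mapper_xml: str, kinds=("delete", "update")) -> list:
    """Return namespace-qualified ids of statements that are risky when all parameters are null."""
    root = ET.fromstring(mapper_xml)
    namespace = root.get("namespace", "")
    findings = []
    for stmt in root:
        if stmt.tag not in kinds:
            continue
        if lacks_effective_where(worst_case_sql(stmt)):
            findings.append(f"{namespace}.{stmt.get('id')}")
    return findings


# Constructed sample mapper: one risky delete (WHERE 1=1 plus optional <if>s),
# one safe delete, and one risky update whose <where> collapses to nothing.
SAMPLE_MAPPER = """<mapper namespace="com.example.OrderMapper">
  <delete id="deleteByTimeRange">
    DELETE FROM orders
    WHERE 1=1
    <if test="startTime != null">
      AND start_time <![CDATA[=]]> #{startTime}
    </if>
    <if test="endTime != null">
      AND end_time <![CDATA[=]]> #{endTime}
    </if>
  </delete>
  <delete id="deleteById">
    DELETE FROM orders WHERE id = #{id}
  </delete>
  <update id="cancelByStatus">
    UPDATE orders SET status = 'cancelled'
    <where>
      <if test="status != null">status = #{status}</if>
    </where>
  </update>
</mapper>"""

if __name__ == "__main__":
    for stmt_id in risky_statements(SAMPLE_MAPPER):
        print(f"risky when all parameters are null: {stmt_id}")
```

Run it directly to list the two risky statement ids; `deleteById` is not reported because its `WHERE id = #{id}` condition survives regardless of parameter values. The reported ids are in the same `namespace.id` form the plugin's global exclude list uses.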

MyBatis Rules

There are 7 built-in MyBatis rules: select statements have three rules, and update and delete statements have two rules each.

(image: mybatis-rules)

How to install it?

There are two options to install a plugin into SonarQube:

Marketplace

If you have access to the Internet and you are connected with a SonarQube user having the Global Permission "Administer System", you can go to Administration > Marketplace.

Once the download is complete, a "Restart" button will be available to restart your instance.

Manual Installation

The plugin can be downloaded from the GitHub releases page.

Put the downloaded jar in $SONARQUBE_HOME/extensions/plugins, removing any previous versions of the same plugin.

Once done, you will need to restart your SonarQube Server.

How to Use it?

Here is an example using a Maven build command (the original had a stray `==` in `-Dsonar.exclusions`, corrected below):

```shell
mvn clean compile -U -Dmaven.test.skip=true -Dmaven.javadoc.skip=true sonar:sonar -Dsonar.host.url=http://127.0.0.1:9000/ -Dsonar.projectKey=demo -Dsonar.projectName=demo -Dsonar.sourceEncoding=UTF-8 -Dsonar.sources=. -Dsonar.inclusions=src/main/** -Dsonar.exclusions=src/main/webapp/**
```

To analyze MyBatis mapper files, the src/main/resources directory must be included in sonar.sources.

Support Global Stmt ID Exclude

If there are specific statement issues you want to ignore, add the statement id, qualified with its namespace, to the global stmt id exclude list.

(image: stmt-id-exclude)

Skip MyBatis Sensor

If you want to skip the MyBatis sensor, set the global property sonar.mybatis.skip to true, or add the parameter -Dsonar.mybatis.skip=true to the command.

Contribute

Please report bugs and feature requests at https://github.com/donhui/sonar-mybatis/issues.

You can also submit pull requests to fix bugs or add new features; any contribution is welcome.

Stargazers over time

(image: Star History Chart)