Closed znerd closed 2 years ago
KengoTODA
commented
5 years ago similar with #258, but why don't you configure Quality Profile?
If you have two kinds of project: one with SpotBugs and another without SpotBugs, use different Quality Profile then you can fulfill your objective.
znerd
commented
5 years ago I have no FindBugs rules in the Quality Profiles associated with my Project in SonarQube. Looks like I'm hitting a bug similar to #37, but also as mentioned in a comment to #258.
But even if the bug would not be there, I would appreciate the flexibility of disabling the sensor explicitly per code base (or even per branch).
rmlekus
commented
5 years ago Hi, I ran into the very same problem / question: I need to analyze a large java project with just a view custom sonar-java (squid) rules. For that purpose a project specific QualityProfile (SonarQube 6.7.6 + spotbugs 3.9.4) was created, without a single findbugs/spotbugs rule activated.
Despite of this the spotbugs sensor is activated (and throws an "invalid byte code" excpetion of every single of the > x*1000 java/class files encountered. Custom Squid Rules and JVM 8 got no such problem, and also in all other projects the spotbugs rule are required and works fine. (Thus removing the spotbugs plugin is no option).
Thus I'd really like to avoid having the Sensor consuming time and cpu resources on this project, without having to install a separate SonarQube Server instance. I would be fine with using the herein mentioned property, but also with a solution based on the non-existance of findbugs rules in the SonarQube profile used for this project.
Merging that fix/enhancement into the 3.9.x branch to support SonarQube 6.7.x servers would also be appreciated, since an update from SQ 6.7 to the most recent LTS (7.9) would require to migrate from our MySQL based installation to an installation based on Postgres, which will need extra planing and time to be invested.
Best Regards, Robert
h-ngo
commented
4 years ago This would be greatly helpful for multi-module projects (Scala/Java). We can the control of the on/off switch at module level instead of listing all packages in the exclude xml, especially, when all Java Scala packages share the same package prefix.
pagarwal-ignitetech
commented
3 years ago i also need to disable findBugs from sonar scanner
gtoison
commented
2 years ago The issue seems to be that there are some FindSecBugs JSP rules enabled, probably because they are in the default JSP profile: https://github.com/spotbugs/sonar-findbugs/pull/294#issuecomment-987716288
gtoison
commented
2 years ago Since https://github.com/spotbugs/sonar-findbugs/pull/294 was closed and the main problem seems to fixed I'll close that issue, unless someone still feels that there's a use case for an option to disable the plugin
MarkvanOsch
commented
6 months ago I'm also looking for this option, but I see this "sonar.findbugs.enabled" option only merged to the mtooth/sonar-findbugs repo.
Will it also be merged to spotbugs repo itself?
gtoison
commented
6 months ago You normally would setup a Sonar quality profule without SpotBugs rule if you don't want it to run. There was a bug were the analysis would run even though no rules was enabled, but that is solved now.
@MarkvanOsch do you have a use case that you couldn't work out with a quality profile?
MarkvanOsch
commented
6 months ago The use case is a central sonarqube server waiting to be updated so it can support java 21. I'm experimenting with a java 21 project and want disable the findbugs sensor without being dependant on the central department. I know sonarqube itself is not yet supporting java 21, but curious for the results.
MarkvanOsch
commented
6 months ago I also tried a different approach by using the "sonar.findbugs.excludesFilters" options with a findbugs.xml file. But it seems that the findbugs sensor plugin still analyses these classes, causing to fail. Should it not exclude these files from analysis too?
Is there maybe another workaround for this? So that the findbugs sensor does not analyse the code / classes? In the end I just want to skip the findbugs sensor using the sonar scanner maven plugin, and a central sonarqube server that I don't manage.
gtoison
commented
6 months ago Hold on, I'm a bit confused because SpotBugs supports Java 21 while SonarQube doesn't. So why are you trying to disable the plugin?
The exclusion filters do not work for this because SpotBugs starts by analyzing the compiled .class files, and then it locates the corresponding source file. It needs to analyze the .class files even if they might be excluded because other classes might be referring to it. I think that you could exclude all .java files (using sonar's native exclusions) and then it would detect that there is no source file
MarkvanOsch
commented
6 months ago Yes, agree, my use case is maybe not possible anyway. But I wanted to move forward with Java 21 code, and work around it. Or just be patient for the SonarQube 10.5, announced to have Java 21 support.
gtoison
commented
6 months ago In case you're trying to experiment with newer versions you can probably spin up a local instance of SonarQube, for instance we are using Sonar's orchestrator in the project's integration tests: https://github.com/spotbugs/sonar-findbugs/blob/master/src/test/java/org/sonar/plugins/findbugs/it/FindbugsTestSuite.java
MarkvanOsch
commented
6 months ago Thanks, will try that. This option "
Is your feature request related to a problem? Please describe. I would like to be able to explicitly skip the FindBugs/SpotBugs sensor during the sonar scan.
Describe the solution you'd like I'd like to be able to explicitly configure certain code basis to indicate the FindBugs/SpotBugs sensor should not be executed when the SonarQube Scanner is run.
Describe alternatives you've considered
.classfiles available: in some cases the class files are just there already..classfiles: this seems a hack, and it may in fact affect other sensors, like the Java plugin.Additional context Some of the other SonarQube plugins also support a
skipconfiguration setting.Suggested property:
sonar.findbugs.skip(default value beingfalse).