Suraj M - 1 month ago
Java Question

MethodInvocationTree usage in SonarQube using Java

The requirement is to flag all the occurrences of

HttpSession session = request.getSession();


I am using Tree.Kind.METHOD_INVOCATION within the nodesToVisit method for intercepting all method invocations. I am successfully getting the instances of HttpSession:

HttpSession session1 = request.getSession(); // Noncompliant
HttpSession session2 = request.getSession(true); // Noncompliant


But the symbol type for the tree comes back as !unknownSymbol!

Appreciate any inputs here. Is any specific setting required for the SonarQube analyzer to recognize the javax.servlet package?

Answer

The symbolType is unknown because the libraries are missing from the classpath. We need to add the dependency in the pom.xml for the custom plugin.

  1. When testing the source code analysis via JUnit, we must use the maven-dependency-plugin for providing the dependency jars.
  2. After deploying the plugin in SonarQube, we need to add the following properties in sonar-project.properties.

sonar.java.libraries=lib/*.jar
sonar.java.test.libraries=lib/*.jar

Below is the plugin maven-dependency-plugin addition in the pom.xml.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.10</version>
    <executions>
        <execution>
            <id>copy</id>
            <phase>test-compile</phase>
            <goals>
                <goal>copy</goal>
            </goals>
            <configuration>
                <artifactItems>
                    <artifactItem>
                        <groupId>javax</groupId>
                        <artifactId>javaee-api</artifactId>
                        <version>7.0</version>
                        <type>jar</type>
                    </artifactItem>
                </artifactItems>
                <outputDirectory>${project.build.directory}/test-jars</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>
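For completeness, here is an added example of the check itself together with a JUnit test that picks up the jar copied by the pom.xml execution above. It is not the asker's or SonarSource's code; it assumes a sonar-java plugin API version that provides MethodMatchers, the java-checks-testkit CheckVerifier, JUnit 4, and the sample-file and jar paths shown (the jar name follows the maven-dependency-plugin default of artifactId-version.jar).

```java
import java.io.File;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.junit.Test;
import org.sonar.check.Rule;
import org.sonar.java.checks.verifier.CheckVerifier;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;

// Custom rule: report every HttpServletRequest#getSession(...) call, with or without arguments.
@Rule(key = "HttpSessionUsage")
public class HttpSessionUsageCheck extends IssuableSubscriptionVisitor {
  // Semantic matcher on the receiver's resolved type. It can only fire when the servlet API is on
  // the analysis classpath; with an unresolved ("!unknownSymbol!") symbol matches() is simply false,
  // so the rule stays silent rather than guessing by method name.
  private static final MethodMatchers GET_SESSION = MethodMatchers.create()
      .ofSubTypes("javax.servlet.http.HttpServletRequest")
      .names("getSession")
      .withAnyParameters()
      .build();

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
  }

  @Override
  public void visitNode(Tree tree) {
    MethodInvocationTree mit = (MethodInvocationTree) tree;
    if (GET_SESSION.matches(mit)) {
      reportIssue(mit.methodSelect(), "HttpSession obtained here; review whether a session must be created.");
    }
  }
}

// Test (separate file): the sample source holds the two "// Noncompliant" lines from the question;
// the classpath points at the jar copied by the maven-dependency-plugin execution in the answer.
class HttpSessionUsageCheckTest {
  @Test
  public void detects_get_session() {
    CheckVerifier.newVerifier()
        .onFile("src/test/files/HttpSessionUsageCheck.java")
        .withCheck(new HttpSessionUsageCheck())
        .withClassPath(Arrays.asList(new File("target/test-jars/javaee-api-7.0.jar")))
        .verifyIssues();
  }
}
```

Without the jar on the classpath the test fails because no issue is raised, which is the same symptom the question describes in production analysis until sonar.java.libraries is set.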