SonarQube 8.1 Support

[mc1arke]

Adds support for Sonarqube 8.1. As this change is not completely backwards compatible, the approach taken here may be introducing more complexity than required, so may be subject to change. In the meantime, this PR should be backwards compatible with Sonarqube 7.8 to 8.0 (inclusive)

Please see the latest comments on this PR: the recent changes mean that this PR will no longer support SonarQube 8.0 and any older versions

[mc1arke]

See sonarqube-community-branch-plugin-1.2.1-SNAPSHOT.zip for a ZIP file containing the plugin/module JAR for anyone who wants to try it out. Please report any initial testing results here.

[MariuszNowakowski]

Hi. I also tryied the sonarqube-community-branch-plugin-1.2.1-SNAPSHOT.zip with SonarQube 8.1.0.31237. I did it under Azure DevOps build. For me integration with SonarQube 8.1 works correctly. I did't had issues as @Sotam reported. I tried analysis of different branches and pull requests.

[Sotam]

Hi, please ignore my previous post (I've also deleted it) as it's working now. I'm not quite sure how, but I've setup a new SonarQube (8.1.0.31237) docker container and it's working now. Thanks!

[stefanwendelmann]

Running 8.1

[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default-cli) on project Varial-Fibu-Pojos: Unable to load component class org.sonar.scanner.scan.filesystem.InputComponentStore: 
Unable to load component interface org.sonar.scanner.scan.branch.BranchConfiguration: SHORT -> [Help 1]```

[stefan01]

Hi, i tried it on sonarqube version 8.1.0.31237 and I get the following error, when running ./gradlew sonarqube ... :

Caused by: Failed to upload report - An error has occurred. Please contact your administrator

In the server log I see the following error:

java.lang.IllegalStateException: Current edition does not support branch feature
	at com.google.common.base.Preconditions.checkState(Preconditions.java:508)
	at org.sonar.server.ce.queue.BranchSupport.createComponentKey(BranchSupport.java:63)
	at org.sonar.server.ce.queue.ReportSubmitter.submit(ReportSubmitter.java:83)
	at org.sonar.server.ce.ws.SubmitAction.handle(SubmitAction.java:113)
	at org.sonar.server.ws.WebServiceEngine.execute(WebServiceEngine.java:110)
	at org.sonar.server.platform.web.WebServiceFilter.doFilter(WebServiceFilter.java:88)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:88)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:72)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Unknown Source)

[mc1arke]

@stefanwendelmann are you sure you're running the right version of the plugin in both the extensions/plugin and lib/common directories?

@stefan01 It sounds like you've not installed the plugin to one of these locations. Please check you've followed the installation instructions fully.

[stefan01]

@mc1arke thx for the fast response!
I am running sonarqube via docker-compose.
I added the volume sonarqube_common:/opt/sonarqube/lib/common and restarted it with docker-compose restart. After that I put the .jar you provided in this thread at the two respective locations (in the extensions volume on /plugins and in the common volume on /) and restarted sonarqube.

[stefanwendelmann]

@mc1arke running 1.2.0 in both folders

[nixel2007]

@mc1arke could you rebase this onto latest master features such as pr decorations?

[JordanGoasdoue]

Hello,

I have tested the new Sonarqube v8.1 with the sonarqube-community-branch-plugin-1.2.1-SNAPSHOT

I can see a difference between the Sonarqube v8.0 with the sonarqube-community-branch-plugin-1.2.0-SNAPSHOT and this new version :

From Sonarqube v8.0 + 1.2.0-SNAPSHOT :
On the Overview page, I had branch-xxx From master with only New Bugs, Vulnerabilities, Code Smells displayed

From Sonarqube v8.1 + 1.2.1-SNAPSHOT :
On the Overview page, I have only branch-xxx, and I see all the Bugs, Vulnerabilities, Code Smells displayed from the Main Branch, instead of having the New ones only.

Am I the only one with this result, or is it same in other testers ?

Thanks

[mc1arke]

I've pushed an updated version of my 8.1 modifications that provides a few changes. See the commit message for full details but the highlights are:

1. Supports Pull Request Decoration of Github, Gitlab, and Bitbucket (same as current master build)
2. Uses the new Sonarqube UI for managing Pull Request decoration
3. Removes all the compatibility layer, as this version can no longer support 8.0 and previous versions

@4n4n4s I'm interested in your opinions on this change given it removed the delete functionality from the Bitbucket decorator you'd written.

@tisoft I'm also interested in your opinion on the fact I've removed the delete functionality for the Gitlab decorator, but you may also want to take a look at the ScannerPullRequestPropertySensor this change introduces as it should allow you to report the pipeline ID to sonarqube as you were looking for to complete the TODO item you had in your code

Could I ask for people to run this and report any feedback (both positive and negative) please?

[4n4n4s]

Hi @mc1arke
thanks for the info.

I think for Bitbucket the delete functionality can still be kept. The challenge is, that you need to find the userSlug for the user, that is commenting on the PR.
This can also be achieved using the following endpoint "/plugins/servlet/applinks/whoami" instead of the property.
Issue was that this is not documented in their API for some reason... 😱

If you don't want to add those additional feature toggles (delete comments, comment on file level, comment overall) to the UI anymore, then I would suggest that the default for delete should also be enabled, as otherwise the PR will be cluttered with tons and tons of comments if it's open for some time.
Example would be PR goes to development branch and every change on the development branch is also causing a rebuild of the current PR.

[mfolnovic]

I'd just like to agree with @4n4n4s, deleting old comments is really useful because MR (GitLab) / PR (everything else) will be filled with old, irrelevant comments. :)

[jrepko]

We are just using the plugin with standard git

I get this error from a gradle build using the snapshot on 8.1
I was getting this error from the previous 1.2.1 snapshot as well.

FAILURE: Build failed with an exception.
  
* What went wrong:
Execution failed for task ':sonarqube'.
> Key 'branch' was provided twice with parameters 'characteristic'

[mc1arke]

@jrepko You need to provide a bit more information if you want help diagnosing your issue: what command are you using to run your scan, what configuration is in your build.gradle file, what does Gradle show for the output if your add --stacktrace to the launch command?

[mc1arke]

@4n4n4s I agree with you on the cluttering with comments. In Github this is handled by creating CheckRuns per commit and only the last CheckRun being kept for each app on each commit.

Gitlab has the concept of resolving a discussion, which is what I think we should be using for this case, as deleting a comment still leaves the discussion marker in place, but without any relevant content. We'd need to add some logic for identifying where an issue was no longer present in a re-scan so we scan ensure we're not closing discussions just to create an identical issue, especially if a real discussion has then stemmed from the Sonarqube comment

For the Bitbucket use-case, I have no issue with deleting comments if we can identify the correct ones to delete. However, we probably need to check if someone has responded to a comment as we'd then end up with orphaned responses, or Sonarqube creating a comment on a response that may reference the original Sonarqube comment. Does the endpoint you've suggested exist in all versions of Bitbucket server (can we reliably depend on it)?

Is it worth introducing a pattern into the decorators where they get told if an issue is new/updated/resolved so they can then check for a comment relating to that issue and either create a new comment or delete/resolve/comment-on an outdated comment?

[tisoft]

I agree, that resolving discussions instead of deleting them is the way to go for gitlab. I think, that discussions on obsolete commits (e.g. in case of rebases) are autoresolved. But I think if there is an issue on a commit and a new commit fixes this, the discussion might stay there. I will test the behaviour, and see what needs to be done for gitlab.

[mc1arke]

The auto-resolution of out-dated discussions on Gitlab is a configurable feature. I know that the main instance I regularly use has the auto-resolution disabled on all their projects to ensure that any discussions are still reviewed to ensure that a subsequent change not actually associated with the discussion on that line doesn't incorrectly resolve the discussion (e.g. changing formatting, but not fixing a potential NullPointerException).

[artemy-osipov]

@mc1arke for Bitbucket you cannot delete comments that has responses so the discussion will remain. Actually, Bitbucket has a similar concept as CheckRun at GitHub, but it only came in new versions. Looks like that's how the paid sonar works https://docs.sonarqube.org/latest/analysis/pr-decoration/

Endpoint "/plugins/servlet/applinks/whoami" was added for testing but it's on by default and was added a long time ago. I think it can be used by default, and if an error occurs, require a login in the configuration.

[mc1arke]

@artemy-osipov Are you sure you can't delete comments that have responses? The UI certainly allows me to do it on bitbucket.com, I've not checked through the API on a BitBucket server instance though.

Whilst possibly less useful for some people who aren't quick to upgrade their self-hosted software, is it worth switching to use the new BitBucket features so we don't have to worry about using an undocumented/unsupported API, and can get the benefit of any future enhancements those features provide?

[artemy-osipov]

@mc1arke I checked the master branch for this case and the sonar comments with the replies were not deleted. This corresponds to documentation:

Comments that have replies may not be deleted, regardless of the user's granted permissions

It's most likely because Bitbucket Server and Bitbucket Cloud are different products with different code bases and the rules for working with comments may differ.

I think the Code Insight reports is more promising and preferable, but until it is implemented, I hope the current way through comments will remain so that we can start using this plugin.

[jrepko]

what command are you using to run your scan, what configuration is in your build.gradle file, what does Gradle show for the output if your add --stacktrace to the launch command?

@mc1arke
The command I'm using is:

./gradlew --stacktrace -Dversion=1.01.dev-4 -Dsonar.projectVersion=1.01.dev-4 -Dsonar.branch.name=test-plugin-conf --info check sonarqube

and the config from the build.gradle has

sonarqube {
    properties {
        property "sonar.login", "${sonar_token}"
        property "sonar.sourceEncoding", "UTF-8"
     }
}

The exception is below:

  * Exception is:
  org.gradle.api.tasks.TaskExecutionException: Execution failed for task ':sonarqube'.
  	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$3.accept(ExecuteActionsTaskExecuter.java:166)
  	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter$3.accept(ExecuteActionsTaskExecuter.java:163)
  	at org.gradle.internal.Try$Failure.ifSuccessfulOrElse(Try.java:191)
  	at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:156)
  	at org.gradle.api.internal.tasks.execution.ValidatingTaskExecuter.execute(ValidatingTaskExecuter.java:62)
  	at org.gradle.api.internal.tasks.execution.SkipEmptySourceFilesTaskExecuter.execute(SkipEmptySourceFilesTaskExecuter.java:108)
  	at org.gradle.api.internal.tasks.execution.ResolveBeforeExecutionOutputsTaskExecuter.execute(ResolveBeforeExecutionOutputsTaskExecuter.java:67)
  	at org.gradle.api.internal.tasks.execution.ResolveAfterPreviousExecutionStateTaskExecuter.execute(ResolveAfterPreviousExecutionStateTaskExecuter.java:46)
  	at org.gradle.api.internal.tasks.execution.CleanupStaleOutputsExecuter.execute(CleanupStaleOutputsExecuter.java:94)
  	at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
  	at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:95)
  	at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
  	at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:56)
  	at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
  	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
  	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
  	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:416)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:406)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
  	at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:102)
  	at org.gradle.internal.operations.DelegatingBuildOperationExecutor.call(DelegatingBuildOperationExecutor.java:36)
  	at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
  	at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:43)
  	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:355)
  	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:343)
  	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:336)
  	at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:322)
  	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker$1.execute(DefaultPlanExecutor.java:134)
  	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker$1.execute(DefaultPlanExecutor.java:129)
  	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:202)
  	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.executeNextNode(DefaultPlanExecutor.java:193)
  	at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:129)
  	at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
  	at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
	at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
Caused by: Key 'branch' was provided twice with parameters 'characteristic'

[jobecode]

@stefanwendelmann are you sure you're running the right version of the plugin in both the extensions/plugin and lib/common directories?

@stefan01 It sounds like you've not installed the plugin to one of these locations. Please check you've followed the installation instructions fully.

I have the same problem. I already ensured the plugin is in both locations but the problem persists.
I'm using SonarQube 8.1 + plugin 1.2.1

[ktibi]

HI guys,

We have same issue, can you provide the last 1.2.1-SNAPSHOT for test on sonar 8.1 ?

[Insidexa]

Test latest release 1.3.0 with sonarqube 8.2 and github integration
In ALM Integrations -> Github I fill next fields: github url, app id and private key.

After save configuration, I got next error:

Request URL: https://sonarqubeserver/api/alm_settings/create_github
Request Method: POST
Status Code: 404 

{"errors":[{"msg":"Unknown url : /api/alm_settings/create_github"}]}

[Sotam]

@Insidexa like @bisvo01 already said: 1.3.0 is not compatible with SQ 8.1, you need to build from this branch.

[hungluong5791]

Just asking, I see that #85 is fixed here. Is that fix compatible with LTS (7.9) and could be backported to that?

[mc1arke]

I've update the branch with a refactor of my previous changes plus the missing unit tests for the new functionality.

However, the submission of a new branch to Sonarqube does not give the results I'd expect: it treats all new issues as an existing issue, alongside the existing issues. Subsequent scans then show some of these new issues as existing issues, which seems incorrect. I've not manage to pinpoint what Sonarqube is failing with here, but suspect the reference branch being passed in the scanner result is being set incorrectly. I'll dig into the further, but would welcome any other input here.

[paveldvoinos]

Hello,

I built a snapshot version from this branch, plugin is working and I got PR analyzed.
But github checks are not appearing.
Also, I can't find any logs at all.

I there any way how to debug it?
Maybe enable more verbose logging?

[BenjaDiaz]

@mc1arke Thanks a lot for all the good work. Just so you know, I've got it working with Github. Besides the big issue of mixing old with existing issues, I found two small things:

1. When registering the Github App in SonarQube (Settings>Pull Request Decoration), in the Github URL field, the Help information is not accurate. It features a trailing slash in the API url (https://api.github.com/), which generated the following error:
   Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://api.github.com//app/installations.
   It was fixed by removing the trailing slash (https://api.github.com).

2. The plugin did not work when the Github app was configured with permissions to all repositories. It showed the following error:
   Caused by: java.lang.IllegalStateException: No token could be found with access to the requested repository with the given application ID and key
   It was fixed by setting specific repos in the permissions configuration ofo the Github App.

Cheers!

[crazy-max]

@mc1arke I will fix https://github.com/mc1arke/sonarqube-community-branch-plugin/pull/58/checks?check_run_id=746834162#step:9:76

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
2 Code Smells

86.7% Coverage
0.0% Duplication