-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rule template for GCC custom rules not working due to key validation: - sign not allowed #2586
Comments
I found a solution with DB update, but only for admins not for users...
|
Hi @jenspopp, thanks for the feedback. What is exactly the error message you get? Like to verify if this message / check is from the cxx plugin or the SQ framework. Regards, |
Hi @guwirth, The error ist
As mentioned, when I create the rule with some dummy key, I can update it in postgres. After that it works as advertised. On a related topic, some users ask to catch all warnings without rules (so basically new compiler warnings). I'm new to plugins in Sonar, but I'm able to get all gcc rules via the rules web api. I also understand the basic workings of the cxx sensor. But I have found no docu on how to access the rules/web api from the sensor? I would be happy to contribute, if I have a starting point. |
Hi @jenspopp,
In case you wanna create rules / issues on the fly it’s better to use Regards, |
Hi @jenspopp,
The warning is from the SQ core Means we can’t work around it in the cxx plugin. Maybe you can ask in the SQ forum why this limitation exists https://community.sonarsource.com/ Regards, |
Hi @jenspopp,
The cxx plugin is using a XML file to define the supported gcc rules: To extend (add new) rules we have to extend the file and provide a new version of the plugin. Regards, |
Hi @guwirth, sorry for the late reply, had a week off. My idea was to load at the initialization of the scanner al list of all known issues per tool (gcc, cppcheck, ...). When an issue is created I would like to check if the issue (e.g. compiler warning) is a handled issue or an unknown issue. If it is unknown I would change the id to something like UNHANDLED_GCC_WARNING and create a rule for that. We could than decide if we want to activate the rule or not. Reason is, that I have beside the "productive" build on RHEL and SLES a build on latest tumbleweed with the newest gcc to catch any new warnings. It would be cumbersome to check every time, if there is a new warning. The build is on docker against the latest and changes much more often then our sonar instance... As for sonar, I have a workaround with the sql update... a bit cumbersome but workable. My assumption is, that they want to avoid special characters that might cause attack scenarios/warnings... |
Hi @jenspopp,
SQ is working different. During the start of the server all plugins are loaded. The rules are a static list inside of every plugin. It’s not possible to create or change the rules afterwards. Only exception is Regards, |
Hello @guwirth, I don't want to create a new rule ;-) The idea would be to have a fixed rule for each tool (gcc, cppcheck...) with the ruleId = NEW_VIOLATION. My problem is, I don't know, how to access the rule api from within the sensor in a proper way. I already did the needed Rest query via postman... Best regards |
Hi @guwirth,
That should be possible we discussed this in the past already, can’t remember the result? Regards, |
Hi, I did some test runs, where I created an artificial -Wtest-scanner compiler warning. What I see is in the scanner log is no real info: 12:28:05.566 INFO: Sensor CXX GCC compiler report import [cxx] After that is only the upload. On the server side I see in the proxy logs multiple lines: Where it downloads the activated rules (&activation=true). In the real processing in sonar I see only some lines: sonarqube | 2023.11.08 12:45:04 DEBUG ce[][org.apache.http.wire] http-outgoing-0 >> "{"isNewCodeReference":false,"line":388,"project":"AYuuv_isn_AYwlZCmvoP","effort":5,"language":"cxx","sansTop25":[],"type":"CODE_SMELL","resolution":null,"branch":"AYuuv_isn_AYwlZCmvoP","issueUpdatedAt":"2023-11-08T11:44:39.000Z","modulePath":".AYuuv_isn_AYwlZCmvoP.","severityValue":3,"ruleUuid":"AYtbqkCsTZfCf1ai8-E5","owaspAsvs-4.0":[],"scope":"MAIN","dirPath":"src","key":"AYuuwAGtRP1B5X1jRf29","issueCreatedAt":"2023-11-08T11:44:39.000Z","severity":"CRITICAL","vulnerabilityProbability":1,"owaspTop10":[],"filePath":"src/wcs_rv6_receive.c","authorLogin":null,"join_issues":{"name":"issue","parent":"auth_AYuuv_isn_AYwlZCmvoP"},"issueClosedAt":null,"tags":["compiler-gcc"],"cwe":["unknown"],"sonarsourceSecurity":"others","component":"AYuuv_x0RP1B5X1jRf03","indexType":"issue","pciDss-4.0":[],"pciDss-3.2":[],"assignee":null,"owaspTop10-2021":[],"isMainBranch":true,"status":"OPEN"}[\n]" Where "ruleUuid":"AYtbqkCsTZfCf1ai8-E5" is in the db: -Wunused-but-set-variable. But that seems to be only the elastic search entry... So I don't know, where the rule is filtered... if it is already done on the scanner (with the download of the activated rules probable...) or on the server. I have one entry on the server: sonarqube | 2023.11.08 12:45:03 INFO ce[AYuuv_lun_AYwlZCmvoY][o.s.c.t.s.ComputationStepExecutor] Persist issues | cacheSize=52.5 kB | inserts=154 | updates=0 | merged=0 | status=SUCCESS | time=57ms Where the inserts=154 is less then the saved new issues=162 from the scanner. The compiler log has in total 162 warnings. (Please don't look at the time stamps, is from different runs, but same data and fresh projects) Best regards |
Hello @guwirth, I had a longer discussion with the sonarsource developers, final answer: So in the end I would need the following query executed from the scanner side: https://myserver:9001/api/rules/search?languages=cxx&tags=compiler-gcc&f=internalKey That would return all internal keys and I could compare them to the extracted warning. Any idea how to achieve that from the scanner api? Is there any point, to retrieve the logged in http connection or better the rules api itself? Best regards |
Hi,
not really surprised about that answer. They are not really fans of the cxx plugin …
The sensor for gcc is here: Here we add the issue from the report: sonar-cxx/cxx-sensors/src/main/java/org/sonar/cxx/sensors/compiler/CxxCompilerSensor.java Line 75 in a224a6f
sonar-cxx/cxx-sensors/src/main/java/org/sonar/cxx/sensors/utils/CxxIssuesReportSensor.java Line 84 in a224a6f
Here should be a check for unknown rule id and replace it by „unknown“. Not sure how to verify if unknown? Also not sure if this would not result in a performance penalty. Read the rules on server side: Line 29 in a224a6f
Found this to find active rules on scanner side: Found no API for all rules: Regards, |
Hello, thanks for the answer ;-) Found this too. I did also a deeper dig in Sonar Core source. The issue is, that they run the scanner in Spring, but the plugins seem to be in a separate classloader. So I have no easy access to the @Autowired to inject the correct initialized classes. All you get is the context, which only contains already instrumented/initialized interfaces. My only idea right now is to build an own connection to the server and call the API (That would be a lot of code duplication from the sonar source). I still have hope to access the initialized wsClient via reflection, but have not found a way in yet. (all classes only seem to have already filled maps, no connection objects) I basically had already the complete code, if AutoWired would have worked :-( It would be only minimal change in the existing code, when you save the rule. I'm still very interested in this topic and will continue, but probably only over the next holidays... Perhaps it helps, if you vote this one up ;-) https://stackoverflow.com/questions/77493510/sonarqube-access-api-from-sensor Best regards |
Hello @guwirth, good news, I finally had a bit of time to create a solution. I tested it with gcc, cppcheck and clangtidy. I used the java httpclient to download the all rule ids for the sensors and check whether the rule is already existing. Unknown rules are mapped to the key "unknown" (customizable with a property - see readme change). There is also a small fix in the default regex for gcc Open points:
The default fallback is on the existing behavior with a warning printed. Please find attached the git diff; let me know, if I should fork and create a pull request.. Best regards |
Describe the bug
When analyzing gcc compiler warnings I wanted to add a new one for -Wstringop-truncation
When trying to enter this key, I get a validation error, that key is only allowed to be upper and lower case letters, digits and "_" , so "-" is not allowed. Since this is used as id from the regex, I don't know how to use this key...
Also backup, manual edit of xml and restore does not work
To Reproduce
Try to create a new custom rule from gcc rule template
Expected behavior
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: