SonarSource / sonar-scanner-gradle
SonarQube Scanner for Gradle
AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing SonarSource/sonar-scanner-gradle in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Repository Overview (README excerpt)
SonarScanner for Gradle
=======================

About Sonar
-----------
Sonar's integrated code quality and code security solutions help developers deliver high-quality, efficient code standards that benefit the entire team or organization.

User documentation
------------------
https://redirect.sonarsource.com/doc/gradle.html

Have Questions or Feedback?
---------------------------
For support questions ("How do I?", "I got this error, why?", ...), please head to the SonarSource forum. There are chances that a question similar to yours has already been answered. Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-)

Contributing
------------
If you would like to see a new feature, please create a new thread in the forum "Suggest new features".

Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes.

With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives for contributing this change: what problem you are trying to fix, what improvement you are trying to make. Make sure that you follow our code style and that all tests are passing. Then, one of the members of our team will carefully review your pull request. You might be asked at this point for clarifications, or your pull request might be rejected if we decide that it doesn't fit our roadmap and vision for the product.

Reporting Security Issues
-------------------------
A mature software vulnerability treatment process is a cornerstone of a robust information security management system.

Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users. If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately.

To responsibly report a security issue, please email us at security@sonarsource.com. Sonar's security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel.

For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly.

Responsible Disclosure Policy

For more information about disclosing a security vulnerability to Sonar, please refer to our community post: Responsible Vulnerability Disclosure.

Developer documentation
-----------------------

Building the project

To build the plugin and run the tests, you will need Java 11.

Fix the error

You need to update and review it. Note that the command above only updates the metadata for the dependencies used in the main task. There may be other dependencies used in other tasks, so you may want to run the command for other tasks as well, like :

Once you have reviewed the changes, replace with for the changes you accepted. And delete in the the versions that we don't use anymore, because don't remove unused dependencies. But do not delete all unused versions for dependencies with a dynamic version set to (like ), because Gradle caches the version resolution for 24 hours, so for those dependencies we also need to keep the version before last.

When you update a dependency's checksum in the gradle/verification-metadata.xml file, validate the change by comparing the sha256 value from Artifactory with the one listed on another package repository, such as Maven Central.

First, identify the dependency updated in the file and copy its sha256 checksum. Next, search for the dependency on another package repository. For instance, on Maven Central you can use the query to find a specific dependency.

How the plugin works

When the plugin is applied to a project, it adds the Sonar task to that project. It also adds the Sonar extension to the project and all its subprojects. For multi-module projects, the plugin only applies to the first project where it gets called. The goal is to allow the usage of , for example.

**Sonar extension**

The extension enables an easy configuration of a project with the Domain Specific Language.

**Sonar task**

The Sonar task has the name , so it can be executed by calling . It collects information from the project and all its subprojects, generating the properties for the analysis. Then, it runs the SonarScanner analysis using all those properties.

The task depends on all compile and test tasks of all projects (except for skipped projects). If all projects are skipped (by adding to the sonar DSL), the analysis won't execute.

Using the plugin directly in a project (no need to build/install it in advance)

A composite build can be used to substitute plugins with an included build. In the target project, apply the plugin:

Run with:

Debugging the plugin

See the previous point about including the plugin's build when building a target project. To debug, simply add the parameter:

Now debug remotely by connecting to port 5005.

Integration Tests

By default, Integration Tests are skipped during the build. To run them, you need to follow these steps:
• Install the SNAPSHOT version of the root project in the local Maven repository.
• Import the project as a Maven project and ensure that the Android SDK is set.
• Set environment variable
• Run the following command from the project:

Install a SNAPSHOT in the local Maven repository

./gradlew publishToMavenLocal

Using the plugin SNAPSHOT previously installed in the local Maven repository

Release and deploy on Gradle…
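The Artifactory-versus-Maven Central checksum cross-check from the Developer documentation section above, as an added example that is not part of the sonar-scanner-gradle project's code: it parses a constructed gradle/verification-metadata.xml fragment, compares each sha256 with a constructed reference table standing in for what a second repository publishes, and flags the entries where the two sources disagree, which is the signal that the artifact served through the proxy is not the one the public repository publishes. The com.acme coordinates, the REFERENCE_SHA256 table and all hashes are constructed for the example, not real values.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"dv": "https://schema.gradle.org/dependency-verification"}

# Constructed sample artifact bytes; the hashes below derive from them. The second local entry is deliberately wrong.
JAR_A = b"constructed bytes of acme-lib-1.2.0.jar"
JAR_B = b"constructed bytes of acme-util-3.4.0.jar"

# Constructed gradle/verification-metadata.xml fragment (not the project's real file).
METADATA_XML = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="com.acme" name="acme-lib" version="1.2.0">
      <artifact name="acme-lib-1.2.0.jar">
        <sha256 value="{hashlib.sha256(JAR_A).hexdigest()}"/>
      </artifact>
    </component>
    <component group="com.acme" name="acme-util" version="3.4.0">
      <artifact name="acme-util-3.4.0.jar">
        <sha256 value="{hashlib.sha256(b'not the real jar').hexdigest()}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""

# Constructed stand-in for the checksums a second repository (e.g. Maven Central) publishes.
REFERENCE_SHA256 = {
    ("com.acme", "acme-lib", "1.2.0", "acme-lib-1.2.0.jar"): hashlib.sha256(JAR_A).hexdigest(),
    ("com.acme", "acme-util", "3.4.0", "acme-util-3.4.0.jar"): hashlib.sha256(JAR_B).hexdigest(),
}

def parse_checksums(xml_text):
    """Map (group, name, version, artifact) -> sha256 read from verification metadata."""
    found = {}
    for comp in ET.fromstring(xml_text).iterfind(".//dv:component", NS):
        coords = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.iterfind("dv:artifact", NS):
            sha = art.find("dv:sha256", NS)
            if sha is not None:
                found[coords + (art.get("name"),)] = sha.get("value").lower()
    return found

def cross_check(local, reference):
    """'ok' if both sources agree, 'mismatch' if they differ, 'unknown' if no second source has it."""
    report = {}
    for key, local_sha in local.items():
        ref = reference.get(key)
        report[key] = "unknown" if ref is None else ("ok" if ref.lower() == local_sha else "mismatch")
    return report
```

Any "mismatch" entry should be investigated before the new checksum is accepted into the metadata file; "unknown" entries need a manual lookup, since the absence of a second source is not evidence of correctness.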