SonarClojure

A SonarQube plugin to analyze Clojure source.

Current State

Features:

  • Static code analysis powered by eastwood and kibit.
  • Detection of outdated dependencies/plugins powered by lein-ancient.
  • Coverage reports powered by cloverage.
  • Detection of vulnerable dependencies powered by lein-nvd.

Installation

In order to install SonarClojure:

  1. Download the latest jar of the plugin.
  2. Place the jar in the SonarQube server plugins directory, usually located under: /opt/sonarqube/extensions/plugins/
  3. Restart the SonarQube server.

Usage

  1. Change your project.clj file and add the required plugins:

    :plugins [[jonase/eastwood "0.3.5"]
              [lein-kibit "0.1.6"]
              [lein-ancient "0.6.15"]
              [lein-cloverage "1.1.1"]
              [lein-nvd "1.0.0"]]

Note: Please make sure the plugins above are set up correctly for your project. A good way to test this is to execute each one of them individually on your project. Once they are running fine, SonarClojure should be able to parse their reports.

  2. Create a sonar-project.properties file in the root folder of your app:

    sonar.projectKey=your-project-key
    sonar.projectName=YourProjectName
    sonar.projectVersion=1.0
    sonar.sources=src,project.clj

  3. Run sonar-scanner on your project.

Configuring Sensors

Disabling

Sensors can be disabled by setting sonar.clojure.<sensorname>.disabled=true in the sonar-project.properties or by using the command line argument -Dsonar.clojure.<sensorname>.disabled when running sonar-scanner. Sensor names are eastwood, kibit, ancient, nvd and cloverage.

Report file location

Some sensors parse their results from report files. Both cloverage and lein-nvd use these report files. By default they have a path already set, but you can change the file locations by setting the property in the sonar-project.properties:

    sonar.clojure.cloverage.reportPath=target/coverage/codecov.json
    sonar.clojure.nvd.reportPath=target/nvd/dependency-check-report.json

Setting a timeout

By default, sensors have a timeout value of 300 seconds. This value applies per sensor while they are executing. You can change the default value by setting the property sonar.clojure.sensors.timeout in the sonar-project.properties file.

Debugging

  • SonarClojure is in its early days, so you might face problems when trying to run the plugin, especially because we rely on other plugins that are also in their early days. A good way to debug a problem is to make sure the particular plugin you are using runs fine before executing sonar-scanner. For instance, if you are trying to visualize the coverage data on SonarQube, first run cloverage against your project using lein cloverage --codecov. Once you fix the cloverage issue on your project, SonarClojure should be able to parse the results. The same idea applies to all the plugins.

  • In general, plugins should not stop execution in case of errors, unless an exception happens.

  • You can use -X or --debug when running sonar-scanner to get detailed information about what SonarClojure is trying to do.
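
Following the advice above to confirm each plugin works before scanning, this added example (not part of SonarClojure) checks that the cloverage and lein-nvd reports exist and are non-empty before sonar-scanner runs, so a missing vulnerability report is noticed before the scan. It assumes the two paths shown under "Report file location" apply when no reportPath property is set; `prop`, `check_report` and `preflight` are names made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the report files SonarClojure parses.
# Fallback paths are the ones shown in this README (assumed to be the defaults).
PROPS="${PROPS:-sonar-project.properties}"

# prop KEY DEFAULT: print KEY's value from $PROPS (last one wins), else DEFAULT.
prop() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots literally
    val=""
    if [ -f "$PROPS" ]; then
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$PROPS" | tail -n 1)
    fi
    printf '%s\n' "${val:-$2}"
}

# check_report SENSOR FALLBACK_PATH
# Returns 0 if the sensor is disabled or its report exists and is non-empty.
check_report() {
    if [ "$(prop "sonar.clojure.$1.disabled" false)" = "true" ]; then
        echo "skip  $1 (disabled in $PROPS)"
        return 0
    fi
    path=$(prop "sonar.clojure.$1.reportPath" "$2")
    if [ -s "$path" ]; then
        echo "ok    $1 -> $path"
        return 0
    fi
    echo "FAIL  $1: report missing or empty at $path" >&2
    return 1
}

# preflight: check both report-based sensors; non-zero if either report is absent.
preflight() {
    rc=0
    check_report cloverage target/coverage/codecov.json || rc=1
    check_report nvd target/nvd/dependency-check-report.json || rc=1
    return "$rc"
}

# Typical use from the project root, after running the lein plugins:
#   preflight && sonar-scanner
```

The script only reads sonar-project.properties, so a sensor disabled solely through a -D command line argument is still checked.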

Building from Source

    ./mvnw clean package

Maven will generate a SNAPSHOT under the folder target.

Compatibility

At the moment, SonarClojure has been tested on SonarQube up to version 7.1.

We noticed that in later versions of SonarQube, the project overview might be empty. This normally suggests that SonarClojure was not able to detect analyzable files during the scanning.

License

SonarClojure is open-sourced software licensed under the MIT license.