plugin – DevSecOps – SonarQube

plugin – DevSecOps – SonarQube – Code Review Stack Exchange

SonarQube Java: Read of unwritten field

I am receiving this finding from Sonar, but I do not know what should be done to correct it. Could you help me understand?

import java.io.Serializable;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import org.springframework.context.MessageSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

// AbstractController and Connector are project types not shown in the question.
public class LoginController extends AbstractController implements AuthenticationProvider, Serializable {
    private static final long serialVersionUID = 1L;
    // Declared but never assigned anywhere in the class: this is the
    // "read of unwritten field" SonarQube reports.
    private Connector connector;

    @Resource(name = "messageSource")
    protected MessageSource messageSource;

    @RequestMapping(method = RequestMethod.GET)
    public ModelAndView index() {
        return new ModelAndView("login");
    }

    private List<Map<String, Object>> findRecursosMensagem() {
        Map<String, Object> args = new HashMap<>();
        args.put("chave", "MensagemCovid");
        // connector is still null here, so this call throws NullPointerException
        return connector.findServicoReturnList(args, "lms.radar.usuarioFacade.findRecursosMensagem");
    }
}


java – How to resolve the SonarQube finding: Read of unwritten field connector

In my class, SonarQube reports a finding in the findRecursosMensagem() method, but I did not understand what needs to be corrected. Could you help me understand what should be done?

import java.io.Serializable;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.MessageSource;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

// AbstractController, Connector, IntegracaoService, Autenticacao, AutenticacaoDMN and
// the SISTEMA constant are project types/values not shown in the question.
public class LoginController extends AbstractController implements AuthenticationProvider, Serializable {
    private static final long serialVersionUID = 1L;

    // Declared (as in the first version of this question) but never assigned:
    // this is the field SonarQube reports as "read of unwritten field".
    private Connector connector;

    @Resource(name = "messageSource")
    protected MessageSource messageSource;

    @Inject
    private IntegracaoService integracaoService;   // written by the container, unlike connector

    @RequestMapping(method = RequestMethod.GET)
    public ModelAndView index() {
        return new ModelAndView("login");
    }

    @ResponseBody
    @RequestMapping(value = "/logar", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
    public Autenticacao logar(@RequestBody AutenticacaoDMN autenticacao, HttpServletRequest request) {
        // Drop the pre-login session before authenticating
        request.getSession().invalidate();
        autenticacao.setSistema(SISTEMA);
        Autenticacao autenticacaoRetorno = integracaoService.login(autenticacao);
        if (autenticacaoRetorno.isAutenticado()) {
            autenticacao.setIdUsuario(autenticacaoRetorno.getIdUsuario());
            integracaoService.setUserAutenticate(autenticacao, request);
        }
        return autenticacaoRetorno;
    }

    private List<Map<String, Object>> findRecursosMensagem() {
        Map<String, Object> args = new HashMap<>();
        args.put("chave", "MensagemCovid");
        // connector is null on every path that reaches this call
        return connector.findServicoReturnList(args, "lms.radar.usuarioFacade.findRecursosMensagem");
    }
}

SonarQube message/finding (screenshot)
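For both versions of the question above (the English one and the Portuguese one), the finding means the same thing: `connector` is read but no code path ever assigns it. The post already uses `@Inject` for `integracaoService`, which lets the container write that field; the class below is an added example, not the poster's code, showing the other option, constructor injection, which additionally lets the compiler prove the field is written by making it `final`. `Connector` and `findServicoReturnList` are the project's own types from the question; the `@Controller` stereotype and the assumption that `Connector` is a Spring bean are mine, and the rest of the class is omitted.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import org.springframework.stereotype.Controller;

// Added example: the field is assigned exactly once, in the constructor, so there is
// no execution path on which it is read while still null.
@Controller
public class LoginController {

    private final Connector connector;   // final: the compiler now proves it is written

    // Spring 4.3+ injects a single-constructor bean without @Autowired/@Inject.
    // Assumes Connector is registered as a bean in the context.
    public LoginController(Connector connector) {
        this.connector = Objects.requireNonNull(connector, "connector");
    }

    List<Map<String, Object>> findRecursosMensagem() {
        Map<String, Object> args = new HashMap<>();
        args.put("chave", "MensagemCovid");
        return connector.findServicoReturnList(args, "lms.radar.usuarioFacade.findRecursosMensagem");
    }
}
```

If `Connector` is not a bean, the same constructor still works in a unit test with a hand-built instance, which is the other benefit of not reaching for field injection: the dependency is visible in the signature, and an unassigned one fails at construction time instead of at the first request.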

sonar – How can I analyze only one file type, or several, in SonarQube?

I am trying to analyze only .java and .js files, skipping the analysis of all other files, since the project contains files such as .pdf or .csv that cause compilation problems, but there are around 50 file extensions to skip because of how messy the project is.

I know the best thing would be to clean it up, but for time reasons, does anyone know how I could analyze only the .java and .js files and skip everything else?

And I do not want to list the extensions one by one.

-Dsonar.exclusions=**/*.pdf,**/*.csv,**/*.jpg, etc...

Attempts:

-Dsonar.inclusions=**/*.java -Dsonar.sources=. -Dsonar.sourceEncoding=UTF-8 -Dsonar.java.source=1.6 -Dsonar.jacoco.reportPaths=target/jacoco.exec -Dsonar.scm.disabled=true -X

-Dsonar.exclusions=**/*?.java -Dsonar.sources=. -Dsonar.sourceEncoding=UTF-8 -Dsonar.java.source=1.6 -Dsonar.jacoco.reportPaths=target/jacoco.exec -Dsonar.scm.disabled=true -X

Does anyone know a way?
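As an added example, not part of the question above, here is a sonar-project.properties that restricts analysis to Java and JavaScript sources with the scanner's documented inclusion/exclusion properties; the project key and the directory names in sonar.exclusions are assumed.

```properties
# Added example (not from the question): scanner configuration that analyzes only
# .java and .js files. Project key and excluded directory names are assumed.
sonar.projectKey=myProject
sonar.sources=.
sonar.sourceEncoding=UTF-8

# Only files matching these patterns are indexed; .pdf, .csv and the other ~50
# extensions are skipped without being listed.
sonar.inclusions=**/*.java,**/*.js

# Exclusions are applied on top of the inclusions, so build output and vendored
# JavaScript can still be kept out of the analysis.
sonar.exclusions=**/target/**,**/node_modules/**
```

The same keys work as command-line arguments (`-Dsonar.inclusions='**/*.java,**/*.js'`); quote the value, because an unquoted `*` pattern can be expanded by the shell before the scanner ever sees it.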

java – SonarQube flagging String literal duplicated for Sql query bind parameters

We are using SonarQube lint for code quality analysis. The problem is that it flags query parameter binding literals as duplicated. However, declaring them as constants does not make sense.

Eg:

// Sonar flags "firstName": it appears once inside the HQL and again as the bind name.
String queryStr = "select * from Person p where p.firstName=:firstName";
Query personQuery = session.createQuery(queryStr);   // session: org.hibernate.Session
personQuery.setParameter("firstName", "Mark");        // value is bound, never concatenated into the query

SonarQube is flagging the repeated String literal firstName. However, I feel the rule is invalid for this use case, because declaring them as a constant and changing them in one place won't work: the parameter just has to match what is used in the query String.

It does not involve any business logic or contract. Is my interpretation correct? If so, how do I go about convincing my peers of it?
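An added example, not the poster's code, showing the one arrangement in which a constant does keep the two occurrences in sync: the constant is concatenated into the HQL text itself, so the bind name and the placeholder cannot drift apart. It assumes Hibernate 5.2+ (`org.hibernate.query.Query`) and a mapped `Person` entity; `PersonQueries` and `FIRST_NAME` are names chosen here.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example: one source of truth for the bind-parameter name.
public final class PersonQueries {
    // Used both inside the HQL text and in setParameter(); "..." + FIRST_NAME is a
    // compile-time constant, so the placeholder and the bind name are literally the same string.
    private static final String FIRST_NAME = "firstName";

    private static final String BY_FIRST_NAME_HQL =
            "select p from Person p where p.firstName = :" + FIRST_NAME;

    private PersonQueries() {}

    public static List<Person> findByFirstName(Session session, String firstName) {
        Query<Person> query = session.createQuery(BY_FIRST_NAME_HQL, Person.class);
        // Named binding: the user-supplied value never becomes part of the query text,
        // so an input like "' or 1=1" is matched as a literal name, not executed.
        query.setParameter(FIRST_NAME, firstName);
        return query.getResultList();
    }
}
```

The constant only silences the duplicated-literal finding; the property that matters for security, that the value is passed through `setParameter` rather than concatenated into the query, is the same in both the original snippet and this one, and it is the thing a reviewer should be checking.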

java – SonarQube maven plugin

I cannot execute the following Maven command:

mvn clean verify sonar:sonar -Dsonar.projectKey=myProject -Dsonar.host.url=https://myServer.com -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true

I tried not setting the SSL Maven options to true as well.

The error I get is: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.7.0.1746:sonar (default-cli) on project: Unable to execute SonarQube: Fail to get bootstrap index from server: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I am able to run a clean Maven verify without pointing to the SonarQube server.
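The exception text names the usual cause: the JVM's X.509 trust manager was initialised with zero trust anchors, which is a property of the trust store being loaded (an empty or broken `cacerts`, or `javax.net.ssl.trustStore` pointing at a store with no CA entries), not of the SonarQube server's certificate. The `maven.wagon.http.ssl.*` properties only affect Maven's own Wagon repository transport and do not reach the scanner plugin's HTTP client. The program below is an added diagnostic, not part of the question: it resolves the trust store the way JSSE does and counts the trusted-certificate entries in it. Class and method names are mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

// Added example: counts the CA entries in the trust store the JVM will actually use.
// Zero is exactly what "the trustAnchors parameter must be non-empty" is reporting.
public final class TrustStoreCheck {

    private TrustStoreCheck() {}

    /** Same resolution order as the JSSE default: javax.net.ssl.trustStore if set,
     *  otherwise $JAVA_HOME/lib/security/cacerts. */
    static Path resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null && !override.isEmpty()) {
            return Paths.get(override);
        }
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Number of trusted-certificate entries in the store. */
    static int countTrustAnchors(Path storePath) throws IOException, GeneralSecurityException {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(storePath)) {
            store.load(in, null);   // null password: skip the integrity check, we only want to enumerate
        }
        int anchors = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (store.isCertificateEntry(alias)) {
                anchors++;
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        int anchors = countTrustAnchors(store);
        System.out.println(store + ": " + anchors + " trust anchors");
        if (anchors == 0) {
            System.out.println("Empty trust store. Import the SonarQube server's CA certificate into it "
                    + "(keytool -importcert) rather than disabling TLS verification.");
        }
    }
}
```

Run it with the same `JAVA_HOME` and `MAVEN_OPTS` that the `mvn` invocation uses (`java TrustStoreCheck.java` on Java 11+), since a different JDK on the path is a common reason the count differs from what Maven sees. If the count is zero, the fix is a populated trust store that contains the server's issuing CA, for example `keytool -importcert -alias sonar-ca -file ca.pem -keystore <store>`; it is not a flag that turns verification off.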

c# – SonarQube complaining 'nextProperty' is null on at least one execution path, any help is welcome

// The using directives belong at the top of the containing file.
using System;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;

// NOTE: the generic arguments of Expression<...> were lost when the post was extracted;
// Expression<Func<TModel, object>> is assumed below, echoing nextTModelType.
public Expression<Func<TModel, object>> GetModelExpression(string mapPropertyKey)
{
    Expression<Func<TModel, object>> expression = null;
    PropertyInfo nextProperty = null;   // SonarQube: null on at least one execution path
    Type nextType = this.GetType();

    var navigationProperties = EntitySchemaHelper.SplitProperties(mapPropertyKey);

    foreach (var property in navigationProperties)
    {
        if (object.ReferenceEquals(property, navigationProperties.First()))
            expression = GetExpression(property);
        else
        {
            // Sonar cannot prove nextProperty was assigned by the previous iteration:
            // it is only set below when the previous element was not the last one.
            nextType = nextProperty.PropertyType;
            var nextTModelType = nextType.BaseType.GetGenericArguments()[1];

            var newInstance = Activator.CreateInstance(nextType);
            var methodInfo = nextType.GetMethod("GetExpression", BindingFlags.NonPublic | BindingFlags.Instance);
            var methodResult = methodInfo.Invoke(newInstance, new object[] { property });

            var combineMethodInfo = this.GetType().GetMethod("Combine", BindingFlags.NonPublic | BindingFlags.Instance);
            combineMethodInfo = combineMethodInfo.MakeGenericMethod(nextTModelType);
            expression = combineMethodInfo.Invoke(this, new object[] { expression, methodResult }) as Expression<Func<TModel, object>>;
        }

        if (!object.ReferenceEquals(property, navigationProperties.Last()))
            nextProperty = nextType.GetProperty(property);
    }

    return expression;
}

java – SonarQube: replacing the obsolete method with the new replacement

I'm trying to replace ISO8601DateFormat since SonarQube generates the following error: Delete this use of "ISO8601Utils"; it's obsolete. I did some research and discovered that StdDateFormat was replacing ISO8601Utils. But I have no way to replace it, because it lacks the format method. Any help would be greatly appreciated!

import java.text.DateFormat;
import java.text.FieldPosition;
import java.text.ParsePosition;
import java.util.Date;

import com.fasterxml.jackson.databind.util.ISO8601Utils;
import org.joda.time.format.ISODateTimeFormat;

public static class ISO8601DateFormat extends DateFormat {
// public static class StdDateFormat extends DateFormat {
    public ISO8601DateFormat() {}

    @Override
    public StringBuffer format(Date date, StringBuffer toAppendTo, FieldPosition fieldPosition) {
        // This is the call SonarQube flags: ISO8601Utils is deprecated.
        String value = ISO8601Utils.format(date, true);
        // I do not know how to replace this line with the help of
        // StdDateFormat since there is no formatting method
        toAppendTo.append(value);
        return toAppendTo;
    }

    @Override
    public Date parse(String source, ParsePosition pos) {
        pos.setIndex(source.length());
        return ISODateTimeFormat.dateTimeParser().parseDateTime(source).toDate();   // Joda-Time
    }

    @Override
    public Object clone() {
        return this;   // returns the same instance, not a copy
    }

    @Override
    public String toString() {
        return this.getClass().getName();
    }
}
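An added example, neither the poster's code nor Jackson's: the same DateFormat subclass implemented on java.time, which removes both the deprecated ISO8601Utils call and the Joda-Time dependency. The output pattern (millisecond precision, 'Z' for UTC) is chosen to match the shape ISO8601Utils.format(date, true) produced; the class name and the choice to interpret zone-less input as UTC are assumptions.

```java
import java.text.DateFormat;
import java.text.FieldPosition;
import java.text.ParsePosition;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoField;
import java.time.temporal.TemporalAccessor;
import java.util.Date;

// Added example: a DateFormat built on java.time, with no deprecated Jackson or
// Joda-Time helpers. Class name is hypothetical.
public class Iso8601JavaTimeFormat extends DateFormat {
    private static final long serialVersionUID = 1L;

    // Output shape: 2020-01-31T23:59:59.123Z (always millisecond precision, always UTC;
    // pattern letter X prints "Z" for a zero offset)
    private static final DateTimeFormatter OUTPUT =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSX").withZone(ZoneOffset.UTC);

    // Input: any ISO-8601 date-time, with or without an offset or zone id.
    private static final DateTimeFormatter INPUT = DateTimeFormatter.ISO_DATE_TIME;

    @Override
    public StringBuffer format(Date date, StringBuffer toAppendTo, FieldPosition fieldPosition) {
        return toAppendTo.append(OUTPUT.format(date.toInstant()));
    }

    @Override
    public Date parse(String source, ParsePosition pos) {
        try {
            TemporalAccessor parsed = INPUT.parse(source.substring(pos.getIndex()));
            // An instant is derivable only if the text carried an offset or zone;
            // otherwise the wall-clock time is taken as UTC (assumption, mirrors OUTPUT).
            Instant instant = parsed.isSupported(ChronoField.INSTANT_SECONDS)
                    ? Instant.from(parsed)
                    : LocalDateTime.from(parsed).toInstant(ZoneOffset.UTC);
            pos.setIndex(source.length());
            return Date.from(instant);
        } catch (DateTimeParseException e) {
            // DateFormat contract: signal failure through the ParsePosition, do not throw
            pos.setErrorIndex(pos.getIndex() + e.getErrorIndex());
            return null;
        }
    }

    @Override
    public Object clone() {
        return new Iso8601JavaTimeFormat();   // stateless, so a fresh instance is a faithful copy
    }
}
```

The one behavioural difference worth knowing about is in `parse`: the original sets the index to the end of the input and lets Joda-Time throw on bad input, whereas `DateFormat.parse(String, ParsePosition)` is specified to return null and set the error index, which is what callers such as `DateFormat.parse(String)` rely on to produce a `ParseException`.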

continuous integration – Is there an Ansible plugin to use SonarQube for testing purposes

I work for a company where, until now, there was only one developer. They want to start using CI/CD. This is the first time I have implemented a CI/CD pipeline.

I was thinking of using Jenkins, but they are already using Ansible, and I am told that with Ansible it is possible to run tests and, depending on the results of those tests, for example, create an acceptance server. I've looked into it and it seems that Molecule could be very interesting for that.

There is only one problem. We also want to use SonarQube for testing. So far I have not found anything for using SonarQube with Ansible/Molecule.
Am I missing something, or should we use Jenkins when we want to use SonarQube?

Are CCQ (Continuous Code Quality) tools such as SonarQube supposed to reject version control changes?

Quality gates (checks that must pass before certain changes can be merged) are a useful way to detect quality issues early. These gates can include any kind of quality check, including running test suites or using static analysis tools. The idea is that it is much easier (and therefore cheaper) to detect and fix problems early than to have to debug the changes later in your software development process.

Such quality checks may be part of the developer's personal workflow, but it's best not to rely on that. In a pull-request-based workflow, it is useful to apply a quality gate before a pull request with certain features can be merged into a shared branch, which then serves as the base for further development. These quality checks can then be run by an external CI server, not just on the developer's local computer.

Opinions differ as to whether the CI result should be merely informative or whether every detected problem must be fixed. Typically, a team tunes the analysis tool's configuration so that unnecessary warnings are silenced and the relevant issues are treated as hard errors. For less severe problems, more complex quality metrics can be used: for example, a change may not increase the absolute number of warnings, or may not add any on the changed lines. Of course, a list of warnings is much more useful when it is small and actionable, so getting useful static analysis results often requires a high-quality configuration.

Where hard quality gates are undesirable, a lighter version is to run the checks after the changes have been merged. However, it is then easy to ignore these problems and let them pile up. Quality gates require the problem to be fixed before the change can pass through the gate, which keeps bad code out of the system in the first place.

Using quality gates with static analysis on pull requests is actually standard in open source projects. Contributors can have very different levels of experience, so automated checks help them fix these problems before someone spends time on a code review. In a closed team with a lot of experience this is less important, because there will be fewer problems in the first place, but most teams do not have consistently high experience. Automating some aspects of code review through quality checks can save a lot of time.
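The "may not add warnings on the changed lines" metric from the answer above, as an added example that is not part of the answer: a minimal new-code gate that blocks a change only for findings on lines the change touched and that were absent from the baseline scan, with a severity threshold deciding which of those are hard errors and which stay informative. The issue and diff representations are simplified, the sample data is constructed, rule names are descriptive placeholders rather than any tool's rule keys, and Java 16+ is assumed for records.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example: a "new code" quality gate over constructed inputs.
public final class NewCodeGate {

    /** One static-analysis finding: file, line, rule, severity. */
    public record Issue(String file, int line, String rule, String severity) {}

    /** Lines a change touched in one file (what a unified-diff hunk would yield). */
    public record ChangedLines(String file, Set<Integer> lines) {}

    private NewCodeGate() {}

    /** Issues that are both new (not in the baseline) and on a changed line. */
    public static List<Issue> blockingIssues(List<Issue> baseline, List<Issue> current,
                                             List<ChangedLines> changes) {
        Set<Issue> known = new HashSet<>(baseline);   // records compare structurally
        List<Issue> blocking = new ArrayList<>();
        for (Issue issue : current) {
            if (known.contains(issue)) {
                continue;                              // pre-existing: reported, never blocks
            }
            for (ChangedLines change : changes) {
                if (change.file().equals(issue.file()) && change.lines().contains(issue.line())) {
                    blocking.add(issue);
                    break;
                }
            }
        }
        return blocking;
    }

    /** Hard gate: fails only for the severities the team treats as errors. */
    public static boolean passes(List<Issue> blocking, Set<String> errorSeverities) {
        return blocking.stream().noneMatch(i -> errorSeverities.contains(i.severity()));
    }

    public static void main(String[] args) {
        // Constructed sample. Baseline: one old null-dereference finding in Login.java.
        List<Issue> baseline = List.of(new Issue("Login.java", 40, "null-dereference", "BLOCKER"));
        // Current scan: the old one plus two new findings, only one of them on a changed line.
        List<Issue> current = List.of(
                new Issue("Login.java", 40, "null-dereference", "BLOCKER"),
                new Issue("Login.java", 52, "hardcoded-credential", "CRITICAL"),
                new Issue("Util.java", 10, "duplicated-literal", "MINOR"));
        List<ChangedLines> changes = List.of(new ChangedLines("Login.java", Set.of(50, 51, 52, 53)));

        List<Issue> blocking = blockingIssues(baseline, current, changes);
        System.out.println("blocking: " + blocking);
        System.out.println("gate passed: " + passes(blocking, Set.of("BLOCKER", "CRITICAL")));
    }
}
```

Two simplifications matter in practice. Matching baseline issues by exact line number means a finding that merely shifted down because lines were inserted above it would be miscounted as new; real tools track issues by a hash of the line content and surrounding context for that reason. And the gate deliberately does not fail on the pre-existing BLOCKER at line 40: that is the trade-off the answer describes, a gate strict enough to keep new problems out without first forcing a cleanup of the whole legacy backlog.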
