Cobertura changes Sonar violations

My co-worker found this morning that compiling a project with Cobertura enabled changes the sonar results on the same project.

On this particular project we ran a build with sonar:sonar and then ran it again with cobertura:cobertura sonar:sonar.

The sonar results in the comparison are now showing that without Cobertura we have 7/78/153/24/0 violations of the 5 severities, but with Cobertura it changes to 7/81/94/24/0, and in particular finds 3 new critical violations and 15 new major violations that aren't found without Cobertura.

One of the biggest changes is that without Cobertura there are 60 violations of the rule against empty methods (many of them constructors) and with Cobertura only 3 of those are reported.

If Cobertura only prevented violations from being found we could run the two independently, but since some violations are only found with Cobertura enabled it seems like we would have to do two separate Sonar analyses.

Is this a known interaction? Is there any workaround other than doing Cobertura and Sonar in separate builds? And using both sets of results to get the best data?

Based on the comment you made, let me explain what seems to be happening: you are using FindBugs via SonarQube (the rules you are mentioning are FindBugs rules).

First let's think about the two tools involved here and how they work (roughly):

  • FindBugs: it is a static analysis tool based on bytecode: it will read bytecode and raise an issue when it detects a bad pattern.

  • Cobertura: coverage tool. How does this work? It instruments the bytecode to place probes and, when tests are run, keeps track of which probes were hit or not.

Then you can understand where the issue might be: FindBugs ends up analyzing the bytecode instrumented by Cobertura. That would explain why you have some new issues and why some of the empty methods issues are removed when analyzing with Cobertura.

To avoid this issue you have to be sure your bytecode files are not instrumented when you analyze them with FindBugs, but (disclaimer: I develop the sonar java plugin so I might be a little biased here ;) ) I would recommend you stop using FindBugs in favor of the SonarQube Java Analyzer, which won't have this issue as its analyzer approaches things slightly differently (see this blog post about that).

User error. :-(

It turns out that the user had run a mvn clean prior to running the sonar:sonar with cobertura, so as implied by benzonico, the findbugs rules that have to analyze compiled code didn't run. Only the rules that are run on source code, like the java plugin, generated results. That's why we were missing a bunch of rules and results.

We still have inconsistencies between Bamboo and manual builds, but that would be a topic for a separate post.
