SonarQube无法识别自定义PomCheck规则

Question

Running SonarQube 6.4 using Java plugin 4.9.0.9858.I have written a rule to confirm that maven projects developed internally are importing a parent POM file that contains standard version numbers for various libraries. I've coded, unit tested, deployed, and activated the rule in the Quality Profile successfully. However when I run a scan against a maven project using that Quality Profile, the rule is not fired.

I can see class org.sonar.java.xml.XmlAnalyzer decides which rules are fired for xml files in general and pom files in particular. Specifically, XMLAnalyzer selects all rules that are instances of org.sonar.java.xml.maven.PomChecks to apply to pom.xml files.

Problem is, my custom rule is an instance of the class org.sonar.java.xml.maven.PomCheck , as follows

import org.sonar.java.xml.maven.PomCheck;

...snip...

@Rule( key = "UseParentPOM" )

public class UseParentPOM implements PomCheck {

...snip...

This "implements PomCheck" method is exactly how java-plugin supplied rules like GroupIdNamingConventionCheck define themselves as PomChecks - and they are being are selected during my scanning runs. I've checked that I'm compiling my custom rules using the same plugin library version that the SQ installation is using. And running sonar-scanner-debug and attaching to the running process shows my UseParentPOM rule is in fact in the visitors list XMLAnalyzer uses to search for candidate rules. But the specific condition of "visitor instanceof PomCheck" returns false. Ergo, my rule isn't added to the pom rules list and isn't fired when the pom.xml is scanned.

Clearly my rule class isn't the PomCheck that XMLAnalyzer is expecting, but what am I doing wrong to make it an instance of PomCheck?

UPDATE

Some further digging shows that the .jar file providing the class, java-frontend-4.9.0.9858.jar, is in both the base sonar-java-plugin-4.9.0.9858.jar and my custom-java-rules-1.0-SNAPSHOT.jar. My debugging runs show that SonarQube appears to spin up separate classloaders for each plugin .jar found in the extensions directory. So there are indeed, as far as SQ is concerned, 2 'org.sonar.java.xml.maven.PomCheck' classes. Hence my original issue.

I therefor attempted to remove java-frontend-4.9.0.9858.jar (and thus the PomCheck class) from my custom rules .jar by scoping all the sonar related dependencies as <provided>. My hope was the resulting SQ process would then have 1 PomCheck class to rule them all. However the actual result is SQ doesn't even start up, with the web server process failing when attempting to load my custom rule classes due to not being able to find (TA DA) class PomCheck.

I appear therefor to have reached an insoluble dilemma - if I include PomCheck in my custom .jar, SQ starts fine but doesn't recognize my custom rule as a "real" PomCheck. If I don't include PomCheck in my custom .jar, SQ won't start at all. So now I'm really in a quandary - pls help.

ADDITIONAL DETAILS

Re: Nicholas B's request, the code registering my custom rule is as follows

public final class MyRulesList {

...snip...

public static List<Class<? extends JavaCheck>> getChecks() {
   return ImmutableList.<Class<? extends JavaCheck>>builder().addAll(getJavaChecks()).addAll(getJavaTestChecks()).build();
}
public static List<Class<? extends JavaCheck>> getJavaChecks() {
    return ImmutableList.<Class<? extends JavaCheck>>builder()
        .add(PackageNaming.class)
        .add(LoggingLevels.class)
        .add(UseParentPOM.class)
        .build();
}
... snip ...

}

This code was copied straight from the Writing Custom Java Rules 101 site. All 3 custom classes are properly registered as far as I can see - I can see them in the web console UI and add them to a Quality Gate there. The only difference between rules PackageNaming/LoggingLevels and rule UseParentPOM is that UseParentPOM implements the PomCheck interface, not the JavaCheck. However since class PomCheck is nothing but a wrapper around class JavaCheck, this seemed to be the correct way to register the UseParentPom class, eg just like any other JavaCheck. But maybe not?

Answer 1

In short: SonarJava does not support custom checks for POM files (ie custom PomCheck ).

More details

Per Java custom rules tutorial , custom rules must be activated by feeding them to getJavaChecks (checked against source files) or getJavaTestChecks (checked against test files). The thing is that pom.xml files don't fall into any of those two categories, they rather belong to the 'XML files bucket' against which are checked specific rules.

A good way to visualize this is to glance at SonarJava's CheckList.java , note the dedicated getXmlChecks and getMavenChecks . Those are the checks that are actually ran against XML files indexed by the Scanner.

Concretely speaking

While you have freedom to add custom rules to getJavaChecks or getJavaTestChecks , SonarJava APIs do not support adding rules to getMavenChecks (you can try but it'll effectively do nothing). Your overall analysis is quite on spot, but the fact is that only packages containing api are accessible through the classloader ( example ), not the case of PomCheck .

I'm not aware of any plans for changes on this front.

'Outside the box thinking' suggestion

SonarXML supports custom rules using XPath expressions (see extension guide ). With a bit of XPath gymnastic, you could consider extending rule xml:XPathCheck - Track breaches of an XPath rule .