
I'm trying to create a custom SonarQube rule in VisualStudio 2015, using the Roslyn SDK Generator.

The generator works fine and I'm able to publish the .jar file to the SonarQube server and use my custom rule in daily builds. Now I would like to categorize the rule as "Vulnerability", but it always appears as "Code Smell".

I tried a couple of approaches:

  1. Changed the "Category" of the DiagnosticDescriptor class to "Security"

    private const string Category = "Security";
    
    private static DiagnosticDescriptor Rule = new DiagnosticDescriptor(DiagnosticId, Title, MessageFormat, Category, DiagnosticSeverity.Warning, isEnabledByDefault: true, description: Description);
    
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics { get { return ImmutableArray.Create(Rule); } }
    
  2. Changed the XML template provided by the generator and regenerated the plugin using the new XML (I tried "SECURITY" and "SECURITY_COMPLIANCE" in place of the generated "MAINTAINABILITY_COMPLIANCE")

     <sqale xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <chc>
        <key>SECURITY</key>
        <chc>
          <rule-key>MyRule</rule-key>
          <prop>
            <key>remediationFunction</key>
            <txt>CONSTANT_ISSUE</txt>
          </prop>
          <prop>
            <key>offset</key>
            <txt />
            <val>15min</val>
          </prop>
        </chc>
      </chc>
    </sqale>
    

Nothing worked so far.

I'm using the following configuration:

  • VS2015 Update 3
  • SonarQube v. 6.1
  • SonarLint v. 2.8
  • Custom C# analyzer developed with SonarQube.Roslyn.SDK v. 1.0
Thomas Weller

1 Answer


Unfortunately, it seems that the ability to explicitly set the category is not yet implemented - see https://jira.sonarsource.com/browse/SFSRAP-48

As a workaround you can add the tag `security` to a rule, and the rule will be categorized as Vulnerability thanks to the automatic conversion of tags into categories in SonarQube. However, it seems that SonarQube.Plugins.Roslyn.RuleGenerator is not considering the CustomTags property when building the SonarQube rule, but adding `newRule.Tags = diagnostic.CustomTags?.ToArray();` to the method SonarQube.Plugins.Roslyn.RuleGenerator.GetAnalyzerRules and rebuilding sonarqube-roslyn-sdk will do the job.

Godin
  • Thank you for your suggestion. I tried adding custom tag `security`, but it seems that the plugin generator is ignoring the custom tag when generating the SonarQube plugin. Checking the current implementation in SonarQube.Roslyn.SDK v. 1.0, I actually found that the class SonarQube.Plugins.Roslyn.RuleGenerator is not considering the CustomTags property when building the SonarQube rule. Adding this line of code `newRule.Tags = diagnostic.CustomTags?.ToArray();` in method SonarQube.Plugins.Roslyn.RuleGenerator.GetAnalyzerRules and rebuilding locally, worked perfectly – Marco Franzé Nov 18 '16 at 16:05
  • @MarcoFranzé wasn't aware that custom tags are ignored, so I updated the answer in case you wanna accept it as the correct one. – Godin Nov 18 '16 at 18:56
  • @tamas-sonarsource-team could you please have a look at this - this seems to be a common difficulty in usage of SDK ? – Godin Nov 18 '16 at 18:56
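The workaround described in the answer has two halves: the analyzer must carry the `security` custom tag on its `DiagnosticDescriptor`, and the SDK's `RuleGenerator.GetAnalyzerRules` must be patched to copy `CustomTags` into the generated rule so SonarQube can map the tag to the Vulnerability type. The following is an added example of the analyzer half, not code from the question, the answer or the SonarQube Roslyn SDK. The analyzer name `MyRuleAnalyzer`, the rule key `MyRule` and the check it performs (flagging `new System.Random()` as insecure randomness) are assumptions chosen only to give the descriptor a realistic home; the relevant part is the `customTags` argument, which is the last (`params string[]`) parameter of Roslyn's `DiagnosticDescriptor` constructor and is the property the answer's one-line SDK patch reads.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

// Hypothetical analyzer (added example). The check itself is a placeholder;
// the point is the "security" custom tag on the descriptor, which the answer
// says SonarQube converts into the Vulnerability type once the SDK copies
// DiagnosticDescriptor.CustomTags into the generated rule.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class MyRuleAnalyzer : DiagnosticAnalyzer
{
    public const string DiagnosticId = "MyRule";   // assumed rule key, matches <rule-key> in the sqale XML
    private const string Category = "Security";     // Category alone is NOT enough (see question)

    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        DiagnosticId,
        "Use a cryptographically secure random number generator",
        "'{0}' is not suitable for security-sensitive values",
        Category,
        DiagnosticSeverity.Warning,
        isEnabledByDefault: true,
        description: "System.Random is predictable; use System.Security.Cryptography.RandomNumberGenerator.",
        helpLinkUri: null,
        // This is what the answer's workaround relies on: the tag "security"
        // ends up in newRule.Tags after patching RuleGenerator.GetAnalyzerRules.
        customTags: new[] { "security" });

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        // Syntax-node registration works on the Roslyn 1.x that ships with VS2015,
        // unlike the IOperation-based actions that arrived later.
        context.RegisterSyntaxNodeAction(AnalyzeObjectCreation, SyntaxKind.ObjectCreationExpression);
    }

    private static void AnalyzeObjectCreation(SyntaxNodeAnalysisContext context)
    {
        var creation = (ObjectCreationExpressionSyntax)context.Node;

        // Resolve the constructed type through the semantic model so aliases
        // and fully-qualified names are all handled the same way.
        var typeSymbol = context.SemanticModel.GetTypeInfo(creation).Type;
        if (typeSymbol == null)
        {
            return;
        }

        var randomType = context.Compilation.GetTypeByMetadataName("System.Random");
        if (randomType == null || !typeSymbol.Equals(randomType))
        {
            return;
        }

        context.ReportDiagnostic(Diagnostic.Create(Rule, creation.GetLocation(), typeSymbol.ToDisplayString()));
    }
}
```

After building the analyzer, run the SDK that has been rebuilt with the answer's `newRule.Tags = diagnostic.CustomTags?.ToArray();` line in `GetAnalyzerRules`, and check the generated rules XML inside the .jar for a `<tag>security</tag>` entry under `MyRule` before deploying; if the tag is missing there, the SDK patch did not take and SonarQube will still file the rule as a Code Smell.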