java - Cobertura changes Sonar violations
My co-worker found this morning that compiling a project with Cobertura enabled changes the Sonar results on the same project.

On this particular project we ran a build with sonar:sonar, and then ran it again with cobertura:cobertura sonar:sonar.

The Sonar results in comparison show that without Cobertura we have 7/78/153/24/0 violations of the 5 severities, and Cobertura changes that to 7/81/94/24/0, and, in particular, finds 3 new critical violations and 15 new major violations that aren't found without Cobertura.

One of the biggest changes is that without Cobertura there are 60 violations of a rule against empty methods (many of them constructors), and with Cobertura 3 of them are reported.

If Cobertura prevented violations from being found, we could run the 2 independently, but since violations are found with Cobertura enabled, it seems we have to have 2 separate Sonar analyses.

Is this a known interaction? Is there a workaround other than doing Cobertura and Sonar in separate builds, and using both sets of results to get the best data?
Based on the comment you made, let me explain what seems to be happening: you are using FindBugs via SonarQube (the rules mentioned are FindBugs rules).

First, let's think about the 2 tools involved here and how they work (roughly):

FindBugs: a static analysis tool based on bytecode. It reads the bytecode and raises an issue when it detects a bad pattern.
Cobertura: a coverage tool. How does it work? It instruments the bytecode to place probes, and when the tests are run it keeps track of which probes are hit or not.

Then you can understand what the issue might be: FindBugs ends up analyzing bytecode instrumented by Cobertura. This would explain why you have new issues, and why some of the empty methods issues are removed when analyzing with Cobertura.

To avoid this issue, you have to make sure the bytecode files are not instrumented when you analyze them with FindBugs. (Disclaimer: I develop the Sonar Java plugin, so I might be a little biased here ;) ) I would recommend that you stop using FindBugs in favor of the SonarQube Java analyzer, which won't have this issue, as the analyzer approaches things differently (see the blog post about that).
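One way to check, before a bytecode-based analysis runs, that the class files it will read are not instrumented. This is an added example, not part of the original answer and not code from Sonar, FindBugs or Cobertura. It assumes that Cobertura-instrumented classes carry constant-pool strings that start with the net/sourceforge/cobertura/ package or the __cobertura prefix; the sample class files are constructed for the demonstration.

```python
import struct
from pathlib import Path

# Payload size in bytes after the tag for each fixed-size constant-pool entry (JVM class-file format).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumption: instrumented classes reference Cobertura's runtime package or "__cobertura" members.
MARKERS = (b"net/sourceforge/cobertura/", b"__cobertura")

def utf8_constants(data):
    """Yield the raw bytes of every CONSTANT_Utf8 entry in a class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, index = 10, 1                      # constant-pool indices start at 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                        # Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            yield data[pos:pos + length]
            pos += length
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots

def is_instrumented(data):
    """True if any Utf8 constant starts with one of the assumed Cobertura markers."""
    return any(c.startswith(MARKERS) for c in utf8_constants(data))

def instrumented_classes(root):
    """Paths of instrumented .class files under root, e.g. the directory the analyzer reads."""
    return sorted(str(p) for p in Path(root).rglob("*.class") if is_instrumented(p.read_bytes()))

def sample_class(strings):
    """Constructed class-file prefix (header plus constant pool only) for the demo."""
    pool = b"\x05" + bytes(8) + b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(strings) + 3) + pool

# Constructed samples: one plain class, one with Cobertura-style names in its constant pool.
CLEAN = sample_class([b"com/example/Foo", b"<init>"])
INSTRUMENTED = sample_class([b"com/example/Foo", b"__cobertura_counters",
                             b"net/sourceforge/cobertura/coveragedata/TouchCollector"])

if __name__ == "__main__":
    print(is_instrumented(CLEAN), is_instrumented(INSTRUMENTED))
```

Running instrumented_classes() on the directory the analyzer is pointed at and failing the build when the list is non-empty keeps an instrumented build from silently changing the analysis results.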