使用SonarLint一次性分析完整的项目 - 通过fiel分析文件会产生不完整的结果 [英] Analyse complete project at once with SonarLint - Analysis file by fiel yields incomplete results

问题描述

我正在用SonarLint eclipse插件评估SonarQube 5.4。

SonarQube以及插件都已经设置并正在运行。但是现在我很惊讶SonarLint应该以连接模式运行：

• SonarLint与SonarQube相连，相应的项目。但是一些问题仅在SonarQube中显示。这是我的理解SonarLint应该能够识别问题，如恶意代码漏洞 - 可能通过引用可变对象来引用内部表示。但是没有。 SonarQube确实。


• 当使用SonarLint分析单个文件时，SonarLint控制台中有很多调试消息，如在资源缓存中找不到类：org / company /项目/ CommonSuperClass 。但更糟糕的是：$ code>资源缓存中找不到类：java / lang / Class 。是否应该这样做？


• 我们特别有兴趣强调开发人员介绍的问题。 SonarQube连接我们的repo，并在责怪提交者方面做了不错的工作。但是，似乎没有办法在sonarlint中显示我自己的问题。


• 我想在我选择的时候运行SonarLint分析，所以我决定停用自动运行SonarLint。但似乎我只能手动分析文件，而不是包或项目。我再次错过了吗？我不想点击我的每个〜2000文件，并手动分析。

解决方案

SonarLint和SonarQube是两种不同的产品：

• 您希望对您正在开发的代码进行非常快速的反馈，以确保不会注入问题=> SonarLint在打开文件时分​​析文件以编写或查看代码


• 你想要一个360度的视觉质量的代码=> SonarQube分析你的项目的所有文件

连接模式是2个世界之间的桥梁，其发展仍在进行中。例如，我们计划让SonarLint内的所有可能的SonarQube项目中发现的问题都可以看到（参见并投票支持 SLE-54 ）。

I'm evaluating SonarQube 5.4 with SonarLint eclipse plugin.

SonarQube as well as the plugin are set up and are running. But now I'm pretty confused how SonarLint is supposed to run in 'connected mode':

• SonarLint is connected with SonarQube and is bound the corresponding project. But some issues are only shown in SonarQube. It was my understanding SonarLint should be able to identify issues like Malicious code vulnerability - May expose internal representation by incorporating reference to mutable object. But it does not. SonarQube does.
• When analysing a single file with SonarLint, there are a lot of debug message in the SonarLint Console like Class not found in resource cache : org/company/project/CommonSuperClass. But even worse: Class not found in resource cache : java/lang/Class. Is it supposed to do that?
• We are specifically interested in highlighting the issues introduced by developer. SonarQube is connected our repo and does a nice job in blaming the committer. But it seems there is no way of showing my own issues in sonarlint.
• I'd like to run the SonarLint analysis at a time of my choice, so i decided to deactivated "Run SonarLint automatically". But it seems I can only analyze files manually, not packages or projects. Am I missing something again? I would not want to click every of my ~2000 files and analyze it by hand.

解决方案

SonarLint and SonarQube are 2 different products:

• You want very fast feedback on the code you are working on to make sure you don't inject issues => SonarLint analyses the files as you open them to write or review code
• You want a 360° vision of the quality of your code => SonarQube analyses all the files of your project

The "connected mode" is the bridge between the 2 worlds, and its development is still underway. For instance, we plan to make it possible to see inside SonarLint all the issues found on the project by SonarQube (see and vote for SLE-54).

这篇关于使用SonarLint一次性分析完整的项目 - 通过fiel分析文件会产生不完整的结果的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！