Sonar's Code Scanning configuration

Level 2

Hello,

I'm setting up Sonar's Code Scanning in the AEM pipeline, and I would like to exclude specific issues that do not provide value to us. I've tried configuring the exclusions in the parent pom using:

  • sonar.issue.ignore.multicriteria with value e1,
  • sonar.issue.ignore.multicriteria.e1.ruleKey,
  • sonar.issue.ignore.multicriteria.e1.resourceKey,
  • sonar.exclusions.

It seems that this configuration is being ignored.

I've also attempted to create a sonar-project.properties file at the root of the project with the same content as described above. However, this also didn't work.

Lastly, I tried using @SuppressWarnings annotations, and in this case, it worked. But I find this to be a rather messy option, and I would prefer not to use it to promote project maintainability.

Could anyone provide guidance on how to manage these exclusions cleanly and centrally?

Thank you!

4 Replies

Community Advisor

@sgarciad, can you try the below in the parent pom?

<properties>
    <sonar.exclusions>
        *.html,
        *.xml
    </sonar.exclusions>

    <sonar.coverage.exclusions>
        *.html,
        *.xml
    </sonar.coverage.exclusions>
</properties>

Level 2

Hello,

First of all, thank you very much for the response.

As I mentioned earlier, I tried including those instructions in the parent pom, within the properties block, and they didn't take effect. I also tried isolating the exclusions to just one, without issue exclusions, and the result is the same. In AEM's code scanning, file exclusions are not being considered.

I've also tried these configurations in the different child poms, and it's not working.

We have a cloud-based SonarQube instance that operates simultaneously and independently from AEM, and the exclusion configuration is working correctly there, on the same AEM repository.

Does anyone have any idea what might be happening?

Greetings and thank you!

Community Advisor

Hi @sgarciad ,

I am assuming you are doing this set-up for local AEM since you mentioned the SonarQube cloud instance running with no issue. Is it possible for you to check the settings in the Sonar cloud UI where it is working against the one where it is not? For example, for source file exclusions, below is the navigation as per the documentation:

I hope you have admin access for both Sonar servers.

Your Organization > Your Project Administration - General Settings > Analysis Scope > Files

https://docs.sonarcloud.io/advanced-setup/analysis-scope/#restrict-the-scope-of-coverage-detection

Thanks,

Ritesh Mittal

Level 2

Hello!

First of all, thank you for the response.

I'm working in AEM cloud, not locally, and the issues I'm trying to address are in the AEM cloud pipeline, specifically in the code scanning step. I'm attempting to exclude certain files that don't contribute value in the generated report, which I download as a CSV.

These exclusions have indeed been set up in my SonarQube cloud instance. However, in this case, the configuration is not done through a pom or properties file, but rather within the project's own options under "analysis scope."

I believe the default settings for sonar.source and sonar.tests are suitable, because the project is being analyzed correctly and the coverage of implemented tests is ok, as shown in the screenshot I've attached.

Best regards!
