SonarQube: Custom Java Rules Not Visible in UI

I've been trying for quite some time to implement my own custom Java rule(s) on SonarQube. However, it seems like no matter what I try, I can't get the new rule to show up on the SonarQube UI.

I only have one rule at the moment, a security rule that checks to see if text output is sanitized. The rule extends BaseTreeVisitor and implements JavaFileScanner. It overrides visitMethodInvocation to do some checks on String arguments for the relevant methods. Here is the rule definition annotation:

@Rule(key = "Sanitize_HTML",
    name = "HTML Responses Should be Sanitized",
    tags = {"security", "owasp-a3"},
    priority = Priority.CRITICAL)
@ActivatedByDefault
@SqaleSubCharacteristic(RulesDefinition.SubCharacteristics.SECURITY_FEATURES)
@SqaleConstantRemediation("10min")
public class SanitizeHTMLCheck extends BaseTreeVisitor implements JavaFileScanner{...}

After writing the rule, I wanted to test it, but quickly realized I had to wrap it in a plugin in order to do so. I wrote three additional classes for this, based entirely on the provided example plugin. Here's the base class:

public class SecurityPlugin extends SonarPlugin{

    public List getExtensions(){
        return Arrays.asList(
                JavaClasspath.class,
                JavaTestClasspath.class,
                Java.class,
                SecurityRulesDefinition.class,
                SonarComponents.class,
                DefaultJavaResourceLocator.class);
    }
}

The classes in the list are all irrelevant (added in desperation) except for SecurityRulesDefinition. It mirrors the structure of the MyJavaRulesDefinition class from the example:

public class SecurityRulesDefinition implements RulesDefinition{

    public void define(Context context){
        NewRepository repository = context
                .createRepository(RulesList.REPOSITORY_KEY, Java.KEY)
                .setName("Security Rules");

        AnnotationBasedRulesDefinition.load(repository, Java.KEY, RulesList.getChecks());

        for(NewRule rule : repository.rules()){
            rule.setInternalKey(rule.key());
        }

        repository.done();
    }
}

Finally, just like the example, here's RulesList, where all of my rule classes are supposed to go:

public class RulesList {

    public static final String REPOSITORY_KEY = "security_java";

    private RulesList(){}

    public static List<Class> getChecks(){
        return ImmutableList.<Class>builder().addAll(getJavaChecks()).addAll(getJavaTestChecks()).build();
    }

    //Add all checks to here...
    public static List<Class<? extends JavaCheck>> getJavaChecks(){
        return ImmutableList.<Class<? extends JavaCheck>>builder()
                .add(SanitizeHTMLCheck.class)
                .build();
    }

    //Put all test checks here
    public static List<Class<? extends JavaCheck>> getJavaTestChecks(){
        return ImmutableList.<Class<? extends JavaCheck>>builder()
                .build();
    }

}

Like I said, these are all pretty much ripped from the example plugin, so I have no idea what could be wrong with them.

I'm using Eclipse with M2E to try and build the plugin. As suggested by the documentation's Coding A Plugin page, I've added the following plugin tag to my pom.xml:

  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.sonar</groupId>
        <artifactId>sonar-packaging-maven-plugin</artifactId>
        <version>1.13</version>
        <extensions>true</extensions>
        <configuration>
          <pluginKey>securityrules</pluginKey>
          <pluginClass>org.myOrg.sonar_analysis.security_rules_java.SecurityPlugin</pluginClass>
          <pluginName>Sonar Java Custom Security Rules</pluginName>
          <pluginDescription>Implements several checks against OWASP-Top-10 vulnerabilities.</pluginDescription>
        </configuration>
      </plugin>
    </plugins>
  </build>

Now, according to everything I've read, I should be able to build the project (right-click on the project > Run As > Maven Build, with goal "package"), drop the resulting .jar into SONAR_HOME/extensions/plugins, and when I restart the server, the rule (and repository) should be there. However, no matter what I try, it's never there. I've spent hours combing the internet and trying anything I find, but the rule never shows up in the UI.

Am I missing something? Have I done something wrong? Is my code incorrect or missing anything?

Thank you for reading this monster post. Any advice you have is valuable, as I'm out of ideas.

Fac3Value asked May 10 '26 01:05


1 Answer

The structure of the code seems right to me (more or less). In the SecurityPlugin class, you return many classes (JavaClasspath.class, JavaTestClasspath.class and so on)... What are they for? What do they implement/extend? In my experience you need to return there:

- a "RulesDefinition" (to see the rule in SonarQube) and
- a CheckRegistrar (to let the checks be used).

Maybe my small rules project will give you some ideas (https://github.com/arxes-tolina/sonar-plugins ; one rule with two checks). If you are still struggling with the rules, try to set the sonar.log.level property (./conf/sonar.properties) to DEBUG and watch the start-up of SonarQube.

wojtus answered May 12 '26 15:05
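As an added illustration of the answer's two-extension point (this is example code written for this page, not code from the question, the answer, or the linked project), here is how a plugin built against the SonarPlugin / sonar-java API generation used in the question wires a RulesDefinition together with a CheckRegistrar. It reuses the question's RulesList and SecurityRulesDefinition exactly as posted; the class name SecurityCheckRegistrar is an assumption chosen here. The RulesDefinition publishes the rule metadata so the rule is listed in the UI and can be activated in a quality profile; the CheckRegistrar is what tells the Java analyzer which check classes to instantiate at scan time. The two classes below go in separate source files, since both must be public for SonarQube to load them by reflection.

```java
// File: SecurityCheckRegistrar.java  (added example; name is an assumption)
package org.myOrg.sonar_analysis.security_rules_java;

import org.sonar.plugins.java.api.CheckRegistrar;

/**
 * Registers the check classes of the "security_java" repository with the
 * Java analyzer, so instances of them are actually run during analysis.
 * A RulesDefinition alone only publishes rule metadata to the server.
 */
public class SecurityCheckRegistrar implements CheckRegistrar {

    @Override
    public void register(RegistrarContext registrarContext) {
        // Must be the same repository key that SecurityRulesDefinition passed
        // to createRepository(...); otherwise issues raised by the checks cannot
        // be mapped back to the rules the server displays.
        registrarContext.registerClassesForRepository(
                RulesList.REPOSITORY_KEY,
                RulesList.getJavaChecks(),
                RulesList.getJavaTestChecks());
    }
}

// File: SecurityPlugin.java  (replaces the getExtensions() body from the question)
package org.myOrg.sonar_analysis.security_rules_java;

import java.util.Arrays;
import java.util.List;

import org.sonar.api.SonarPlugin;

/** Plugin entry point: register only the two extensions this plugin owns. */
public class SecurityPlugin extends SonarPlugin {

    @Override
    public List getExtensions() {
        // JavaClasspath, Java, SonarComponents, DefaultJavaResourceLocator etc.
        // belong to the bundled Java plugin and are not re-registered here.
        return Arrays.asList(
                SecurityRulesDefinition.class,   // rule metadata -> visible in the UI
                SecurityCheckRegistrar.class);   // check classes -> executed by the analyzer
    }
}
```

After `mvn package`, the fully qualified name in the pom's `<pluginClass>` must match the SecurityPlugin class above, and the jar goes into SONAR_HOME/extensions/plugins before a restart. The rule should then be listed under the "Security Rules" repository on the Rules page; if it is not, the answer's suggestion of `sonar.log.level=DEBUG` in conf/sonar.properties makes the server log which plugins and extensions it loads at start-up, which is the quickest way to see whether the jar was picked up at all.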
