Static code scanning is a way to analyze project code without running it. It can find code bugs (such as null pointer dereferences), vulnerabilities, bad smells (such as a method with too many lines of code), and so on. It can also report the duplication rate, comment rate, comment lines, number of lines of code, complexity and other metrics of a repository. Static code scanning can be run before the code goes live, is cheap to execute, and is therefore widely used in CI pipelines.
SonarQube is a static code scanning service (https://www.sonarqube.org/) that supports code scanning for mainstream languages. Its community version is open source on GitHub: https://github.com/SonarSource/sonarqube. However, the community version does not support some languages, such as Objective-C and Swift. What this repository aims to solve is static code scanning and analysis for these two languages.
As a mature code scanning service, SonarQube exposes a plug-in interface, which allows third-party scanning tools to import their results into SonarQube for display. This repository is a secondary development based on https://github.com/Idean/sonar-swift; on top of the original functionality it adds the import of Facebook Infer scan results.
This repository is an iOS code scanning plug-in for SonarQube. It supports the Objective-C and Swift languages and imports the scan and analysis results of the SwiftLint, Infer, OCLint, Lizard and Faux Pas tools.



Since version 1.6, the minimum supported SonarQube version is 7.9.
We invited other colleagues to review the existing Infer rules within the company and filtered out some rules for scanning for your reference.
Infer is a static code scanning tool launched by Facebook that supports scanning C/C++/Java/Objective-C code.
Link: https://github.com/facebook/infer
SwiftLint is a static code analysis tool that checks Swift code style and conventions. It is largely based on GitHub's Swift style guide; the reported problems are shown in Xcode, and it can also generate a report file. We read the generated report file and upload it to SonarQube.
Link: https://github.com/realm/SwiftLint
Lizard can analyze the cyclomatic complexity of Objective-C code, generate an XML file, and import it into SonarQube's results.
Link: https://github.com/terryyin/lizard
OCLint is a static code analysis tool for the C/C++/Objective-C languages. Unlike Infer, it focuses on problems such as coding conventions, so we classify the problems found by OCLint as bad smells (code smells).
Link: https://github.com/oclint/oclint
Faux Pas is commercial software that supports scanning and analysis of Objective-C code.
Link: http://fauxpasapp.com/
Download the plug-in jar from the releases page: https://github.com/tal-tech/sonar-swift/releases
Place the jar file in the extensions/plugins/ directory of the SonarQube installation directory, then restart SonarQube.
Refer to the following script for usage:
# run xcodebuild and write its log to a file
xcodebuild clean build -workspace app.xcworkspace -scheme scheme -destination 'generic/platform=iOS' COMPILER_INDEX_STORE_ENABLE=NO | tee xcodebuild.log > /dev/null
xcpretty -r json-compilation-database -o compile_commands.json < xcodebuild.log > /dev/null
# --skip-analysis-in-path excludes a directory from the scan
infer run --skip-analysis-in-path Pods --compilation-database compile_commands.json
# optional, if the project uses Swift
# swiftlint lint > swiftlint.txt
# optional, for Java
# infer run -- ./gradlew build
# then add -Dsonar.java.infer.report=infer-out/report.json to the sonar-scanner command
# optional, if you want to compute complexity
# lizard --xml > lizard-report.xml
# then add -Dsonar.swift.lizard.report=lizard-report.xml to the sonar-scanner command
sonar-scanner -Dsonar.host.url=http://sonarqube -Dsonar.projectKey=app -Dsonar.sources=. -Dsonar.swift.swiftlint.report=swiftlint.txt -Dsonar.swift.infer.report=infer-out/report.json
# OCLint example
# -Dsonar.swift.oclint.report=oclint_report.xml

Scanning must be run on the macOS operating system.
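The script above passes a fixed set of report properties to sonar-scanner, so a CI job whose Infer step silently failed would still upload a scan that looks clean. The following helper is an added example, not part of the tal-tech/sonar-swift project: it assembles the report properties only from the report files that actually exist and refuses to continue when the Infer report (the core import of this plug-in) is missing or empty. The property keys and file names are the ones used in the script above; the function name `build_scanner_args` and the `REPORT_DIR` variable are this example's own choices.

```shell
#!/bin/sh
# Added example (not the project's own code): build the sonar-scanner report
# properties from the report files present in a checkout, failing fast when the
# mandatory Infer report is absent so an incomplete scan is never uploaded.

# build_scanner_args DIR
# Prints one -Dsonar.*=path flag per report file found under DIR (paths are
# printed relative to DIR, as sonar-scanner is run from there) and returns 1
# when infer-out/report.json is missing or empty.
build_scanner_args() {
    dir="$1"
    # Infer is the required import for this plug-in: stop if its report is missing.
    if [ ! -s "$dir/infer-out/report.json" ]; then
        echo "missing or empty Infer report: $dir/infer-out/report.json" >&2
        return 1
    fi
    args="-Dsonar.swift.infer.report=infer-out/report.json"
    # Optional reports: add a property only when the file exists and is non-empty.
    [ -s "$dir/swiftlint.txt" ]     && args="$args -Dsonar.swift.swiftlint.report=swiftlint.txt"
    [ -s "$dir/lizard-report.xml" ] && args="$args -Dsonar.swift.lizard.report=lizard-report.xml"
    [ -s "$dir/oclint_report.xml" ] && args="$args -Dsonar.swift.oclint.report=oclint_report.xml"
    printf '%s\n' "$args"
}

# Usage in a CI job: set REPORT_DIR to the project checkout (assumed variable
# name), run the tools from the script above, then:
if [ -n "${REPORT_DIR:-}" ]; then
    extra="$(build_scanner_args "$REPORT_DIR")" || exit 1
    # $extra is intentionally unquoted so each -D flag becomes its own argument.
    sonar-scanner -Dsonar.host.url=http://sonarqube -Dsonar.projectKey=app -Dsonar.sources=. $extra
fi
```

Because the helper returns a non-zero status instead of uploading a partial result, the pipeline fails visibly when a scanner step did not produce output, which is the behaviour you want from a quality gate.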
You can join the WeChat group by scanning the QR code.
Users are welcome to register their company name in #9 (for reference by other users only).