SpotBugs
Maven plugin declaration (goes under `build/plugins` in pom.xml; the report lands in `target/spotbugs-reports`):

```xml
<plugin>
  <groupId>com.github.spotbugs</groupId>
  <artifactId>spotbugs-maven-plugin</artifactId>
  <version>4.9.6.0</version>
  <configuration>
    <outputDirectory>${project.build.directory}/spotbugs-reports</outputDirectory>
    <htmlOutput>true</htmlOutput>
  </configuration>
</plugin>
```

Generate the report:

```bash
mvn spotbugs:spotbugs
```

`mvn spotbugs:check` runs the same analysis but fails the build when any bug is reported, which is the goal to wire into CI. By default only medium-confidence-and-above findings are shown; the plugin's `threshold` (Low) and `effort` (Max) settings widen coverage at the cost of more false positives.
Bug categories worth watching (SpotBugs files every pattern under one of these):
- Bad practice
- Correctness
- Experimental
- Internationalization
- Malicious code vulnerability
- Multithreaded correctness
- Performance
- Security
- Dodgy code
For example:
- NP_NULL_ON_SOME_PATH: possible null pointer dereference on some code path
- NP_DEREFERENCE_OF_NULLEABLE_VALUE: a value that may be null is dereferenced (check the exact pattern id against the SpotBugs bug-descriptions page before filtering on it; the related patterns for a possibly-null method return value are in the NP_ family)
- OS_OPEN_STREAM: an I/O stream is opened but may not be closed on every path
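The first and third patterns side by side with the code that clears them, as an added example (not from the original notes; the class and method names are hypothetical). Running `mvn spotbugs:spotbugs` on a project containing this class reports NP_NULL_ON_SOME_PATH on `greetingLengthBad` and OS_OPEN_STREAM on `firstByteBad`; the `Good` variants produce no finding.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical class written to trigger two SpotBugs patterns, each beside
// a rewrite that SpotBugs accepts.
public class SpotBugsDemo {

    // NP_NULL_ON_SOME_PATH: `greeting` stays null when `name` is empty and is
    // then dereferenced unconditionally.
    static int greetingLengthBad(String name) {
        String greeting = null;
        if (!name.isEmpty()) {
            greeting = "Hello, " + name;
        }
        return greeting.length(); // NPE on the empty-name path
    }

    // The null path is handled explicitly, so every dereference is safe.
    static int greetingLengthGood(String name) {
        if (name.isEmpty()) {
            return 0;
        }
        return ("Hello, " + name).length();
    }

    // OS_OPEN_STREAM: the FileInputStream is never closed, on the normal
    // path or when read() throws.
    static int firstByteBad(Path file) throws IOException {
        InputStream in = new FileInputStream(file.toFile());
        return in.read();
    }

    // try-with-resources closes the stream on every path, including exceptions.
    static int firstByteGood(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            return in.read();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(greetingLengthGood("spotbugs"));
        // Constructed input: a one-byte temp file, removed afterwards.
        Path tmp = Files.createTempFile("spotbugs-demo", ".bin");
        Files.write(tmp, new byte[] {0x41});
        System.out.println(firstByteGood(tmp));
        Files.delete(tmp);
    }
}
```

The `Bad` methods compile and behave correctly on the happy path, which is the point: these are defects that only show up on the path the developer did not test, and that the analysis finds without running the code.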
SonarQube
Run SonarQube Community Edition for a local test:

```bash
docker run -d --name sonarqube-test -p 9000:9000 sonarqube:community
```

This is an evaluation setup only: the image uses its embedded H2 database, and the initial login is `admin`/`admin`, which must be changed on first login. If the instance only needs to be reached from the host, bind the port to localhost (`-p 127.0.0.1:9000:9000`) instead of every interface.
GitLab CI integration

```yaml
# Only the checkout settings the jobs rely on; a full clone is needed so
# SonarQube can compute blame and the new-code period.
variables:
  GIT_STRATEGY: clone
  GIT_DEPTH: 0

stages:
  - build
  - sonarqube-check

build:
  stage: build
  tags:
    - sonarRunner
  only:
    - dev
    - merge_requests   # same triggers as the scan job, so its dependency exists in MR pipelines too
  script:
    - mvn clean package '-Dmaven.test.skip=true'
  artifacts:
    paths:
      - app/target/classes   # compiled classes; required for Java analysis
    expire_in: 1 hour        # long enough for the next stage to download them

# SonarQube analysis stage
sonarqube-check:
  stage: sonarqube-check
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [ "" ]
  dependencies:
    - build
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: 0
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  before_script:
    - echo "===== environment check ====="
    # sonar-scanner ships in the image. If the sonarRunner tag selects a shell
    # executor instead of Docker, `image` is ignored and the scanner must be on
    # that host's PATH:
    #- export PATH="/home/gitlab-runner/sonar-scanner-7.1.0.4889-linux-x64/bin:$PATH"
    - sonar-scanner -v
    - echo "SONAR_HOST_URL=${SONAR_HOST_URL}"   # never echo SONAR_TOKEN; store it as a masked, protected CI variable
    - ls -l app/target/classes/ 2>/dev/null || echo "app/target/classes missing: build artifact not downloaded?"
    - rm -rf .scannerwork/   # stale scanner state from a previous run
    # No need to delete sonar-project.properties: -D parameters on the command
    # line take precedence over the file.
  script:
    - echo "===== starting scan ====="
    # Java-only scan: exclusions are enough to skip JS/TS; sonar.language is
    # no longer supported and is dropped.
    # CI_PROJECT_PATH_SLUG is unique across groups, whereas CI_PROJECT_NAME can collide.
    - sonar-scanner
      -Dsonar.exclusions=**/*.js,**/*.ts,**/*.jsx,**/*.tsx,**/node_modules/**,**/static/**
      -Dsonar.projectKey=${CI_PROJECT_NAME}
      -Dsonar.sources=app/src/main
      -Dsonar.java.binaries=app/target/classes
      -Dsonar.host.url=${SONAR_HOST_URL}
      -Dsonar.token=${SONAR_TOKEN}
      -Dsonar.qualitygate.wait=true
      -Dsonar.qualitygate.timeout=600
  only:
    - dev
    - merge_requests
  tags:
    - sonarRunner
  # Equivalent rules: form if migrating away from only:
  #rules:
  #  - if: $CI_PIPELINE_SOURCE == "merge_request_event"   # on merge requests
  #  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH        # on pushes to the default branch
  #  - if: $CI_COMMIT_TAG                                  # on tags
```

With `sonar.qualitygate.wait=true` the scanner blocks until the server has computed the quality gate and exits non-zero when it fails, so a failing gate fails the job and, on `merge_requests` pipelines, blocks the merge. The `build` artifact is the only input the scan job needs from the build stage; the paths in the diagnostics, `sonar.java.binaries`, and `artifacts.paths` must all point at the same directory (`app/target/classes` here).
Qodana
JetBrains' code quality scanner, built on the IntelliJ IDEA inspection engine (the same inspections IDEA shows in the editor, run in CI). Findings to prioritise:
- resource management (streams not closed)
- null problems (NPE)
- performance (boxed types, string concatenation with `+`, index-based list iteration, etc.)
- probable bugs (empty statements, unused assignments, calls that may return null)
- control-flow problems (duplicate conditions, redundant null checks)
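An added example (not from the original notes; the class is hypothetical) that triggers the performance, probable-bug, and control-flow inspections in the last three bullets, each beside a rewrite the inspections accept. It compiles and runs correctly as written, which is why these smells survive code review and need a tool to surface them.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical class carrying the smells Qodana / IDEA inspections report,
// each beside the form that no longer triggers them.
public class QodanaDemo {

    // Performance: boxed accumulator (unboxed and re-boxed on every ++),
    // string concatenation inside a loop, index-based iteration over a List.
    static String joinBad(List<String> items) {
        Integer count = 0;
        String out = "";
        for (int i = 0; i < items.size(); i++) {
            out += items.get(i) + ",";
            count++;
        }
        return count + ":" + out;
    }

    // Primitive counter, StringBuilder, enhanced for loop.
    static String joinGood(List<String> items) {
        int count = 0;
        StringBuilder out = new StringBuilder();
        for (String item : items) {
            out.append(item).append(',');
            count++;
        }
        return count + ":" + out;
    }

    // Probable bugs and control flow: `label` is assigned a value that is
    // overwritten on every path; `s` is dereferenced before the null check, so
    // the check is redundant (and the NPE it meant to prevent already happened);
    // the second `len > 10` duplicates the first and is unreachable; the
    // trailing `;` after the else block is an empty statement.
    static String classifyBad(String s) {
        int len = s.length();
        String label = "unknown";
        if (s == null) {
            return "null";
        }
        if (len > 10) {
            label = "long";
        } else if (len > 10) {
            label = "also long";
        } else {
            label = "short";
        };
        return label;
    }

    // Null check before the first dereference, one condition, no dead stores.
    static String classifyGood(String s) {
        if (s == null) {
            return "null";
        }
        return s.length() > 10 ? "long" : "short";
    }

    public static void main(String[] args) {
        // Constructed input.
        List<String> items = new ArrayList<>(List.of("a", "b", "c"));
        System.out.println(joinGood(items));
        System.out.println(classifyGood("static analysis"));
        System.out.println(classifyGood(null));
    }
}
```

The null-check ordering in `classifyBad` is the one finding here with a direct reliability impact: the redundant check is a symptom that the author expected `s` to be nullable, and the dereference two lines earlier is where the NPE actually fires.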