For a few days, I’ve been working on a small project called
cargo-sonar and now is the time to
make it public.
Sonar  is a great tool for managing the quality of your software. Although, you might disagree if you’ve been using it 10 years ago!
However, our beloved language Rust has not been supported by Sonar (although there have been discussion about it).
In a company, Sonar is a great tool for centralizing all metrics about code quality. So not having Rust’s support is another reason a company could rule out Rust as a technical solution (a small one but still a valid one).
The community already provided a great plugin for
sonar-rust. Even if the
maintenance of the code has not been very active in the last few months, the
plugin just works fine. But there is one trick, it has to be installed
server-side. If you want to manage your own in-house instance of Sonar,
that’s the go-to solution. But sonarcloud.io
who provides hosted instances of Sonar doesn’t allow custom plugins to be
installed. So how do we do it?
Well, Sonar actually have an API to provide
How about we use the output from
clippy, transform it into this generic issue
format, then send it to Sonar? That’s exactly what
cargo-sonar is made for…
and a bit more.
First of all, you’ll have to generate
clippy output in JSON format. You can
clippy::pedantic in this case to have maximum feedback.
cargo clippy --all-features --all-targets --message-format=json -- --warn clippy::pedantic > clippy.json
Convert into Sonar generic issues
Here is where
cargo-sonar do its work.
cargo install cargo-sonar cargo sonar --clippy
This is going to produce a file
sonar.json from the
Push the generic issues to sonarcloud.io
You’ll need an account on sonarcloud.io and a existing project. To push the
generic issues, we’re going to use
Once you’ve installed
sonar-scanner, you’ll have to create a
sonar-project.properties file. I’ll take
cargo-sonar as an example.
sonar.organization=woshilapin sonar.projectKey=woshilapin_cargo-sonar sonar.projectName=cargo-sonar sonar.sources=. sonar.host.url=https://sonarcloud.io sonar.sourceEncoding=UTF-8 sonar.externalIssuesReportPaths=sonar.json sonar.login=the_token_of_the_project
Do not forget to replace the
sonar.login property with your project’s token.
Did you see the
sonar.externalIssuesReportPaths property refering to our
sonar.json file. Now, you can just run
sonar-scanner and go see on
clippy is nice but we have tons of tools in the Rust ecosystem. How
about seing CVE in Sonar? How about outdated dependencies? Or licenses incompatibilities?
With the same logic, I’ve been implementing conversion into generic issues for the following tools.
cargo audit --json > audit.json cargo sonar --audit
cargo deny --format json check 2> deny.json cargo sonar --deny
cargo outdated --depth 1 --format json --workspace > outdated.json cargo sonar --outdated
The project is pretty young. Not a lot of tests, the documentation can
definitely be better, the code is made of huge functions and could probably have
a better architecture… but it works. I’m hoping for some feedbacks to better
focus on the next steps. You can post on
issues, or on forums
like URLO or
woshilapin on both of them.