Add sonarqube output

[kmcrawford]

For Issue #287

[kmcrawford]

travis keeps failing for silly go get network issues.
The command "go get -u golang.org/x/lint/golint" failed and exited with 1 during .

[gcmurphy]

The latest travis-ci run fails on the tip: https://travis-ci.org/securego/gosec/jobs/504930446. gosec runs against itself, and on the tip it seems like a package is missing (which is triggering failure):

could not import golang.org/x/sys/cpu (cannot find package "golang.org/x/sys/cpu" in any of..

Likely introduced by golang/go#24843

So I'm ok with merging this with the ci job failure.

cc/ @MVrachev

[gcmurphy]

Thanks for submitting a PR! 🍺

There are a couple of things we might look at tweaking but looks fairly good.

/cc @ccojocar @MVrachev what are your thoughts around adding elapsed time and truncating file paths in issue output?

[gcmurphy]

I'm not sure modifying the interface to achieve a truncated file path is the best solution here. Is there any specific reason for it? Sonarqube only recognize relative paths?

This is certainly something we can look at fixing though.

[kmcrawford]

Yes, sonarqube reports from the root of the project. I needed a way to remove the full path. Happy to refactor, if you can think of a better way of doing this.

[kmcrawford]

Example of this working:

From:

                {
			"engineId": "gosec",
			"ruleId": "G505",
			"primaryLocation": {
				"message": "Blacklisted import crypto/sha1: weak cryptographic primitive",
				"filePath": "service/caching.go",
				"textRange": {
					"startLine": 5,
					"endLine": 5
				}
			},
			"type": "VULNERABILITY",
			"severity": "MAJOR",
			"effortMinutes": 5
		}

[gcmurphy]

Why hardcode a value here? We could potentially actually capture time elapsed here as part of the reporting process. (start_time, finish_time) to the stats area.

[kmcrawford]

No reason, I just didn’t want to change your project too much when I actually have no idea how long it will take to fix. Since this is used to calculate technical debt in sonarqube, as in how long will it take to fix. 5 minutes seems better than zero, but could be hours since I wouldn't know the impact of the change to the users code.

[kmcrawford]

[ccojocar]

My understanding is that this is an estimation for developers which indicates how long it would take to fix the issue. In this case, I don't see how we can measure it, therefore I am fine with a constant. Maybe in future, it can be defined per issue for a more granular estimation.

I would extract this in a constant with a clear meaning.

[kmcrawford]

done.

[codecov-io]

Codecov Report

Merging #288 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff           @@
##           master    #288   +/-   ##
======================================
  Coverage    56.3%   56.3%           
======================================
  Files           9       9           
  Lines         492     492           
======================================
  Hits          277     277           
  Misses        188     188           
  Partials       27      27

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2bd007e...ba566ec. Read the comment docs.

[kmcrawford]

All open requests have been updated.

[kmcrawford]

bump

[gcmurphy]

Looks like a good addition thanks!. I don't have access to sonarqube to make sure the integration works but have verified the output.