Sonar offers to “basic” profiles to analyze a project. Sonar uses Findbugs to analyze not only the source code, but the binary version for violations and possible bugs too.

• “Sonar way” is looking at the source code. This allows for finding the most common violations with minimum effort.
• “Sonar way with Findbugs” also takes the CLASS files into consideration.

As a binary comparison adds additional checks compared to looking at the source code alone, the number of violations found naturally tends to be higher. Taking a simple Web Dynpro Java 7.3 application with one view as an example, how does Findbugs influences the result?

Without Findbugs

This project looks very good. Rules compliance is very high, only 5 major issues.

With Findbugs:

9 violations added, all part of the category major.

Configuration

To make use of the binary comparison feature, the class and JAR files have to be provided to Findbugs. Depending if you use Sonar runner, maven or the ant task you`ll have to define the location of the binaries using a different configuration file. WDJ projects create a lib directory, let`s just use this directory. That`s not a problem in “normal” Java projects with a dependency resolver handling the dependencies.

In build.xml for ant, the property to set the directory with the binaries is sonar.libraries

Example:

<property name="sonar.libraries" value="${liblist}" />

The variable lib needs to be a comma separated list of JAR files.

<target name="sonar" xmlns:sonar="antlib:org.sonar.ant">

     <pathconvert property="list">

           <path>

           <fileset dir="lib"><include name="**/*.jar" />  </fileset>

           </path>

     </pathconvert>

<echo message="${list}" file="file.tmp" />

     <loadfile property="liblist" srcFile="file.tmp">

         <filterchain>

             <tokenfilter>

                 <replaceregex pattern=";" replace="," flags="g"/>

             </tokenfilter>

         </filterchain>

     </loadfile>

     <property name="sonar.libraries" value="${liblist}" />

     <sonar:sonar />

</target>

A problem is now is to find the JAR files needed. Findbugs is nice enough to tell you which classes are missing when the analysis running.

The list goes on and on, and that is without consuming any BAPI, Web Service or EJB.

How to find the needed JARs?

Easiest way is to put all the JARs you find from SAP NetWeaver into the lib dir. The biggest problem here is that it will take Findbugs minutes to load all JARs and you will waste quite some space on your HD as the actual size needed by the minimum JAR files isn`t large.

Findbugs shows the whole class path. It is possible to use a tool like tattletale (blog to come) to index the JARs and then find them in the generated reports. Another way is to use common sense when searching (or tattletale). Here is a list of JARs I came up with for making Findbugs find all dependencies (<5MB):

Of course, depending on the WDJ application, this list is due to change. Adding these files to the lib directory makes Findbugs work just fine:

Result

Now you can analyze Web Dynpro Java project with Sonar using Findbugs.