Browse by type
The Coverity Sonar Plugin automatically import issues from Coverity Connect into SonarQube.
Version 1.6.2
This guide is intended to assist you with the installation and configuration of the Coverity Sonar plug-in. Once completed, you will be able to view Coverity Analysis issues within the SonarQube environment.
The table below displays the software versions supported by the Coverity Sonar plug-in.
| Software | Supported versions |
|---|---|
| SonarQube | 5.6.6+ |
| SonarQube Scanner | 3.0+ |
| Coverity Connect | 8.0+ |
To install the Coverity Sonar plug-in, complete the following steps.
Ensure that you have SonarQube v5.6.6+ and SonarQube Scanner v3.0 installed. Sonar installation and setup instructions are located at http://docs.sonarqube.org/display/SONAR/Setup+and+Upgrade.
Download and unzip the Coverity Sonar plug-in to the Sonar plugins folder:
<SonarInstallDirectory>/extensions/plugins
Restart SonarQube.
Note: After upgrading SonarQube, reset the quality profile for the languages which use Coverity (in Quality Profiles, select Restore Built-in Profiles, and select the language.)
Once installed, you must configure the Coverity Sonar plug-in for general use.
Log in to SonarQube as an administrator.
Click on Administration.
Choose Configuration > General Settings.
Choose Coverity.
Enter the appropriate information in each of the fields for your Coverity Connect instance. Ensure that the Enable Coverity option is set to “True” to allow the import of Coverity data.
Click Save Coverity Settings to complete the basic configuration.
After configuring the general plug-in settings, you must select the correct Coverity Connect project to associate with each of your Sonar projects.
Log in to SonarQube as an administrator.
Ensure that you have uploaded your project at least once (with SonarQube Scanner), and select the project in SonarQube.
Click on Quality Profiles.
Change the Quality Profile option for your project to Coverity (<language>), and click Update.
Choose Configuration > General Settings.
Choose Coverity.
Ensure that the Enable Coverity option is set to “True” to allow the import of Coverity data.
Enter the name of the Coverity Connect project that corresponds to the current Sonar project.
Click **Save Coverity Settings. **
Once completed, SonarQube will pull the current Coverity Analysis data whenever you run SonarQube Scanner on the specified project. This configuration must be completed for each project you wish to link with Coverity Connect.
For the plug-in to successfully display Coverity defects, the correct source paths must be entered in the sonar-project.properties file at the root of the project you are scanning. The sonar.sources variable must contain the absolute path names of the source files. For example, on a Linux system, the variable’s setting might look like this:
sonar.sources=/home/gwen/source/ces-tools/src/main/java
On windows it might look like this:
sonar.sources=C:\\Users\\gwen\\source\\ces-tools\\src\\main\\java
See below for a complete example sonar-project.properties file.
# Required metadata
sonar.projectKey=My-Project-Key
sonar.projectName=My-Project-Name
sonar.login=admin
sonar.password=admin
sonar.host.url=http://localhost:9000
sonar.projectVersion=1.5.0
# Comma-separated paths to directories with sources (required)
sonar.sources=.
# The profile used by sonar can be specified either on the UI or by:
# sonar.profile=Coverity(cov-cpp)
# Encoding of the source files
sonar.sourceEncoding=UTF-8
sonar.coverity.connect.hostname=localhost
sonar.coverity.connect.port=8080
sonar.coverity.connect.username=user
sonar.coverity.connect.password=password
sonar.projectVersion=1.5.0
sonar.coverity.project=MyProject
sonar.coverity.enable=true
# sonar.coverity.prefix=MyOptionalPrefix
Note: When using the Coverity plug-in, use the language key "cov-cpp" instead of "c", "c++", or "cpp". This language key prevents conflicts with non_Coverity plug-ins.
To specify the language key: - Add "sonar.language=cov-cpp" (or another preferred language) to the properties file. - in Administration > Coverity > Languages, configure "C/C++ source files suffixes" appropriately. - Configure the source file suffixes for the other language plug-ins to avoid conflicts.
Note: The "sonar.coverity.prefix" property is used to help locate files when anlyzing with the sonar scanner. The prefix value will be removed from the "File path" value on the Coverity Connect issue. - the value must match exactly, if having trouble finding the source files look at the Coverity Connect issues "File" column - when running analysis on windows Coverity Connect returns values with linux path separators - by using --strip-path during analysis this property can be avoided
The Coverity plug-in includes a Coverity widget that displays Coverity-specific measures. The Coverity widget is available with SonarQube versions before version 6.2.
The Coverity logo and the Coverity Project are both clickable links that take you to the Coverity Connect instance. There, you can view the Coverity project that contributes data to your Sonar project.
The Outstanding Issues count is the number of outstanding Coverity issues found in the most recent scan.
The other three counts are the numbers of issues at each of Coverity’s three impact levels.
The Coverity widget is no longer supported as of SonarQube v6.2. The metrics that were displayed by the widget are shown in SonarQube under Measures.
The Coverity widget can be added to the Dashboard by two different routes: as Admin, go to Dashboards > Manage dashboards, or in a Project, go to Dashboard and add it there.
The Coverity Sonar plug-in has the following limitations, which may be addressed in future releases.
Cannot modify data in Coverity Connect (such as triage). Data from Coverity Connect is read-only in Sonar.
A Sonar instance can only work against a single Coverity Connect instance.
Does not distinguish between Quality, Test Advisor, and Security issues.
Interacts with Coverity Connect only through web services, meaning the plug-in will not interact with build or analysis, and source code is separately maintained between Coverity Connect and Sonar.
No parsing of source code – the plug-in is language agnostic.
No creation of related Coverity Connect projects in Sonar.
The file paths must match exactly in Sonar and Coverity Connect; otherwise issue data will not be imported. However, because Coverity Analysis may not be performed on the same directory as Sonar Analysis, you may remove the beginning of the filename to make it relative to Sonar’s project root.
To do so, navigate to the “Configuration -> General Settings -> Coverity” menu, and specify the prefix to be removed in the “Coverity Files Prefix” field.
If you have any questions or issues with the Coverity plugin, contact coverity-support@synopsys.com
The Coverity SonarQube plugin handles the multiple occurrences of Coverity defects where each occurrence has different file path. (BZ 108516)
1.6.1
Added logging to console on the progress of retrieving Coverity defects from Coverity Connect. (BZ 107598)
1.6.0
The Coverity SonarQube plugin will try to match the any "Parse Warnings" defects from Coverity Connect with the rules the plugin provides upfront to the SonarQube server. If none of the rules match, then it will create a general "Parse Warnings" rule so that there are corresponding SonarQube issues. (BZ 83997)
1.5.0
$ claude mcp add coverity-sonar-plugin \
-- python -m otcore.mcp_server <graph>