rostilos/sonarqube-magento2-rules

Magento 2 SonarQube plugin

Set of advanced rules for SonarQube, for Magento 2 CMS

A list of the available rules is at the bottom of this README. Implementation plans are described here

Compatibility

The table specifies the SQ server versions on which the plugin was tested. Operation on lower or higher versions is not excluded, but is not guaranteed at the moment. For example, version 1.3.0 was successfully installed on SQ Server v10.7, but was not fully tested there.

| SonarQube Version | Plugin Version |
| --- | --- |
| 24.12 - LATEST | 1.3.0 |
| 24.12 | 1.2.0 |
| 10.6 - 10.7 | 1.0.0 - 1.1.0 |

Installation

Using the Marketplace

  1. Go to the Administration -> Marketplace tab.
  2. In the list of available plugins, click “Install” on the plugin “PHP Custom Rules for Magento 2 CMS”.
  3. Confirm the restart of the SQ server when prompted.
  4. After the SQ server instance has restarted, the plugin is ready to work and you can proceed to customizing the ruleset.

[Screenshot: installing the plugin from the Marketplace]

"Cold" Deploy

To install the plugin manually you can take either a compiled binary from the assets of the corresponding releases, or build from source. To build a plugin from source, execute this command from the project root directory:

mvn clean package

The plugin jar file is generated in the project's target/ directory.

The standard way to install the plugin for regular users is to copy the jar artifact from the target/ directory to the extensions/plugins/ directory of your SonarQube Server installation, then start the server.

The file logs/web.log will then contain a log line similar to:

Deploy plugin PHP Custom Rules for Magento 2 CMS / 0.1-SNAPSHOT

Scanner extensions such as sensors are immediately retrieved and loaded when scanning source code.

Docker-based

# docker-compose.yml: SonarQube with PostgreSQL, with the plugin jar mounted into extensions/plugins.
version: "3.8"
services:
  sonarqube:
    image: sonarqube:10.7-community
    ports:
      - "9000:9000"
      - "9092:9092"
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      # Sample credentials: replace them before exposing the stack beyond localhost.
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_conf:/opt/sonarqube/conf
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins
      # Plugin jar from the release assets or from `mvn clean package`; adjust the file name to the version you use.
      - ./sonarqube-magento2-rules-1.0.0.jar:/opt/sonarqube/extensions/plugins/sonarqube-magento2-rules-1.0.0.jar
    networks:
      sonar_network:
  db:
    image: postgres:12
    ports:
      # Publishing 5432 is only needed for direct database access; SonarQube reaches the DB over sonar_network.
      - "5432:5432"
    command: postgres -c 'max_connections=300'
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: sonar
      POSTGRES_USER: sonar
      # Must match SONAR_JDBC_PASSWORD above; change both together.
      POSTGRES_PASSWORD: sonar
    networks:
      sonar_network:
    restart: unless-stopped
volumes:
  sonarqube_conf:
  sonarqube_data:
  sonarqube_logs:
  sonarqube_extensions:
  sonarqube_bundled-plugins:
  postgresql:
  postgresql_data:
networks:
  sonar_network:

Configuration

Once the plugin is installed, a number of rules become available for use in rulesets. The plugin's rules are listed under the repository key Magento2.

[Screenshot: plugin rules under the Magento2 repository key]

Available rules

CodeSniffer Rules, Ref

Exceptions

  • ✅ TryProcessSystemResources ( Functions that use system resources should be properly wrapped in try-catch blocks )

PHP

  • ✅ ReturnValue ( Explicit return types MUST BE declared on functions. )
  • ✅ LiteralNamespaces ( Avoid Literal Namespace Strings. )
  • ✅ ArrayAutovivification ( PHP 8.1+ has deprecated the automatic conversion of false to array )
  • ✅ FinalImplementation
  • ✅ ShortEchoSyntax
  • ✔️ Goto ( As part of the standard PHP ruleset, php:S907 )
  • ✔️ Var ( As part of the standard PHP ruleset, php:S1765 )

SQL

  • ✅ RawQuery

Performance

  • ✅ ForeachArrayMerge ( implemented as PerformanceArrayOperationsInLoop; extended to other array operations )

Classes

  • ✅ DiscouragedDependencies ( No explicit proxy/interceptor requests in constructors. )

Security

  • ✅ XssTemplate ( All output that could contain user-supplied data must be properly escaped )
  • ✅ LanguageConstruct ( exit & die statements usage covered by php:S1799 )
  • ✅ IncludeFile

Templates

  • ✅ ThisInTemplate ( The use of $this in templates is forbidden. Using $helper is discouraged )
  • ✅ ObjectManager ( Direct use of objectManager is prohibited )
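A constructed .phtml template (added here as an illustration; not code from the plugin or from Magento core) showing, side by side, the constructs the XssTemplate, ThisInTemplate, ObjectManager and LanguageConstruct rules report and the compliant rewrite. It assumes a custom block exposing a hypothetical getCustomerName() method; $block and $escaper are the variables Magento injects into templates.

```php
<?php
/**
 * Constructed example template, not from the plugin or Magento core.
 * First half: lines the rules flag. Second half: the compliant rewrite.
 */
/** @var \Magento\Framework\View\Element\Template $block */
/** @var \Magento\Framework\Escaper $escaper */

// ---- Non-compliant ----
// ThisInTemplate: $this is forbidden in templates; use $block instead.
$title = $this->getData('title');
// ObjectManager: direct use of the object manager is prohibited.
$om = \Magento\Framework\App\ObjectManager::getInstance();
$customer = $om->get(\Magento\Customer\Model\Session::class)->getCustomer();
// LanguageConstruct: exit/die abort rendering and are not allowed in templates.
if (!$customer->getId()) {
    exit;
}
// XssTemplate: data that may originate from user input is echoed unescaped
// into text, attribute and URL contexts.
?>
<h1><?= $title ?></h1>
<a href="<?= $block->getData('link') ?>" title="<?= $customer->getName() ?>">Profile</a>

<?php // ---- Compliant rewrite ---- ?>
<?php // Text context: escapeHtml; attribute context: escapeHtmlAttr; href: escapeUrl. ?>
<h1><?= $escaper->escapeHtml($block->getData('title')) ?></h1>
<?php // getCustomerName() is a hypothetical method on the custom block supplying the data. ?>
<?php if ($block->getCustomerName() !== null): ?>
<a href="<?= $escaper->escapeUrl($block->getData('link')) ?>"
   title="<?= $escaper->escapeHtmlAttr($block->getCustomerName()) ?>">Profile</a>
<?php endif; ?>
```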

Methods

  • ✅ DeprecatedModelMethod

Legacy

  • ✅ InstallUpgrade ( ObsoleteInstallUpgradeScripts, Magento 2 has deprecated install and upgrade scripts )
  • ✅ ObsoleteConnection
  • ✅ AbstractBlock
  • ✅ PhtmlTemplate

NamingConvention

  • ✅ InterfaceName ( Interfaces should have names that end with the 'Interface' suffix )
  • ✅ ReservedWords

CodeAnalysis

  • ✔️ EmptyBlock ( As part of the standard PHP ruleset, php:S1116 )

Namespaces

  • ✅ ImportsFromTestNamespace

Adobe's technical guideline rules, Ref.

  • ✅ FunctionArgumentsShouldNotBeModified ( Function arguments should not be modified ).
  • ✅ StrictTypesDeclaration ( All new PHP files MUST have strict type mode enabled by starting with declare(strict_types=1);. All updated PHP files SHOULD have strict type mode enabled. PHP interfaces MAY have this declaration. )
  • ✅ ConstructorDependency ( Class constructor can have only dependency assignment operations and/or argument validation operations. No other operations are allowed. )
  • ✅ EventsInConstructors ( Events MUST NOT be triggered in constructors. )
  • ✅ StatelessPlugin ( Plugins MUST be stateless. )
  • ✅ NoObjectInstantiationInTemplates ( Templates MUST NOT instantiate objects. All objects MUST be passed from the Block objects. )
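A constructed plugin class (added as an example; not code from this plugin, Magento or Adobe) showing what StrictTypesDeclaration, ConstructorDependency, EventsInConstructors and StatelessPlugin report, followed by the compliant form. The Vendor\Module namespace, the event name and the class names are hypothetical; the intercepted method is Magento\Checkout\Model\Cart::addProduct().

```php
<?php
declare(strict_types=1); // StrictTypesDeclaration: new PHP files MUST start with this.

namespace Vendor\Module\Plugin; // hypothetical vendor/module namespace

use Magento\Checkout\Model\Cart;
use Magento\Framework\Event\ManagerInterface;
use Psr\Log\LoggerInterface;

// Constructed, non-compliant plugin: every commented line is a rule violation.
class CartPluginBad
{
    /** @var array StatelessPlugin: mutable state kept between interceptions. */
    private array $seenProducts = [];

    public function __construct(
        private readonly LoggerInterface $logger,
        private readonly ManagerInterface $eventManager
    ) {
        // EventsInConstructors: events MUST NOT be triggered here.
        $this->eventManager->dispatch('vendor_cart_plugin_init'); // hypothetical event
        // ConstructorDependency: only assignments and argument validation are allowed.
        $this->logger->info('plugin constructed');
    }

    public function afterAddProduct(Cart $subject, Cart $result, $productInfo): Cart
    {
        $this->seenProducts[] = $productInfo; // state accumulates across calls
        return $result;
    }
}

// Compliant form: the constructor only assigns (and validates) dependencies,
// work happens per call, and no state survives between interceptions.
class CartPluginGood
{
    public function __construct(private readonly LoggerInterface $logger)
    {
        if ($logger instanceof \Psr\Log\NullLogger) { // argument validation only
            throw new \InvalidArgumentException('A real logger is required');
        }
    }

    public function afterAddProduct(Cart $subject, Cart $result, $productInfo): Cart
    {
        $this->logger->info('product added to cart');
        return $result;
    }
}
```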

Etc.

  • ❌ UnusedFunctionParametersCheck ( fix false positives on plugin classes )

Additional

The plugin is under active development.

Before the release of a new version, files are analyzed on a “clean” M2 project, as well as on a number of custom real projects (including a set of different modules and themes) to avoid errors and false positives.

If you encounter problems or false positives during the analysis, please let me know; I will be grateful for more information.
