Openzeppelin with SonarQube check code

Hi everyone,

So, I was trying to use SonarQube as a code-checking tool for my project. My project is a simple website that includes FE, BE (for a particular purpose) and blockchain parts. SonarQube was doing fine with the FE and BE parts, and at first it was okay with the blockchain code, too.

But now I have changed my contract's structure a little bit, and SonarQube has stopped reviewing my code! (The FE and BE parts are still fine!)

The change to the contract's code is this: rather than directly using OpenZeppelin from node_modules, where the main contract file would import OpenZeppelin like this: "import "@openzeppelin/contracts/token/ERC721/ERC721.sol";", I decided to copy all the needed files from @openzeppelin (in node_modules) directly into my contracts folder, and now I import OpenZeppelin like this: import "./token/ERC1155/extensions/ERC1155Burnable.sol";

My contract project's structure is in the picture below; the red part is my 2 main .sol files:
[screenshot of the contracts folder]

A reason for doing this restructuring is that I think OpenZeppelin's code changes very fast, while my project needs to be maintained for at least 2-4 years. And if I don't save the OpenZeppelin version I used when I coded this contract, it would be a mess for the people who take over from me and maintain this project in the future.

The problem here is that, after I changed the structure, SonarQube stopped reviewing my code. It keeps warning something like this:
[screenshot of the SonarQube warning]
I have no idea about this. Has anyone faced this problem before? Can you propose a technique, a keyword or anything that would help me solve this problem?

Actually, I can still build and run the contract pretty normally. The only problem is that SonarQube is not working! I still wonder why this happened.

Thanks for your help!

Code to reproduce

I noticed one thing: the warning might be because of OpenZeppelin's .sol files (instead of my files).

Environment

  • OpenZeppelin: v4.x
  • Solidity: v0.8.x
  • Hardhat: ^2.3.0
  • Others: hardhat-contract-sizer (^2.0.3), not sure if this is the problem?

It's complaining about the abstract keyword. This is really a SonarQube issue, since it doesn't seem to properly support this Solidity syntax. You should raise this issue with them.

There is no need to vendor OpenZeppelin into your contracts directory, though. If you want, you can pin @openzeppelin/contracts to a particular version in your package.json, and it's not going to become a mess like you mentioned. I would not recommend pinning, though, because if we release a security patch you would not get it.

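As an added example (not code from the original post, from OpenZeppelin or from SonarQube), the following Python script does the checks a maintainer would want in place of vendoring, which is what the reply recommends: it reads the version spec for @openzeppelin/contracts out of package.json, compares it with the copy actually installed under node_modules, and flags any contract that still uses relative imports pointing at a copied OpenZeppelin tree (the "./token/..." style from the question). All inputs are constructed sample data embedded inline so it runs offline; the file layout it assumes (package.json, node_modules/@openzeppelin/contracts/package.json) is the standard npm one, and the function names and the sample version numbers are my own.

```python
"""Dependency-pin audit for an OpenZeppelin-based Hardhat project.

Added example, not OpenZeppelin or SonarQube code. Inputs are constructed
sample strings; in a real project read them from disk.
"""
import json
import re
from typing import Dict, List, Optional

DEP = "@openzeppelin/contracts"

# An exact semver such as 4.4.2 (no range operator in front).
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")
# Solidity import statements, plain or `import {X} from "..."`; captures the path.
IMPORT_RE = re.compile(r'^\s*import\s+(?:\{[^}]*\}\s+from\s+)?"([^"]+)"\s*;', re.M)
# Top-level directories of the OpenZeppelin contracts package (4.x). A relative
# import whose first path segment is one of these is a strong sign of a vendored copy.
OZ_DIRS = {"access", "token", "utils", "security", "governance", "proxy",
           "finance", "metatx", "interfaces", "vendor"}


def pin_kind(spec: str) -> str:
    """Classify an npm version spec as written in package.json."""
    spec = spec.strip()
    if EXACT_RE.match(spec):
        return "exact"          # one version only, no patches picked up
    if spec.startswith("^"):
        return "caret"          # minor and patch updates within the major
    if spec.startswith("~"):
        return "tilde"          # patch updates only
    return "other"              # *, >=, tags, git URLs, ...


def declared_spec(package_json: str, dep: str = DEP) -> Optional[str]:
    """Version spec declared for `dep` in dependencies or devDependencies."""
    data = json.loads(package_json)
    for section in ("dependencies", "devDependencies"):
        if dep in data.get(section, {}):
            return data[section][dep]
    return None


def installed_version(installed_package_json: str) -> str:
    """Version field of node_modules/<dep>/package.json."""
    return json.loads(installed_package_json)["version"]


def spec_allows(spec: str, version: str) -> bool:
    """Minimal semver check covering exact, caret and tilde specs."""
    kind = pin_kind(spec)
    want = [int(x) for x in spec.strip().lstrip("^~").split(".")]
    have = [int(x) for x in version.split(".")]
    if kind == "exact":
        return have == want
    if kind == "caret":
        if want[0] == 0:        # ^0.x.y only allows patch changes
            return have[:2] == want[:2] and have >= want
        return have[0] == want[0] and have >= want
    if kind == "tilde":
        return have[:2] == want[:2] and have >= want
    return True                 # other forms are not judged here


def vendored_imports(sol_source: str) -> List[str]:
    """Relative imports that look like a copied OpenZeppelin directory tree."""
    found = []
    for path in IMPORT_RE.findall(sol_source):
        if path.startswith("./") or path.startswith("../"):
            first = path.lstrip("./").split("/")[0]
            if first in OZ_DIRS:
                found.append(path)
    return found


def audit(package_json: str, installed_package_json: str,
          sol_sources: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    spec = declared_spec(package_json)
    if spec is None:
        findings.append(f"{DEP} is not declared in package.json")
    else:
        installed = installed_version(installed_package_json)
        if not spec_allows(spec, installed):
            findings.append(f"installed {installed} does not satisfy declared {spec}")
        kind = pin_kind(spec)
        if kind == "exact":
            findings.append(f"{DEP} pinned exactly to {spec}: patch releases "
                            "will not be picked up by npm install")
        elif kind == "other":
            findings.append(f"unusual spec {spec!r} for {DEP}: builds are not reproducible")
    for name, src in sol_sources.items():
        for path in vendored_imports(src):
            findings.append(f"{name}: relative import {path} looks like a vendored "
                            f"OpenZeppelin file; import from {DEP} instead")
    return findings


# Constructed sample inputs (not from any real project).
SAMPLE_PACKAGE_JSON = '{"name": "demo-dapp", "dependencies": {"@openzeppelin/contracts": "^4.4.0"}, "devDependencies": {"hardhat": "^2.3.0"}}'
SAMPLE_INSTALLED = '{"name": "@openzeppelin/contracts", "version": "4.4.2"}'
SAMPLE_VENDORED = '''// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "./token/ERC1155/extensions/ERC1155Burnable.sol";
import "./access/Ownable.sol";
abstract contract VendoredItem is ERC1155Burnable, Ownable {}
'''
SAMPLE_CLEAN = '''// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
contract CleanItem is ERC721 {
    constructor() ERC721("Demo", "DMO") {}
}
'''

if __name__ == "__main__":
    sources = {"Vendored.sol": SAMPLE_VENDORED, "Clean.sol": SAMPLE_CLEAN}
    for line in audit(SAMPLE_PACKAGE_JSON, SAMPLE_INSTALLED, sources):
        print("-", line)
```

Run as a script it reports only the two relative imports in the vendored sample; the caret range in the sample package.json is accepted. An exact pin is reported as a finding rather than an error because, as the reply points out, it also blocks patch releases: a caret range such as ^4.4.0 together with a committed lockfile gives reproducible installs while still letting npm update pick up patches within the same major version.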