38 releases (6 stable)
| Version | Released |
|---|---|
| 1.3.1 | Jul 8, 2025 |
| 1.3.0 | Jan 7, 2025 |
| 1.2.0 | Nov 6, 2023 |
| 0.21.0 | Sep 13, 2023 |
| 0.9.0 | Nov 29, 2021 |
cargo-sonar and cargo-codeclimate
cargo-sonar helps you use the tools of the Rust community and report the
information to Sonarcloud (or Sonarqube).
[!note] Since April 2025, SonarQube supports Rust out-of-the-box (see the announcement). This is great news because it means a good and homogeneous integration of some
clippy lints into the Sonar ecosystem. However, it is not yet a full replacement for cargo-sonar because cargo-sonar supports more than just clippy.
cargo-codeclimate helps you in the same way by providing a CodeClimate output
format. Note that Gitlab also understands the CodeClimate format.
You can even set it up in Continuous Integration so this report is automatically forwarded to Sonar, CodeClimate or Gitlab.
Note that this project was first created for cargo-sonar. Therefore, most
things are documented around cargo-sonar, but cargo-codeclimate has the
exact same CLI API (only the output format is different). Note also that cargo-codeclimate is still part of the cargo-sonar crate and docker images. So if you
installed cargo-sonar, you also installed cargo-codeclimate.
Installation
From binary
If you use cargo-binstall,
you can install cargo-sonar with the following.
cargo binstall cargo-sonar
cargo sonar --help
You can also download the binary directly from the release page.
From Docker/Podman
The OCI images are hosted on the Gitlab container registry of the project.
export CONTAINER_ENGINE=docker # or CONTAINER_ENGINE=podman
${CONTAINER_ENGINE} pull registry.gitlab.com/woshilapin/cargo-sonar
${CONTAINER_ENGINE} run registry.gitlab.com/woshilapin/cargo-sonar --help
If you prefer DockerHub, you can also pull them from DockerHub.
export CONTAINER_ENGINE=docker # or CONTAINER_ENGINE=podman
${CONTAINER_ENGINE} pull docker.io/woshilapin/cargo-sonar
${CONTAINER_ENGINE} run docker.io/woshilapin/cargo-sonar --help
By default, the working directory in the container is /tmp.
Note that if you want to use cargo-codeclimate, you will need to change the
entrypoint with --entrypoint /cargo-codeclimate.
From crates.io
cargo install cargo-sonar
cargo sonar --help
From source
git clone https://gitlab.com/woshilapin/cargo-sonar.git
cd cargo-sonar/
cargo install --path .
cargo sonar --help
Use
cargo-sonar is only a tool to convert reports from other tools into a
Sonar-compatible report (see Supported tools). Once the Sonar
report is generated, it can be sent to sonarcloud.io
or any SonarQube instance with
sonar-scanner.
First generate a report from any supported tool, for example
clippy.
cargo clippy --message-format=json > my-clippy-report.json
Then convert this report.
cargo sonar --clippy --clippy-path my-clippy-report.json
This creates a file sonar-issues.json. You can now configure sonar-scanner
with sonar.externalIssuesReportPaths=sonar-issues.json in your sonar-project.properties file.
Supported tools
cargo-clippy
cargo clippy --message-format=json > clippy.json
[!caution]
clippy may report duplicate errors. Usually, cargo clippy will remove the duplicates automatically... except when using --message-format=json. You can use cargo deduplicate-warnings to trim the JSON output.
cargo clippy --message-format json | cargo deduplicate-warnings > my-clippy-report.json
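
A check for the duplication described in the caution above, as an added example that is not part of cargo-sonar or cargo-deduplicate-warnings: it groups the `compiler-message` records of a clippy JSON report by lint code, level, message and primary span, ignoring the target, and returns the ones seen more than once. The sample report is constructed and the function names are hypothetical.

```python
import json
from collections import Counter

def diagnostic_key(line):
    """Return an identity tuple for one clippy diagnostic line, or None."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None  # blank line or stray text mixed into the report
    if not isinstance(record, dict) or record.get("reason") != "compiler-message":
        return None  # compiler-artifact, build-finished, ...
    msg = record.get("message") or {}
    code = (msg.get("code") or {}).get("code")  # "code" may be null
    primary = next((s for s in msg.get("spans", []) if s.get("is_primary")), {})
    return (code, msg.get("level"), msg.get("message"),
            primary.get("file_name"), primary.get("line_start"),
            primary.get("column_start"))

def find_duplicates(report_text):
    """Map each diagnostic key seen more than once to its occurrence count."""
    keys = (diagnostic_key(line) for line in report_text.splitlines())
    return {k: n for k, n in Counter(k for k in keys if k).items() if n > 1}

def _sample_line(target_kind, line_start=3):
    return json.dumps({
        "reason": "compiler-message",
        "target": {"kind": [target_kind], "name": "demo"},
        "message": {
            "code": {"code": "clippy::needless_return"},
            "level": "warning",
            "message": "unneeded `return` statement",
            "spans": [{"file_name": "src/lib.rs", "is_primary": True,
                       "line_start": line_start, "column_start": 5}],
        },
    })

# Constructed sample: the same lint is reported for two targets of one crate.
SAMPLE_REPORT = "\n".join([
    json.dumps({"reason": "compiler-artifact", "target": {"name": "demo"}}),
    _sample_line("lib"),
    _sample_line("test"),               # duplicate of the line above
    _sample_line("lib", line_start=9),  # same lint, different location
    json.dumps({"reason": "build-finished", "success": True}),
])

if __name__ == "__main__":
    for key, n in find_duplicates(SAMPLE_REPORT).items():
        print(f"{n}x {key[0]} at {key[3]}:{key[4]}")
```

An empty result on a real report means the conversion will not inflate issue counts in Sonar with repeated findings.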
cargo-audit
cargo audit --json > audit.json
cargo-deny
cargo deny --format json check 2> deny.json
Note that only advisories and licenses are supported at the moment.
cargo-outdated
cargo outdated --workspace --depth 1 --format json > outdated.json
--depth 1 is useful here since the conversion will not work on any dependency
of greater depth.
cargo-udeps
cargo +nightly udeps --quiet --workspace --all-features --all-targets --output json > udeps.json
Examples
The best example out there at the moment is the project cargo-sonar itself. In
the CI, take a look at
.gitlab-ci.yml
and especially the use of cargo sonar in
executed
followed by the use of sonar-scanner configured with
sonar-project.properties configuration file.
The final result can be seen on
sonarcloud.io.
Release
The whole release process is automated: each time you push a commit on the main
branch, the next version is automatically deduced from the
conventional commit standard
since the last tag.
You can find the release in different places and forms:
Sometimes, the CI might get into a problem. If you need to switch to manual
release, here are the steps. Below, 1.2.3 is used as an example, please
replace with the correct version.
Tagging
cog bump --auto
Package on crates.io
git checkout 1.2.3
cargo publish
Docker image
git checkout 1.2.3
buildah bud --layers --tag woshilapin/cargo-sonar:1.2.3
buildah push woshilapin/cargo-sonar:1.2.3
Alternatives
cargo-sarif
SARIF stands for Static
Analysis Results Interchange Format. It's typically a standard format
to express what a tool like clippy would report. Sonar can consume
SARIF.
cargo-sarif is a similar tool to
cargo-sonar, which takes the output of cargo clippy to generate SARIF
format. For the moment, cargo-sonar doesn't rely on a standard format
of exchange, but directly talks to Sonar or CodeClimate. However, both
cargo-sonar and cargo-sarif also consume output from tools other than clippy,
each providing support for different kinds of tools (see above for the ones
supported in cargo-sonar).
Todo list
- add cargo-geiger parsing
- create a Github Action (see Docker Github Action)