Wiki source code of SonarQube
Last modified by Boris Folgmann on 2025/02/25 14:44
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{toc/}} | ||
| 2 | |||
| 3 | = Introduction = | ||
| 4 | |||
| 5 | Since the management of projects, users and roles in SonarQube is supported. [[SonarQube>>url:https://www.sonarqube.org/||rel="nofollow" shape="rect" class="external-link"]] is offered as an additional optional tool with full integration into DevOps-as-a-Service. The latest version of SonarQube s offered. | ||
| 6 | |||
| 7 | {{info}} | ||
| 8 | Please note that SonarQube projects are different to projects in the DevOps portal and the existing tools. In Bitbucket a project can have multiple git repositories which all have their own build pipelines in Jenkins. In contrast SonarQube projects contain the scan results of just //one// git repository. | ||
| 9 | {{/info}} | ||
| 10 | |||
| 11 | To use SonarQube to perform source code quality and security analyses controlled by Jenkins, two components are required: | ||
| 12 | |||
| 13 | 1. SonarQube server to perform analysis, evaluation, data storage, generate reports, define quality gates etc. To order it create a Service Request at the [[Servicedesk DevOps-as-a-Service>>https://prd.sdc.t-systems.net/jira/||shape="rect"]]. To activate SonarQube it's required to save every project in the DevOps portal first. After this step SonarQube can be added to individual users just by editing them. | ||
| 14 | 1. Sonar Scanner in Jenkins to perform the actual scanning of source code. The scanner transfers the intermediate results to the SonarQube server for analysis and evaluation. Since v2.6 the [[doc:Jenkins.Jenkins Shared Library.WebHome]] offers the automated creation of new projects on SonarQube, running the analysis on Jenkins and uploading the intermediate result for further processing to the SonarQube server. | ||
| 15 | |||
| 16 | = Integration into Delivery Pipelines = | ||
| 17 | |||
| 18 | == Using [[doc:Jenkins.Jenkins Shared Library.WebHome]] == | ||
| 19 | |||
| 20 | Since v3.0.0 of the [[Jenkins Shared Library>>Jenkins.Jenkins Shared Library.WebHome]], not only scanning maven projects, but also scanning all other types of projects is supported. Just use a Jenkinsfile as usual like e.g.: | ||
| 21 | |||
| 22 | {{code language="none" title="**Standard invocation** | ||
| 23 | "}} | ||
| 24 | @Library('sdcloud') _ | ||
| 25 | |||
| 26 | sdcPipeline() | ||
| 27 | {{/code}} | ||
| 28 | |||
| 29 | The library will automatically detect if SonarQube was configured on the Jenkins controller or not. If SonarQube is available and the branch you are building is the default branch (usually master) the first analysis stage will be Sonar Scan. Additionally, at the end, the pipeline will wait for Sonar Results. If the build does not pass the Quality Gate, the build will be marked as unstable. | ||
| 30 | |||
| 31 | [[image:attach:image2022-12-6_18-17-14.png||height="227" width="1100"]] | ||
| 32 | |||
| 33 | It's possible to explicitly disable SonarQube for all branches by using a Jenkinsfile like: | ||
| 34 | |||
| 35 | {{code language="none" title="**Disable SonarQube scanning** | ||
| 36 | "}} | ||
| 37 | @Library('sdcloud') _ | ||
| 38 | |||
| 39 | sdcPipeline(sonarQube: false) | ||
| 40 | {{/code}} | ||
| 41 | |||
| 42 | If this is the case, Sonar Scan is skipped and Sonar Results not called at all. The same happens if no SonarQube was configured in the Jenkins controller. | ||
| 43 | |||
| 44 | [[image:attach:image2022-12-6_18-12-36.png||queryparams="effects=drop-shadow" height="260" width="1100"]] | ||
| 45 | |||
| 46 | The sonarQube switch of sdcPipeline is true by default for the default branch. If you want to scan another branch, e.g. 'main' then a Jenkinsfile like the following one will do the job. | ||
| 47 | |||
| 48 | {{code language="none" title="**Define an alternative default branch**"}} | ||
| 49 | @Library('sdcloud') _ | ||
| 50 | |||
| 51 | sdcPipeline(defaultBranch: 'main') | ||
| 52 | {{/code}} | ||
| 53 | |||
| 54 | Please note that SonarQube in the Community Edition supports only one branch per project. And this branch will always be called 'master' in the SonarQube UI even if the real name is a different one. | ||
| 55 | |||
| 56 | [[image:attach:image2022-12-6_18-27-41.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="36" width="92"]] | ||
| 57 | |||
| 58 | (% class="wikigeneratedid" %) | ||
| 59 | If you have the SonarQube Developer or Enterprise Edition, you can enable scanning all branches like this: | ||
| 60 | |||
| 61 | {{code language="none" title="**Scan all branches**"}} | ||
| 62 | @Library('sdcloud') _ | ||
| 63 | |||
| 64 | sdcPipeline(sonarQube: true) | ||
| 65 | {{/code}} | ||
| 66 | |||
| 67 | == Jenkins Plugin == | ||
| 68 | |||
| 69 | DevOps-as-a-Service includes the SonarQube plugin [[https:~~/~~/plugins.jenkins.io/sonar/>>url:https://plugins.jenkins.io/sonar/||rel="nofollow" shape="rect" class="external-link"]] in its Jenkins controller. Documentation is available at [[https:~~/~~/docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-jenkins/>>url:https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-jenkins/||rel="nofollow" shape="rect" class="external-link"]] | ||
| 70 | |||
| 71 | The SonarQube plugin provides these added values: | ||
| 72 | |||
| 73 | * Injection of globally defined parameters (URL, project name, token, options...) into the build. This is used and handled by the [[doc:Jenkins.Jenkins Shared Library.WebHome]]. | ||
| 74 | * Furthermore, decorations for the build, as shown below in the table. | ||
| 75 | |||
| 76 | (% class="relative-table wrapped" style="width:54.0479%" %) | ||
| 77 | |=((( | ||
| 78 | Screenshot from Jenkins | ||
| 79 | )))|=((( | ||
| 80 | Description | ||
| 81 | ))) | ||
| 82 | |((( | ||
| 83 | (% class="content-wrapper" %) | ||
| 84 | ((( | ||
| 85 | (% class="confluence-embedded-file-wrapper confluence-embedded-manual-size" %)[[image:attach:image2021-9-27_16-59-21.png||queryparams="effects=drop-shadow" thumbnail="true" width="250"]] | ||
| 86 | ))) | ||
| 87 | )))|((( | ||
| 88 | Integration of a SonarQube link at the repo/branch Jenkins page | ||
| 89 | ))) | ||
| 90 | |((( | ||
| 91 | (% class="content-wrapper" %) | ||
| 92 | ((( | ||
| 93 | (% class="confluence-embedded-file-wrapper confluence-embedded-manual-size" %)[[image:attach:image2021-9-27_12-33-33.png||queryparams="effects=drop-shadow" width="400"]] | ||
| 94 | ))) | ||
| 95 | )))|((( | ||
| 96 | Integration of a SonarQube link next to the build in the build list. The link forwards to the corresponding project/event in SonarQube server. | ||
| 97 | ))) | ||
| 98 | |((( | ||
| 99 | (% class="content-wrapper" %) | ||
| 100 | ((( | ||
| 101 | (% class="confluence-embedded-file-wrapper confluence-embedded-manual-size" %)[[image:attach:image2021-9-27_12-38-17.png||queryparams="effects=drop-shadow" width="350"]] | ||
| 102 | ))) | ||
| 103 | )))|((( | ||
| 104 | Jenkins can wait for analysis at SonarQube server and display the result of a quality gate in the pipeline view. The sonar result will be added to the repo/branch page below the Stage View. No further results or details will be available in the Jenkins UI. The SonarQube UI must be used to check results and define the quality gates. | ||
| 105 | ))) | ||
| 106 | |||
| 107 | = Using SonarQube = | ||
| 108 | |||
| 109 | == Browsing Projects == | ||
| 110 | |||
| 111 | The portal offers a link to SonarQube for each project on the Homepage in the Source Code Quality tile | ||
| 112 | |||
| 113 | [[image:1732883272804-687.png]] | ||
| 114 | |||
| 115 | and on the Projects page in the Tools column | ||
| 116 | |||
| 117 | [[image:attach:image2022-12-7_17-15-52.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="128"]] | ||
| 118 | |||
| 119 | Click on SonarQube. If you have no existing session on your SonarQube instance, you will see the login page. Click the "Log in with keycloak" button to use the single-sign-on provided by the DevOps portal. That means if you're currently logged in to the portal, you will not need to specify your credentials again. | ||
| 120 | |||
| 121 | [[image:attach:image2022-12-7_17-16-52.png||queryparams="effects=drop-shadow" height="131" width="222"]] | ||
| 122 | |||
| 123 | Now you are logged in to SonarQube. The search box was prefilled with the project name prefix. In the example it's DEVOPSAAS/. Therefore, you will see all SonarQube projects with results that originate from scans of git repositories. | ||
| 124 | |||
| 125 | [[image:attach:image2022-12-7_17-23-45.png||queryparams="effects=drop-shadow" height="400"]] | ||
| 126 | |||
| 127 | Instead of using the SonarQube links in the DevOps Portal you can also clear the search box and see all SonarQube projects in which you have at least a VIEWER role. | ||
| 128 | |||
| 129 | == Project Roles == | ||
| 130 | |||
| 131 | When a project is opened, different pages are available to work with it. | ||
| 132 | |||
| 133 | [[image:attach:image2022-12-7_18-7-16.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="83" width="542"]] | ||
| 134 | |||
| 135 | It depends on you role in the project which permissions you have. | ||
| 136 | |||
| 137 | (% class="table-bordered" %) | ||
| 138 | (% class="active" %)|=(% colspan="1" %)((( | ||
| 139 | Project Role | ||
| 140 | )))|=((( | ||
| 141 | Browse | ||
| 142 | )))|=(% colspan="1" %)((( | ||
| 143 | See Source Code | ||
| 144 | )))|=(% colspan="1" %)((( | ||
| 145 | Administer Issues | ||
| 146 | )))|=(% colspan="1" %)((( | ||
| 147 | Administer Security Hotspots | ||
| 148 | )))|=(% colspan="1" %)((( | ||
| 149 | Administer | ||
| 150 | )))|=(% colspan="1" %)((( | ||
| 151 | Execute Analysis | ||
| 152 | ))) | ||
| 153 | |(% colspan="1" %)Admin|(%%)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]] | ||
| 154 | |(% colspan="1" %)Master|(%%)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]] | ||
| 155 | |(% colspan="1" %)Developer|(%%)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]] | ||
| 156 | |(% colspan="1" %)Viewer|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/check.svg||alt="(tick)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]]|(% colspan="1" %)(% contenteditable="false" tabindex="-1" %)[[image:https://prd.sdc.t-systems.net/confluence/s/hxukxw/8804/pkry9k/_/images/icons/emoticons/error.svg||alt="(error)"]] | ||
| 157 | |||
| 158 | Please note that "Execute Analysis" is usually performed in Jenkins. For more information, see above. | ||
| 159 | |||
| 160 | Due to security considerations, no user is allowed to directly administer a project in SonarQube. For more information, see below. | ||
| 161 | |||
| 162 | == Managing Quality Profiles and Gates == | ||
| 163 | |||
| 164 | There are two sections in SonarQube which are accessibly read-only for all logged-in users: | ||
| 165 | |||
| 166 | 1. Quality Profiles for each programming language. | ||
| 167 | [[image:attach:image2022-12-7_17-31-20.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="122" width="609"]] | ||
| 168 | 1. Quality gates, which decide if a build is ok or failed. | ||
| 169 | [[image:attach:image2022-12-7_17-32-8.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="410" width="893"]] | ||
| 170 | |||
| 171 | If the default settings do not fit for your instance, create a Service Request at the [[Servicedesk DevOps-as-a-Service>>https://prd.sdc.t-systems.net/jira||shape="rect"]] providing a list of users that should be part of the {{code language="none"}}sonar-quality-admins{{/code}} group. | ||
| 172 | |||
| 173 | The members of this group have read-write access to Quality Profiles and Quality Gates. It should be clear that you will need an internal governance so that {{code language="none"}}sonar-quality-admins{{/code}} coordinate their work and communicate with the project admins. | ||
| 174 | |||
| 175 | To find out which Quality Profiles and Gate are used by a project, open the project and click on Project Information on the right-hand side. | ||
| 176 | |||
| 177 | [[image:attach:image2022-12-7_17-39-50.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="362" width="203"]] | ||
| 178 | |||
| 179 | Members of {{code language="none"}}sonar-quality-admins{{/code}} can associate projects with other alternative quality gates that they have created themselves. The screenshot shows an alternative non-default quality gate. As you can see, the search box at the bottom can be used to find specific projects. Then simply use the checkmark to associate the project with the quality gate. | ||
| 180 | |||
| 181 | [[image:attach:image2022-12-13_15-21-21.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="431" width="460"]] | ||
| 182 | |||
| 183 | == Plugins == | ||
| 184 | |||
| 185 | By default, your SonarQube instance will have these plugins installed: | ||
| 186 | |||
| 187 | * Checkstyle | ||
| 188 | * Dependency-Check | ||
| 189 | * Findbugs (in fact, it's for SpotBugs) | ||
| 190 | * Groovy | ||
| 191 | * PMD | ||
| 192 | * SoftVis3D Sonar plugin | ||
| 193 | |||
| 194 | = Commercial licences = | ||
| 195 | |||
| 196 | To scan more than one branch per project and to get scan results shown in Pull-Requests in Bitbucket, the Developer Edition of SonarQube is required. The Enterprise Edition offers even more features, like e.g. additional programming languages or parallel processing of analysis reports. For more details, see [[https:~~/~~/www.sonarsource.com/plans-and-pricing/>>url:https://www.sonarsource.com/plans-and-pricing/||shape="rect"]] | ||
| 197 | |||
| 198 | Customers inside Deutsche Telekom can order commercial licenses at the [[Servicedesk DevOps-as-a-Service>>https://prd.sdc.t-systems.net/jira/||shape="rect"]]. External customers can bring their own self-managed SonarQube license. | ||
| 199 | |||
| 200 |