Solutions Delivery Platform

SonarQube

SonarQube is a tool used for static code analysis. Static code analysis is validating code as-written against industry standard practices. It will help you find best practice violations and potential security vulnerabilities.

Organizations can define Quality Profiles which are custom rule profiles that projects must use. Quality Gates are then rules defining the organizational policies for code quality. SDP will, by default, fail the build if the Quality Gate fails.

Steps Contributed

Table 1. Steps
Step Description

static_code_analysis()

Leverages the sonar-scanner cli to perform static code analysis and sends results to the configured SonarQube server

Library Configuration Options

Table 2. SonarQube Library Configuration Options
Field Description Default Value

credential_id

The Jenkins credential ID corresponding to a username/password credential to authenticate to the configured SonarQube server

"sonarqube"

enforce_quality_gate

Determine whether the build will fail if the code does not pass the quality gate

true

Example Configuration Snippet

libraries{
  sonarqube{
    credential_id = sonarqube
  }
}

Sonar Scanner Configurations

Extra configuration options are available by leveraging SonarQube’s sonar-project.properties file. the sonar-project.properties file should be added to root of the source repositoy.

External Dependencies

  • SonarQube must already be deployed. Reference the deployment script for SDP.

  • Jenkins must have a credential to access SonarQube, this is done by default when using the deployment script.

  • The SonarQube URL must be configured in Manage Jenkins > Configure System

Troubleshooting

FAQ