Solutions Delivery Platform

SonarQube

SonarQube is a tool for static code analysis: it inspects source code as written, without executing it, and checks it against a configurable rule set. It reports best-practice violations, bugs, code smells and potential security vulnerabilities, and it does so before the code is built or deployed.

Organizations define Quality Profiles, the rule sets that projects are analyzed against, and Quality Gates, the pass/fail conditions (for example, no new blocker or critical issues and a minimum coverage on new code) that encode the organization's code quality policy. SDP fails the build by default when the Quality Gate fails, so findings block the pipeline rather than merely being reported.

Steps Contributed

Table 1. Steps

static_code_analysis()
    Leverages the sonar-scanner cli to perform static code analysis and sends the results to the configured SonarQube server.

Library Configuration Options

Table 2. SonarQube Library Configuration Options

installation_name (default: "SonarQube")
    The name of the SonarQube installation configured in Manage Jenkins > Configure System.

credential_id (default: see below)
    The Jenkins credential ID to use when authenticating to SonarQube. Can be either a valid username/password credential or an API Token stored as a Secret Text credential.
    If unset, the library checks whether the installation named by installation_name has a Server authentication token configured in the plugin configuration and uses that; otherwise a credential ID of "sonarqube" is assumed.

wait_for_quality_gate (default: true)
    Whether to wait for SonarQube to call back to Jenkins with the Quality Gate result. This relies on a webhook configured in SonarQube (Administration > Configuration > Webhooks) pointing at the Jenkins sonarqube-webhook endpoint; without one, the step waits until timeout_duration elapses.

enforce_quality_gate (default: true)
    Whether the build fails when the code does not pass the Quality Gate. The gate result is only known when wait_for_quality_gate is true.

stage_display_name (default: "SonarQube Analysis")
    Purely aesthetic. The name of the stage block during analysis, for pipeline visualization in the Jenkins console.

timeout_duration (default: 1)
    How long to wait for the Quality Gate response before timing out, in units of timeout_unit.

timeout_unit (default: "HOURS")
    One of [ "NANOSECONDS", "MICROSECONDS", "MILLISECONDS", "SECONDS", "MINUTES", "HOURS", "DAYS" ]

cli_parameters (default: [ ])
    A list of additional analysis parameters to pass to the sonar-scanner cli, for example "-Dsonar.projectKey=...". Do not pass the authentication token this way (-Dsonar.login=...): command-line arguments are echoed in the build console log. Use credential_id instead.

unstash (default: [ ])
    A list of pre-existing stashes to unstash before analysis. Useful if a previous step creates compiled classes or test results for SonarQube to inspect.

Analysis Parameters

In SonarQube, project analysis settings can be provided to the SonarScanner cli in multiple ways.

The SonarScanner will look for the presence of a sonar-project.properties file in the current working directory.

Alternatively, users can use this library’s cli_parameters configuration to pass an array of cli analysis parameters to SonarScanner.

For example,

libraries{
    sonarqube{
        cli_parameters = [
            "-Dsonar.projectKey=myCoolProject",
            "-Dsonar.projectName='My Cool Project'"
        ]
    }
}

Environment Variables

It’s possible to use pipeline environment variables to populate the analysis parameters. This is especially useful when used with one of the source code management libraries to reference the branch name.

Configuration File

sonar-project.properties
sonar.projectName=My Cool Project: ${env.BRANCH_NAME}

CLI Parameters

pipeline_config.groovy
libraries{
    sonarqube{
        cli_parameters = [
            "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\""
        ]
    }
}
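The following pipeline_config.groovy is an added example, not taken from the SDP documentation or source, that pulls the library options from Table 2 together with a realistic set of analysis parameters and the shell-expanded branch name shown above. The credential ID, stash names, project key and directory layout are assumptions for illustration; the library fields are those listed in Table 2 and the analysis properties are standard sonar.* settings.

```groovy
// pipeline_config.groovy (added example; credential ID, stash names,
// project key and paths are assumed for illustration)
libraries{
    sonarqube{
        // Jenkins-side wiring: the installation from Manage Jenkins > Configure
        // System and a Secret Text credential holding a SonarQube API token.
        // Keeping the token in the credential store, rather than passing it as
        // -Dsonar.login=... in cli_parameters, keeps it out of the console log.
        installation_name = "SonarQube"
        credential_id = "sonarqube-api-token"

        // Policy: wait for the webhook-delivered Quality Gate result and fail the
        // build if the gate is not passed. A shorter timeout than the default of
        // one hour makes a missing webhook surface as a fast failure instead of
        // a stalled pipeline.
        wait_for_quality_gate = true
        enforce_quality_gate = true
        timeout_duration = 15
        timeout_unit = "MINUTES"

        stage_display_name = "SonarQube Analysis"

        // Stashes created by earlier steps (assumed names) so the scanner sees
        // compiled classes and coverage reports, not only sources.
        unstash = [ "compiled-classes", "coverage-reports" ]

        // Analysis parameters passed straight to sonar-scanner. $BRANCH_NAME is
        // escaped so the shell, not Groovy, expands it when the scan runs.
        cli_parameters = [
            "-Dsonar.projectKey=my-org_my-service",
            "-Dsonar.projectName=\"My Service: \$BRANCH_NAME\"",
            "-Dsonar.sources=src/main",
            "-Dsonar.tests=src/test",
            "-Dsonar.exclusions=**/generated/**,**/*.min.js",
            "-Dsonar.java.binaries=target/classes",
            "-Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml"
        ]
    }
}
```

The sonar.* entries could equally live in a sonar-project.properties file at the repository root; keeping them in cli_parameters is convenient when the values depend on pipeline environment variables.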

External Dependencies

  • A SonarQube server should be deployed

  • The SonarQube Scanner plugin should be installed

  • The SonarQube Installation must be configured in Manage Jenkins > Configure System > SonarQube servers

    • The "Enable injection of SonarQube server configuration as build environment variables" checkbox should be checked

Authentication

This library supports both username/password and API Token authentication to SonarQube.

If anonymous access is disabled for the SonarQube server (it should be), generate an API Token in SonarQube, store it as a Secret Text credential in the Jenkins credential store, and reference that credential either as the Server authentication token under Manage Jenkins > Configure System > SonarQube servers or through the library's credential_id option.

Troubleshooting

FAQ