Solutions Delivery Platform

SonarQube

SonarQube is a tool used for static code analysis. Static code analysis is validating code as-written against industry standard practices. It will help you find best practice violations and potential security vulnerabilities.

Organizations can define Quality Profiles which are custom rule profiles that projects must use. Quality Gates are then rules defining the organizational policies for code quality. SDP will, by default, fail the build if the Quality Gate fails.

Steps Contributed

Table 1. Steps
Step	Description
`static_code_analysis()`	Leverages the sonar-scanner cli to perform static code analysis and sends results to the configured SonarQube server

Library Configuration Options

Table 2. SonarQube Library Configuration Options
Field	Description	Default Value
`installation_name`	The name of the SonarQube installation configured in `Manage Jenkins > Configure System`	"SonarQube"
`credential_id`	The Jenkins credential ID to use when authenticating to SonarQube. Can either be a valid username/password or an API Token stored in a Secret Text credential type.	If unset, the library will check if the installation defined via `installation_name` has a server authorization token configured. If a server authorization token has been provided in the plugin configuration, then that will be the default. If unset, then a credential id of "sonarqube" will be assumed.
`wait_for_quality_gate`	Whether or not to wait for SonarQube to send a webhook back to Jenkins notifying with the Quality Gate result	true
`enforce_quality_gate`	Determine whether the build will fail if the code does not pass the quality gate	true
`stage_display_name`	Purely aesthetic. The name of the stage block during analysis for pipeline visualization in the Jenkins console.	"SonarQube Analysis"
`timeout_duration`	The number representing how long to wait for the Quality Gate response before timing out	1
`timeout_unit`	One of [ "NANOSECONDS", "MICROSECONDS", "MILLISECONDS", "SECONDS", "MINUTES", "HOURS", "DAYS" ]	"HOURS"
`cli_parameters`	a list of additional CLI analysis parameters to pass the `sonar-scanner` cli.	[ ]
`unstash`	a list of pre-existing stashes to try to unstash. Useful if a previous step creates compiled classes or test results for SonarQube to inspect.	[ ]

Analysis Parameters

In SonarQube, project analysis settings can be provied to the SonarScanner cli in multiple ways.

The SonarScanner will look for the presence of a sonar-project.properties file in the current working directory.

Alternatively, users can use this library’s cli_parameters configuration to pass an array of cli analysis parameters to SonarScanner.

For example,

libraries{
    sonarqube{
        cli_parameters = [
            "-Dsonar.projectKey=myCoolProject",
            "-Dsonar.projectName='My Cool Project'"
        ]
    }
}

Environment Variables

It’s possible to use pipeline environment variables to populate the analysis parameters. This is especially useful when used with one of the source code management libraries to reference the branch name.

Configuration File

sonar-project.properties

sonar.projectName=My Cool Project: ${env.BRANCH_NAME}

CLI Parameters

pipeline_config.groovy

libraries{
    sonarqube{
        cli_parameters = [
            "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\""
        ]
    }
}

External Dependencies

A SonarQube server should be deployed
The SonarQube Scanner plugin should be installed
The SonarQube Installation must be configured in Manage Jenkins > Configure System > SonarQube servers
- The "Enable injection of SonarQube server configuration as build environment variables" checkbox should be checked

Authentication

This library supports both username/password and API Token authentication to SonarQube.

If anonymous access is disabled for the SonarQube Server (it probably should be), then you will need to create an API Token and store it as a Secret Text credential in the Jenkins Credential Store for reference in Manage Jenkins > Configure System > Sonarqube servers as the Server authentication token.

Troubleshooting

FAQ

Slack

Sysdig Secure