SonarQube
SonarQube is a tool for static code analysis. Static code analysis validates code as written against industry standard practices. It helps you find best-practice violations and potential security vulnerabilities before the code ships.
Organizations can define Quality Profiles, which are custom rule sets that projects must use. Quality Gates are then conditions, evaluated against the analysis results, that define the organization's policy for code quality. SDP will, by default, fail the build if the Quality Gate fails.
Steps

| Step | Description |
|---|---|
| static_code_analysis() | Leverages the sonar-scanner CLI to perform static code analysis and sends the results to the configured SonarQube server |
Configuration

SonarQube Library Configuration Options

| Field | Description | Default Value |
|---|---|---|
| installation_name | The name of the SonarQube installation configured in Manage Jenkins > Configure System | "SonarQube" |
| credential_id | The Jenkins credential ID to use when authenticating to SonarQube. Can be either a valid username/password or an API token stored in a Secret Text credential type. | If unset, the library checks whether the installation defined via installation_name has a server authentication token configured in the plugin; if so, that token is the default. Otherwise a credential ID of "sonarqube" is assumed. |
| wait_for_quality_gate | Whether to wait for SonarQube to send a webhook back to Jenkins with the Quality Gate result | true |
| enforce_quality_gate | Whether the build fails if the code does not pass the Quality Gate | true |
| stage_display_name | Purely aesthetic. The name of the stage block during analysis, for pipeline visualization in the Jenkins console. | "SonarQube Analysis" |
| timeout_duration | The number of timeout_unit units to wait for the Quality Gate response before timing out | 1 |
| timeout_unit | One of [ "NANOSECONDS", "MICROSECONDS", "MILLISECONDS", "SECONDS", "MINUTES", "HOURS", "DAYS" ] | "HOURS" |
| cli_parameters | A list of additional CLI analysis parameters to pass to the sonar-scanner CLI | [ ] |
| unstash | A list of pre-existing stashes to try to unstash. Useful if a previous step creates compiled classes or test results for SonarQube to inspect. | [ ] |
Analysis Parameters

In SonarQube, project analysis settings can be provided to the SonarScanner CLI in multiple ways.
The SonarScanner looks for a sonar-project.properties file in the current working directory.
Alternatively, users can use this library's cli_parameters configuration to pass an array of CLI analysis parameters to SonarScanner.
For example:

```groovy
libraries{
  sonarqube{
    cli_parameters = [
      "-Dsonar.projectKey=myCoolProject",
      "-Dsonar.projectName='My Cool Project'"
    ]
  }
}
```
Environment Variables

It's possible to use pipeline environment variables to populate the analysis parameters. This is especially useful when used with one of the source code management libraries to reference the branch name.

Configuration File

sonar-project.properties:

```properties
sonar.projectName=My Cool Project: ${env.BRANCH_NAME}
```

Parameters

pipeline_config.groovy:

```groovy
libraries{
  sonarqube{
    cli_parameters = [
      "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\""
    ]
  }
}
```
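A complete library configuration that ties the options above together (authentication via an API token credential, a bounded wait on the Quality Gate webhook, stashes from an earlier build step, and branch-aware analysis parameters). This is an added example, not a configuration from the SDP documentation; the credential ID, stash names and report paths are assumed values for a Maven-style Java project.

```groovy
// pipeline_config.groovy (added example; names marked "assumed" are not from the SDP docs)
libraries{
  sonarqube{
    // Installation name as configured in Manage Jenkins > Configure System > SonarQube servers
    installation_name = "SonarQube"
    // Secret Text credential holding a SonarQube API token (assumed credential ID);
    // set explicitly so the library does not fall back to the "sonarqube" default
    credential_id = "sonarqube-api-token"
    // Block on the Quality Gate webhook and fail the build when the gate fails
    wait_for_quality_gate = true
    enforce_quality_gate = true
    // Time out after 30 minutes instead of the default of 1 HOURS,
    // so a lost webhook does not hold the executor indefinitely
    timeout_duration = 30
    timeout_unit = "MINUTES"
    stage_display_name = "SonarQube Analysis"
    // Stashes produced by earlier build/test steps (assumed names) so the
    // scanner can inspect compiled classes and coverage reports
    unstash = [ "compiled-classes", "test-reports" ]
    cli_parameters = [
      "-Dsonar.projectKey=myCoolProject",
      // \$ escapes Groovy interpolation; the shell expands BRANCH_NAME at scan time
      "-Dsonar.projectName=\"My Cool Project: \$BRANCH_NAME\"",
      // Assumed Maven output locations for the unstashed artifacts
      "-Dsonar.java.binaries=target/classes",
      "-Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml"
    ]
  }
}
```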
Dependencies

- A SonarQube server should be deployed
- The SonarQube Scanner plugin should be installed
- The SonarQube Installation must be configured in Manage Jenkins > Configure System > SonarQube servers
- The "Enable injection of SonarQube server configuration as build environment variables" checkbox should be checked
Authentication

This library supports both username/password and API Token authentication to SonarQube.
If anonymous access is disabled for the SonarQube Server (it probably should be), then you will need to create an API Token and store it as a Secret Text credential in the Jenkins Credential Store, and reference it in Manage Jenkins > Configure System > SonarQube servers as the Server authentication token.