Which versions am I using (SonarQube, Scanner, Plugin, and any relevant extension):
SonarQube 7.9.1 (on a remote server)
Sonar maven plugin 3.7.0.1746 (in my pom.xml file)
Jenkins 2.222.1 (local server)
Maven 3.6.0
What am I trying to achieve:
I want to perform an analysis with a Jenkins Pipeline with my remote server
What have I tried so far to achieve this :
I have succeed to do an analysis with my IDE (intelliJ) and it works with the command :
mvn -B sonar:sonar
After that, the server note the last analysis with the Quality Gate.
Nevertheless, it does not work with my Jenkins Pipeline.
I do not understand why it works with the IDE and not with Jenkins.
I have put in my pom.xml a sonar.login which is a specific user token. This user has the right to execute an analysis on this particular project. In my ~/.m2/settings.xml, I have put the sonar.host.url.
I also tried to set up manually a SonarQube server in Jenkins (in system configuration). I put there the url and my token thanks to a secret text but it does not work to.
I have also generated a Webhook but this is for the qualitygate variable in the pipeline and I don’t think it matters here.
I don’t know what to test now…
Any idea ?
Thanks
It is ok now : I have added on a sonar installer in the settings. In addition I move the sonar.host.url from ~/.m2/settings.xml to my pom.xml file.
Related
I am using SonarQube version 6.7 for running analysis of Maven projects using the command mvn clean verify sonar:sonar from the project directory using command prompt and get the results. The sonar configurations in settings.xml for maven (v3.5.3) are added respectively.
In Jenkins (version 2.161), I have installed SonarQube Scanner for Jenkins (v2.8.1) plugin. The SonarQube Server configuration is configured as below.
In the Jenkins maven project, I have configured the post steps as below.
I have checked the Prepare SonarQube Scanner environment in the Build Environment section and the Build goal is -e clean verify sonar:sonar.
My issue is, when the SonarQube analysis for a maven project is triggered through command prompt using the command mvn clean verify sonar:sonar, I am getting the results as expected. But when the Jenkins job is triggered with the configurations above for the same maven project, the results are different and incorrect. What am I missing?
P.S- In the Post-build Actions, I can see the SonarQube analysis with maven is deprecated.
Thanks in advance.
You use different scanners. First you used SonarScanner for Maven (mvn sonar:sonar). Next you used Basi SonarScanner, which requires manual configuration of all options.
The best option to sole it is always use the same scanner. You have Maven project, so you can enable Prepare SonarQube Scanner environment in Build Environment, and next execute Sonar goal $SONAR_MAVEN_GOAL in Build.
I have a hudson server.
Everytime I build my project on Hudson, It triggers Sonar on other server to building too.
I checked the configuration on Hudson.
I am following some instructions in here , but seems it is not enough.
I have my setting.xml
And I have this issue:
What is wrong with my configuration or I missing something?
Thank.
I have scoured the forums and cannot seem to quite understand the config for the fortify plug-in with Sonar.
I understand it simply builds a widget based on data from a previously generated .fpr file.
My setup:
Maven 3 project
Jenkins 1.606
SonarQube 5.0.1
Sonar-Fortify plug-in 2.0
Prerequisites:
.fpr file is in Jenkins workspace
Sonar is added to pom.xml
sonar-fortify-plug-in v2.0 added to pom.xml - (wasn’t sure this was needed or not)
Sonar server configured in Jenkins
sonar fortify plug-in v2.0 added to Sonar – (only see a dropdown to ‘enableReportLink’ under ‘Configure widgets’
should there be more config somewhere?
Questions:
Where should this property be set? Jenkins Sonar config, Sonar, pom file?
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
Is that path to the .fpr file where it is within the Jenkins workspace?
The setup instructions on Github seem short and I feel I am missing something specific in my understanding.
Any help or direction to additional documentation is great appreciated.
First of all as documented version 2.0 can not be used anymore. Version 2.1 is going to be released soon. Vote for release will be started this week. Meanwhile you can:
download 2.1-SNAPSHOT version and copy it in extensions/plugins of your SonarQube server installation
restart server. The Fortify rules should be available in the page "Rules".
execute Fortify command "sourceanalyzer", independently from SonarQube. It generates a report file suffixed by .fpr.
execute a standard SonarQube analysis of your project by adding the property sonar.fortify.reportPath, for example:
mvn sonar:sonar -Dsonar.fortify.reportPath=/path/to/project.fpr
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
If everything works, then you can automate these steps in Jenkins.
I am tying to set up a Jenkins Pipeline.
The first stage is done, the code compiles, is tested, inspected and deployed to Nexus.
I would like now to make a second stage on the pipeline where the war is checked out from Nexus and deployed on tomcat.
Actually I already integrated the maven-tomcat plugin to deploy on Tomcat.
My question is how can I check out the latest build of the war ?
Is there any maven or jenkins plugin for that ?
Many thanks,
Patrick
Your binary repository manager (Nexus) should ideally occupy the following position in you overall architecture:
You can use Jenkins as your provisioning tool, but ideally it should launch some sort of process which pulls the artifact to be deployed directly from Nexus (If nothing else it's more efficient).
This is a lot easier than it sounds. For example the Nexus REST API could be called from a shell script to download any desired revision of an artifact. For example:
$CATALINA_HOME/bin/shutdown.sh
curl -o $CATALINA_HOME/webapps/myfile.war http://myrepo.com/service/local/artifact/maven/redirect?r=releases&g=com.myorg&a=myfile&v=1.1.1&e=war
$CATALINA_HOME/bin/startup.sh
Finally, perhaps you might wish to consider a dedicated system for managing your deployments? An interesting solution I've been playing with is rundeck, which has a plugin for Jenkins. I really like rundeck, due to it's simplicity a trait it shares with Jenkins. There is also a plugin for Nexus that enables rundeck to provide a pull down list of artfacts eligible for deployment.
See download-artifact-from-nexus.sh script at https://github.com/cescoffier/puppet-nexus/tree/master/files
In my case, I modified it to use wget instead of curl. For some reason, curl wouldn't work for me.
I suggest you create a new pom for this. That way you are not bound to jenkins.
You need not explicitly checkout the artifact from nexus (note that this is called downloading from the repository in maven speech). You can specify a different war file location in the tomcat maven plugin. See the documentation. For downloading the latest version from the repository see the answers to this question.
i get the same problem with curl, i solved it buy adding the parameter -L, so that curl will follow the redirection to download the artifact, wget follows the redirection by default.
Below syntax has worked for me.
wget --user=admin --password=admin http://192.168.0.3:8081/repository/simpleapp-snapshot/in/javahome/simple-app/3.0.0-SNAPSHOT/simple-app-3.0.0-20210513.143540-1.war
I´m working with Maven 3, eclipse Helios and Jenkins e Artifactory. During the execution of release plugin one of the steps that this plugin is doing, is publish in artifactory the generated release. In my organization, we have the following issue:
Only the manage of configuration can run the release through Jenkins with release-plugin, but any developer can run the release plugin through console and this execution will overwrite the release published in artifactory.
I´m looking around artifactory configurations and all developer users are with read permissions but they can update release local in artifactory.
There are any solution to block or disable the execution of local release from eclipse through Jenkins?
Thanks if anyone can help me!
I would suggets using Artifactory's release management for Jenkins, which is part of the Jenkins Artifactory plugin.
This will allow you to run release management purely from Jenkins, possibly with a dedicated user, and also run staging and promotion on releases.
Releasing/staging would typically be done to a dedicated repo in Artifactory which only the Jenkins release user has write permissions for.
The release management functionality in the Jenkins Artifactory plugin is a complete replacement for the maven release plugin (and for the Jenkins m2release plugin which is based on the latter), that is:
Faster and involves less (unnecessary) rebuild cycles
Integrates your existing Maven and SCM Jenkins configs
More flexible in how versions can be applied
Offers robust rollbacks
Also works for non-Maven build types
Move release plugin to profile (it should not be activate by default). Activate profile only when you run build on jenkins. (for profile name jenkins use mvn <goals> -Pjenkins)
http://wiki.jfrog.org/confluence/display/RTF/Managing+Permissions