I understand that it is possible to perform the analysis of the master branch with the Community version.
How can this be done? Since the only way I've found is using the sonar-scanner.
Thanks.
SonarQube supports scanning of a branch per project in the Community Edition without any additional plugins installed. You typically do this using the scanner that fits into your build tool, e.g. Sonar Maven Scanner, Sonar Gradle Scanner, Sonar MSBuild Scanner plus some other scanners. You'll need to have a SonarQube server running somewhere (locally, or potentially Sonar Cloud) for the Scanner to communicate with.
The terminology may be what's misleading you here - SonarQube is split into 3 main parts:
Sonar Server: the user interface and API, typically run on a remote server
Sonar Scanner: the part that runs on your local/build machine, gathers details about your source code, libraries, test results, coverage etc and submits them to the Compute Engine
Sonar Compute Engine: the part that does all the work of analysing source and byte code, coverage, and test results to calculate any issues and produce quality metrics which Sonar Server then presents back as the result of a scan. This part is normally run as part of you launching Sonar Server so you won't typically have to do anything special to get this working.
You won't be able to get any results without having used all 3 of these parts, normally by downloading and running SonarQube, and then running the scanner using your build tool.
If you're wanting to scan more than a single branch in newer editions of SonarQube (7.3 and above) then you'll need to consider updating to SonarQube Developer Edition, or installing a plugin that supports Community Edition Branch Analysis.
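The hand-off between the three parts described in this answer can be followed from the client side. The sketch below is an added example, not code from the answer or from SonarQube: it reads the `report-task.txt` file the scanner leaves in its working directory and interprets a Compute Engine task response from `api/ce/task`. All sample values (project key, task id, URLs) are constructed placeholders.

```python
import json

# Constructed sample of .scannerwork/report-task.txt, written by the scanner
# after it submits its report (all values are placeholders).
SAMPLE_REPORT_TASK = """\
projectKey=my-project
serverUrl=http://localhost:9000
dashboardUrl=http://localhost:9000/dashboard?id=my-project
ceTaskId=AXexampleTaskId
ceTaskUrl=http://localhost:9000/api/ce/task?id=AXexampleTaskId
"""

# Constructed sample bodies of GET api/ce/task responses.
SAMPLE_PENDING = '{"task": {"id": "AXexampleTaskId", "status": "IN_PROGRESS"}}'
SAMPLE_DONE = ('{"task": {"id": "AXexampleTaskId", "status": "SUCCESS", '
               '"analysisId": "AXexampleAnalysisId"}}')

# Task states after which the Compute Engine will not change the result.
TERMINAL = {"SUCCESS", "FAILED", "CANCELED"}


def parse_report_task(text):
    """Parse key=value lines; split on the first '=' only, since URLs contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ce_task_state(body):
    """Return (status, finished, analysis_id) from a Compute Engine task response."""
    task = json.loads(body).get("task", {})
    status = task.get("status", "UNKNOWN")
    return status, status in TERMINAL, task.get("analysisId")


def next_step(report_text, ce_body):
    """Decide what a client should do after the scanner has submitted its report."""
    props = parse_report_task(report_text)
    status, finished, _ = ce_task_state(ce_body)
    if not finished:
        return "poll " + props["ceTaskUrl"]      # Compute Engine still working
    if status == "SUCCESS":
        return "open " + props["dashboardUrl"]   # Server now presents results
    return "analysis " + status.lower() + ": check the server's background tasks"
```

A scanner run that exits successfully only means the report was submitted; results appear on the server once the task reaches `SUCCESS`.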
Related
We have Artifactory and Xray for our developers and we have Azure DevOps pipelines integrated with these tools where the builds are scanned for each pipeline execution.
But when developers are doing local builds from their development workstations they also need to be scanned before merging to the repos in ADO.
So we are looking for some possibility where the developers are able to connect to Xray from their IDE client itself.
They are using IDEs like Visual Studio and Visual Studio Code.
They need to run the local builds of NuGet, Maven, Gradle, Android, iOS, Nodes...
Can anyone suggest how this can be achieved from IDEs or CLIs (JFrog CLI, Git Bash, etc.)?
You can use the JFrog VS Code Extension which allows you to scan project dependencies using JFrog Xray in VS Code.
It allows developers to view panels displaying vulnerability information about the components and their dependencies directly in their VS Code IDE. The extension also allows developers to track the status of the code while it is being built, tested and scanned on the CI server.
I have a PR analysis done on a project in an Azure pipeline and the analysis doesn't show any issues in the Sonar UI for the code.
But when the PR is merged into the branch and analysis is performed, then the issues are generated for the same piece of code.
Using SonarQube 8.5.
Could someone explain the reason?
What type of Azure DevOps are you using? The cloud offering, Azure DevOps Services (VSTS)? Or the on-premises offering, Azure DevOps Server (TFS)?
According to the introduction from the docs about Pull Request Analysis in SonarQube, it seems that Azure DevOps Services is not supported for Pull Request Analysis in SonarQube.
If you are using Azure DevOps Services, you can try the method below to see if it can work:
Install a Self-hosted agent on the machine your SonarQube server is hosting. And use this agent to run your pipeline. Before analyzing your Pull Requests, make sure the Pull Request branch is checked out.
[UPDATE]
According to your comments,
"I have a PR analysis done on a project in Azure pipeline and the analysis doesn't show up any issues in sonarUI for the code. But when the PR is merged in to the branch and analysis is performed then the issues are generated for the same piece of code."
The PR build and the CI build have the same configuration, and the only difference is the trigger type. Because the CI build works as expected, the configuration you set in the Azure pipeline should be correct.
"I see this happening intermittently... previously with 8.0 version this issue never happened... after the upgradation to 8.5... I can see this issue happening"
You can try the build pipeline with version 8.0 to see if it still works as expected. And compare the output logs in the build pipeline between version 8.0 and 8.5.
If it works fine on version 8.0, it means the Azure pipeline can work normally, and the issue should occur on version 8.5 itself. If so, I recommend that you open a topic on the SonarSource Community to get more help.
I have installed Sonar Scanner and SonarQube, and I am running code analysis with Sonar Scanner, and I can see the results on the SonarQube server in the browser. Also, I have SonarLint added in my VS2015 and I am using connected mode with my SonarQube server. And I also run analysis with SonarLint locally.
Sonar Scanner is a program that connects to a SonarQube server, downloads analyzers and active rules, runs the analyzers locally on your source code, and finally pushes the analysis results to SonarQube, so that you can manage the quality of your source code on SonarQube.
SonarLint is designed to analyze files as you work on them in your IDE (VS2015 in your case). It does not produce analysis reports and does not push them to SonarQube server. Not even in connected mode. The purpose of connected mode is to use the same analyzers and same rules as configured on SonarQube. Pushing analysis reports to the server is out of the scope of SonarLint.
In short, if you want to see analysis results on SonarQube and manage the quality of your software, you cannot skip the Sonar Scanner.
I have installed the SonarQube extension in VSTS, configured it with my SonarQube server, username, and token, and created a task to perform a sonarqube cli analysis. However, when I get to the task in my build, I get the error message that it is not compatible with my operating system. Is this due to my build agent being Linux? Is there a way to get the SonarQube cli extension to use the SonarQube scanner for Linux rather than SonarQube scanner for windows?
The incompatibility is indeed that you're trying to analyze .NET from Linux. The SonarQube Scanners are not yet compatible with that combination.
I want to run SonarQube testing on my SonarQube server and want to see the test result (test report) from my client machine without touching the server.
How can I do that when multiple developers will push their code to test on the Sonar server and need to see the test result from their local machines?
There is the http://www.sonarlint.org/ plugin available for Eclipse, IntelliJ IDEA and Visual Studio. The plugins for the first two IDEs support Java, JavaScript and PHP; the plugin for Visual Studio supports .NET code.
All three offer the Connected Mode which can "establish a connection to a SonarQube server (4.5.4+) and bind your [...] project to a SonarQube project."
This might help you depending on your development environment.