I am trying to add SonarQube analysis to our OSS Project with travis on Github.
I performed the following steps:
Create a organization and project on sonarcloud.io
Add the sonarcloud definition in .travis.yml
Create a sonar-project.properties file
Push everything to a feature branch called feature/sonarcloud
Add this branch to travis.yml and properties file.
The final result can be seen here:
https://github.com/open62541/open62541/tree/feature/sonarcloud
Unfortunately Travis does not submit the sonar analysis:
INFO: Scanner configuration file:
/home/travis/.sonarscanner/sonar-scanner-2.8/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarQube Scanner analysis skipped
(See also https://travis-ci.org/open62541/open62541/jobs/287631673)
I already tried to forcefully set export SONARQUBE_SKIPPED=false but it is still skipped. How can I find out why the scanner analysis is skipped?
Related questions:
SonarQube Scanner analysis skipped in travis CI
Travis CI skipping SonarQube analysis
As you can read in the Travis CI logs, at line 556:
Skipping SonarCloud Scan because this branch is not master or it does not match declared branches
This is because you haven't activated analysis on that "feature/sonarcloud" branch. As described in the official documentation, you can achieve that like this:
addons:
sonarcloud:
organization: open62541
token:
secure: "..."
branches:
- master
- feature/sonarcloud
Related
OWASP dependency check it's a great way of automating vulnerability discovery in our projects, though when running it as part of a CI pipeline per project it adds 3-4 minutes just to download the NVD database.
How can we cache this DB when running it with maven / gradle on a CI pipeline?
After a bit of research I found the way!
Basically, the files containing the NVM db are called: nvdcve-1.1-[YYYY].json.gz i.e. nvdcve-1.1-2022.json.gz which are later added to a Lucene index.
When running Dependency-Check with the Gradle plugin the files are created on:
$GRADLE_USER_HOME/.gradle/dependency-check-data/7.0/nvdcache/
When running it with Maven they are created on:
$MAVEN_HOME/.m2/repository/org/owasp/dependency-check-data/7.0/nvdcache/
So to cache this the DB on Gitlab CI you just have to add the following to your .gitlab-ci.yaml (Gradle):
before_script:
- export GRADLE_USER_HOME=`pwd`/.gradle
cache:
key: "$CI_PROJECT_NAME"
paths:
- .gradle/dependency-check-data
The first CI job run will create the cache and the consecutive (from same or different pipelines) will fetch it!
I have an existing teamcity pipeline which is running fine.
We use teamcity dsl to define the same.
I want to replace this with a new pipeline. I am experimenting with this pipeline in my own branch. When I try and push my change, I see this error
[Retrieve settings, revision: f16566918ecccbe079d02bd3c3689575408a0957] Read build settings from revision f16566918ecccbe079d02bd3c3689575408a0957
[10:01:05] [Read build settings from revision f16566918ecccbe079d02bd3c3689575408a0957] Failed to load build configuration settings from VCS: build configuration config is not found, use current settings from TeamCity server
Internal teamcity experts are asking me to do my development on a test teamcity environment we have.
Is this the only option?
Is there a way I can force teamcity to pick a new dsl based pipeline defined in a branch?
I have an application in springboot which uses gradle to build the code.
I have setup https://github.com/gabrie-allaigre/sonar-gitlab-plugin on SonarQube and have integrated gitlab CI
to analyse code on every push/commit. What I want to achieve is to break the push/commit if the analysis fails.
Below is my .gitlab-ci.yml
image: XXXXXX:oraclejdk:1.8.0_121
before_script:
- export GRADLE_USER_HOME=`pwd`/.gradle
sonarqube_master_job:
stage: test
only:
- master
- release2.0
script:
- ./gradlew assemble
- ./gradlew -x test sonarqube -Dsonar.host.url=http://sonarqube.XXX.XXX.XXX:9000/sonarqube -Dsonar.login=xxxxxxxxxxxxxxxxxxxx
sonarqube_preview_feature_job:
stage: test
only:
- /^feature\/*/
- development
script:
- git checkout $CI_COMMIT_REF_NAME
- git merge --no-commit --no-ff
- ./gradlew assemble
- ./gradlew -x test sonarqube -Dsonar.host.url=http://XXXX.XXXXX.com:9000/sonarqube -Dsonar.login=xxxxxxxxxxxxxxxxxxxxx -Dsonar.analysis.mode=preview -Dsonar.gitlab.commit_sha=$CI_COMMIT_REF -Dsonar.gitlab.ref_name=$CI_COMMIT_REF_NAME -Dsonar.gitlab.project_id=$CI_PROJECT_ID --stacktrace
How do I make sure the push fails if the analysis fails? Do I need to use webhooks. Is there a sample CI file?
#jibsonline, You can refer to my answer provided in the below link.
However the script answers only how to break the build on sonar analysis and display the results.
How to integrate Sonar Quality Gates with Gitlab-CI
Since gitlab triggers the build, once the changes were pushed, it is not advisable to set up an automated tool to revert the code changes on your behalf. Whenever a build fails, write script (dependencies) such that the code will not be deployed. Since the code is not deployed, your environment will not be effected. Also,set up an email configuration whenever build fails.
We are using s4sdk pipeline from:
https://github.com/SAP/cloud-s4-sdk-pipeline
When I work on my feature branch, in order to skip the production deployment, usually I remove the configuration below:
productionDeployment:
appUrls:
- 'myUrl'
cfTargets:
- org: 'myOrg'
space: 'mySpace'
apiEndpoint: 'myEndpoint'
appName: 'myAppname'
manifest: 'myManifest.yml'
credentialsId: 'myCredentialsId'
Is there any existing mechanism/configuration to help distinguish my testing branch and productive branch, so that the deployment happens only for the productive branch build?
Thanks in advance.
You can always mention your productive branch in the general configuration of pipeline_config.yml. When you mention that, pipeline will always check the current branch name with that of value mentioned, deployment is carried out by pipeline only if these values are same.
#Project Setup
general:
productiveBranch: 'master'
projectName: 'my_project'
I am creating a GoCD pipeline to run sonar analysis for my project. Up to now, I have successfully configured sonar properties on my local file and it successfully pushes the metrics to the sonar server.
The problem occurs when creating a GoCD pipeline to run the analysis. I am unable to successfully install sonar scanner on GoCD agents. The error that I get when executing command sonar scanner from the pipeline is "SONAR_RUNNER_HOME does not point to a valid installation directory".
Currently We are running sonar-scanner from GoCD pipeline and checking SonarQube Quality Gates correctly.
What we do was the following: I created a bash script that launch the sonar-scanner. This script (and other ones used by our GoCD configuation) is inside a second Git Material (the first one is the Project source code). We have installed the 'SonarQube Quality Gates Task Plugin' to evaluate our SonarQube quality gates.
So we have a Job in our Pipeline with the following tasks:
Type: Custom Command --- Run if: Passed --- Command: /bin/bash
--- Arguments: path_to_sonar_scanner_bash_script_launcher.sh --- Working Directory: your_working_dir
Type: SonarQube - Quality Gate --- Run if:
Passed --- Key of the SonarQube project: sonar_qube_project_id ---
Fail Quality Gate result: error Sonar --- Api Url:
http://your_sonar:9000/api
We have GoCD agent and sonarqube installed in the same machine.
I expect this help you.