See history of Sonar analyses in SonarQube - sonarqube

I am triggering a Sonar analysis from Jenkins whenever a user commits any change to any branch of my project. In SonarQube I see the project analysis result, and quality gate status, for the most recently run analysis. It only shows the most recently run analysis for a given project.
How can I see a 'history' of previous analyses that were run prior? Specifically I would like to see the coverage from before and where in the codebase specific 'critical' issues triggered a quality gate failure. Basically I want a historical snapshot of the 'project overview' page for each time the analysis is run. Since I am triggering the analysis from different branches I need to be able to differentiate an analysis of Branch A vs. a previous analysis of Branch B.

If you use SonarQube up to version 5.6: Use the Sonar Timeline Plugin, which allows you to add a graph to your dashboard.
If you use SonarQube version 6.5 or later (to be released in August 2017): Get feature rich history graphs out of the box (no plugin required)!

It looks like you have to make a custom dashboard and add a history widget. It looks like it shows you just the times the gate changed (which I guess is what I should have expected). For example, the project I tested with only changed status 3 times, so even though I asked for 10 columns it only showed 3.
This is on the Sonar homepage for your project, not the Sonar widget in Jenkins, FYI.

Related

Sonar Portfolio is not showing configured projects, message portfolio has no projects, or none of associated projects has lines of code

We have created a portfolio and added a few applications to the portfolio, but when I choose the portfolio in the Sonar dashboard it shows the message below, even though I have added a few projects to it and there were no background tasks or analysis related data after Sonar analysis on one of the projects.
Message:
This portfolio is empty.
This portfolio has no projects, or none of associated projects has lines of code.
We have followed the below link to configure a portfolio.
https://docs.sonarqube.org/display/SONAR/Configuring+Portfolios+and+Applications
Created a Portfolio and few projects the portfolio
Project selection mode: Manual
Sonar Version: 6.7.4 LTS
Enterprise Edition
Issue: I could not see the projects which I have added to the portfolio under the Sonar portfolio section.
Can someone please point me to the right configuration steps or help me with the resolution.
Finally figured this out and wanted to share with anyone else who stumbles across this problem. The issue here is that the SonarQube version being used by the OP is 6.7 (similar to me) and the documentation he linked to is for the latest version of SonarQube (7.3 as of this writing).
The documentation for 6.7 is located here and navigating to the equivalent Configuring Portfolios and Applications page includes the following required command be run in order to execute the Portfolio Calculation task in previous versions of SonarQube:
Calculation
Calculation must be triggered manually each time a Portfolio structure is modified. Portfolios should also be recomputed on a regular basis to keep them up to date with the most recent project quality snapshots. Portfolio are computed with the SonarQube Scanner.
To compute all your Portfolio, run the following command (credentials from a user with "Administer System" or "Execute Analysis" permission is required):
sonar-scanner views -Dsonar.login=<token>
or
sonar-scanner views -Dsonar.login=<login> -Dsonar.password=<pwd>
So when using SQ 6.7, without running that sonar-scanner views command in your build plan, only the Project Analysis task will run and your Portfolios will never be updated. Running this views command appears to run the Portfolio Calculation task for all Portfolios on the SQ Server which in turn will update the UI for each entry.

How to get new code coverage in Sonarqube?

When I say "new code", I mean comparing two commits in the master branch to get the new code.
I am confused about the new code coverage in SonarQube. I want to specify the comparison of two commit IDs.
Check in the analysis parameters if the sonar.projectDate one can help:
Retrieve the oldest version of your application's source that you wish to populate into the history (from a specific tag, whatever).
Run a SonarQube analysis on this project by setting the sonar.projectDate property. Example: sonar-scanner -Dsonar.projectDate=2010-12-01
Retrieve the next version of the source code of your application, update the sonar.projectDate property, and run another analysis. And so on for all the versions of your application you're interested in.
If your commits are done on different days, that could work.
This is not as precise as two commits ID, but can still help here.
See "SonarQube - unity tests code coverage on new code not working" (if this has not changed since SonarQube 5.x)
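The backfill procedure described in the answer above, as an added example that is not part of the original answer: `plan_backfill` (a hypothetical name) turns constructed `<date> <ref>` pairs into an oldest-first list of `sonar-scanner -Dsonar.projectDate=...` commands. It assumes day granularity as in the answer's example, so it reports refs that share a day with the previous one, and it refuses ref names that would be unsafe to paste into a shell.

```shell
#!/bin/sh
# Added example (not from the original answer): dry-run planner for the
# sonar.projectDate backfill. Input on stdin: "<YYYY-MM-DD> <git ref>" lines,
# e.g. from: git for-each-ref --format='%(creatordate:short) %(refname:short)' refs/tags

# Constructed sample: unsorted, with two tags created on the same day.
sample_refs() {
  cat <<'EOF'
2017-03-10 v1.2
2016-11-02 v1.0
2017-03-10 v1.2-hotfix
2017-01-15 v1.1
EOF
}

skip() { echo "skip: $*" >&2; skipped=1; }

# Prints one command line per usable ref, oldest first.
# Exit status is 1 when at least one ref had to be skipped.
plan_backfill() (
  prev="" skipped=0
  sorted=$(LC_ALL=C sort -k1,1)   # the procedure starts with the oldest version
  while read -r day ref; do
    if [ -z "$day" ]; then continue; fi
    case $day in
      [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
      *) skip "'$ref' has a malformed date"; continue ;;
    esac
    case $ref in
      ""|-*|*[!A-Za-z0-9._/-]*) skip "ref on $day has an unsafe name"; continue ;;
    esac
    # Day granularity, as in the answer's example: a second ref on the same
    # day cannot get a later projectDate, so it is reported instead of run.
    if [ "$day" = "$prev" ]; then skip "$ref shares $day with the previous ref"; continue; fi
    printf 'git checkout --quiet %s && sonar-scanner -Dsonar.projectDate=%s\n' "$ref" "$day"
    prev=$day
  done <<EOF
$sorted
EOF
  [ "$skipped" -eq 0 ]
)

sample_refs | plan_backfill || echo "some refs were skipped; see messages above" >&2
```

The printed lines are a plan to review and then run from a clean clone; nothing is checked out or analysed by the function itself.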

SonarQube preview mode for pull request shows all issues instead of diff

We'd like to have code analysis results from SonarQube in Stash pull requests, more precisely only for the changed/added code.
The setup looks like this:
Atlassian Bitbucket v4.14.4
Jenkins ver. 2.69
SonarQube Version 6.4 (with sonar-stash plugin from https://github.com/AmadeusITGroup/sonar-stash)
Jenkins fetches changes in branches and builds them. Depending on the branch it will then (for the development branch) call SonarQube to (per default) publish its analysis. For pull requests we want a preview, so SonarQube is called with the parameter -Dsonar.analysis.mode=preview. Additional parameters for the sonar-stash plugin are working so that the analysis result is sent to Stash (Bitbucket) from SonarQube. The problem is, that the results contain all issues/bugs/violations based on the complete source code, not on the changes.
Narrowed this issue down to a problem that the sonar-stash plugin uses a list of issues which are filtered to contain only those issues that are new and linked to a file. So it looks like all issues are marked as new which is strange because in SonarQube we have a baseline for our known (legacy) issues.
Thanks for your time and feedback!
I had a pretty similar issue, my resolution is outlined in the answers below.
My SonarQube Pull Request Issues only question

Does continuous inspection still work with Sonar 5.1.X?

I'm trying to run a preview analysis for a (Java) project of ours with SonarQube 5.1.1. I am able to get a local report generated, however I get no coverage data, and I also get the message [INFO] [XX:YY:ZZ.ZZZ] Build Breaker plugin is no more supported in preview/incremental mode.
If I check here, the page says that Starting with SonarQube 5.1, the Build Breaker plugin does not work any longer in the preview & incremental modes.
I'm confused - I thought that for continuous inspection one needs the build breaker plugin. Is that no longer so? Has the concept in SonarQube changed?
Why am I not getting coverage data when running a preview analysis?
I don't know where you've read this, but continuous inspection is not specifically related to the preview/incremental mode nor to the build breaker plugin - it's not even related to SonarQube (even though it has been pushed by SonarSource from the very beginning).
Here are the key points:
Continuous inspection is about analyzing your code as often as you can in order to monitor (and eventually improve) the quality of your code. Whatever the tool.
On SonarQube, this means running analyses that will push information on the server so that you can monitor what's going on and take the required actions for your application portfolio.
Obviously, when you are a developer, you'd like to manage those issues early, before they even get pushed to the source code repository. But experience tells us that preventing any code push because of issues is a bad pattern - because some issues might be false-positive or not relevant in the context (and still you want - and have the right, to push your code). This is why we feel that the build breaker plugin is not aligned with all this, and it will be replaced in upcoming versions of SQ by native features that match better these concepts:
Very efficient code analysis to display issues in the IDE at the speed of light - but without computing metrics
Preview mode that will compute everything and make it possible to check quality gate before pushing code to the source code repository - without impacting the results on the server
and in this case, using some specific information found in the logs, it will be possible for a CI to fail a build

User specific sonar reports for same project

I have configured one project in sonar and integrated sonar with maven for build time analysis of the project.
After analysis, report is generated and uploaded to Sonar for browsing. But once another user compiles the same project their report overwrites mine.
Basically I want that one user's report on one project is not overwritten by report from other user. A user must be able to see their current violations independently. Is it possible in Sonar?
Sonar stores its analysis on a daily basis, which explains why it's kind of pointless to run analysis several times in a day. Each analysis run will overwrite that day's existing results, which in turn spoils ongoing statistical analysis.
I would suggest running Sonar, from a dedicated build server like Jenkins (which has a Sonar plug-in). This daily analysis will populate the Sonar database and keep the project dashboard current. This architecture also enables you to keep the database credentials confidential.
Obviously developers would like to see the results of their bug fixing. For that I'd recommend running the Sonar Eclipse plug-in. The latest version will run the same Sonar analysis locally. Recent versions of Sonar also enable you to assign violations to developers for resolution.
This is not possible, last performed analysis will always be the one you browse in the interface. However, I guess what you need is the Issue Report Plugin which will enable analysis to store results locally, with the dry-run option.
This way your developers will be able to run an analysis on their code and see the violation delta without pushing the results.
You can do it by explicitly setting the below properties in pom.xml
<properties>
    <sonar.projectKey>Test</sonar.projectKey>
    <sonar.projectName>Test</sonar.projectName>
</properties>
Every user should set different projectKey and projectName, if you want that one user's report on one project is not overwritten by report from other user.
