I have a question that, how analysis happen in sonarqube. when I do mvn sonar:sonar -Dsonar.host.url=http://sonar.com what will happen in background. what I felt is like
Maven will use some plugins and communicate with sonarqube server
Load all the rules that it have in sonarqube server in location we run mvn sonar:sonar
Analyze source code using set of rules we loaded from sonarqube server
push it back to SonarQube database and results will be displayed on SonarQube server
Is this is the proper way that it works? or source code will go into sonarqube server and analysis will happen in sonarqube server itself?
Thanks for the help
You've got it mostly right:
Maven will use some plugins and communicate with SonarQube server
Load all the rules that it have in SonarQube server in location we run mvn sonar:sonar
Analyze source code using set of rules we loaded from SonarQube server
Calculate file-level metrics
Read coverage reports if any
Compile data into an analysis report and push it back to the SonarQube server
The server pops the uploaded report from the queue, and integrates it, storing issues and calculating high-level metrics
User sees updated project status on Project homepage
Related
Is there any way I can get any sonarqube api which can provide the build number of bamboo or any bamboo api which can give sonarqube info.This would really help.
I have so far tried both side but i am surprised both the system are quite clueless about each other. Why it is not possible that a build which ran sonarqube as as one of it's job doesn't have any information about that. Also neither in sonar it tell which build has actually triggered that sonar execution
(Not sure I understand what exactly you are looking for, perhaps this ...? )
I don't believe you can relate a specific Activity (SonarQube analysis) to a specific build (Bamboo), just project to job.
You must have SonarQube Server configured in Bamboo
When executing your job, you can add these sonar.links optional parameters to the analysis step:
sonar.links.homepage Project home page.
sonar.links.ci Continuous integration.
and
sonar.links.scm Project source repository.
sonar.links.issue Issue tracker.
Maybe also specify sonar.host.url=$SONAR_HOST_URL (where SONAR_HOST_URL is the global setting in Bamboo) in the analysis step parameters.
Those populate the Project Overview page sidebar:
That should provide the links from SonarQube back to the other systems of interest.
If you have properly configured Bamboo, you should see a link in Bamboo to the SonarQube project, post execution.
I have a project where I my sonarqube is in a remote server and the server has connection to SVN repository.
Now I wish to add a jacoco plugin to sonar qube which will checkout the project from SVN, build it and generate code coverage report and display it in my sonar report.
can anyone suggest what should I do for this.
Thanks in advance.
First of all you are missing an important step. SonarQube Server will only display your report and your data, and tell you if you passed the quality gate or not and it will show you your issues. But it will not do the analyzing part.
For that you need to use a SonarQube Scanner. There are multiple scanners available as you can see here. Those scanners can be executed locally, or ideally will be integrated in your Continous Integration pipeline, via Jenkins, Bamboo, TeamCity, etc. This Scanner will analyze your project based on the plugins/sensors on your Sonarqube server.
This scanner has to be configured to point to your server via sonar.host.url property, and ideally you will have some login setup. More details regarding that can be found in the SonarQube Documentation, which i highly suggest to read.
When I use this command on my local system the static code analysis report is generate perfectly on my local dashboard but when I am replacing it with the remote sonar url it always shows 0 bugs,0 vulnerabilities.
Sonar server version is different for the two ; can it be the reason for this?
sonar-scanner -Dsonar.projectKey=foo -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000 -Dsonar.projectName=bar -Dsonar.projectVersion=1
Yes, if the version is different it can be definitely the reason for the analysis to show different results, as analyzers which are used to analyze the code are downloaded from the server. Also your quality profile (i.e which rules are enabled) is defined by the server.
I have configured IntelliJ with SonarLint to a connected SonarQube instance in AWS. I am able to run a code analysis in IntelliJ and I do get results back in IntelliJ.
But I want to have these results in Sonarqube. How to do this?
You should have a look on the documentation to see how to :
Install SonarQube : https://docs.sonarqube.org/display/SONAR/Installing+the+Server
Execute an analysis : https://docs.sonarqube.org/display/SCAN
If you have Jenkins you should have 2 jobs: one to build application from branch, another to run SonarQube analysis based on artifacts created by first job (build job). You can create a pipeline: when you push to git (or other repository) first job automatically will be started, when build is done and it’s successful it will trigger job to analyze code in sonar. Try to find configuration examples at https://docs.sonar.org/ or I can send you tomorrow details how we configured our pipeline. P.S. forgot to mention that you need to install SonarQube plugin in Jenkins too.
SonarLint: this tool only open connection to your Sonar server just to get rules for analysis, but analysis is done on your side (localhost) without sending results to Sonar server back. This is how SonarLint works.
I have the following setup:
Bamboo runs builds on every commit on feature branches, including
Bamboo SonarQube plugin
Analysis, including test code coverage
displays in SonarQube.
We installed SonarQube plugin on the Stash Server, and it mostly works (quality gate, etc), but code coverage does not show up in diff in pull requests. What needs to be enabled to that to work?
You could use Code Coverage plugin to integrate coverage information into stash pull-requests. In order to use it, you need to:
Install plugin on your Bitbucket server
Publish coverage information from your branch build. You could use maven client or nodejs client depending on your tech stack.
That doesn't require SonarQube at all, since all information stored on Bitbucket itself.
Pull Request analysis doesn't (yet?) handle code coverage; it only looks at new issues (other than, of course, issues for things that are calculated server-side like inadequate test coverage).