Our use case for Sonar creates new Sonar projects for each branch of our repository. How do we automatically associate the new branch project with a (non-default) Quality Profile and Quality Gate?
We're running this in a Maven project if that's relevant.
We had the same issue, within our company, and the only solution was to use the deprecated attribute sonar.profile (https://docs.sonarqube.org/display/SONAR/Analysis+Parameters).
Sidenote:
Generally there is also a interesting view on how to analyze branches. The general recommendation from sonarSource suggests to only use preview modes for short living branches. As a fact bitbucket-plugins with a richer featureset than just commenting issues, sadly need branch based analysis.
https://jira.sonarsource.com/browse/SONAR-5370 - the property will be removed in 4.5.1 based on the sonar task
Use the api/projects/create web service to provision your projects. You can then call api/qualityprofiles/add_project to assign your new project to the proper profiles. (You'll need to have first looked up the profile id's tho with api/qualityprofiles/search.)
Related
Is it possible for sonarqube to store the rules in git along with the source code of the project?
In other words, is it possible to versioned rules for different branches of the project?
Is it possible to store a profile in Git?
Yes. You can export a profile to file using the Back up feature. (Note that rule customizations aren't included)
Is it possible to have SonarQube store profiles in Git?
No. During analysis your SCM will be queried for blame information, but no part of the SonarQube ecosystem performs commits.
Is it possible to version your profiles and apply different versions to different branches of a project?
Yes, but why would you want to?
There's no point in re-analyzing branches that aren't changing. Which implies that if you improve/tighten your standards, you don't want to apply those higher standards to the new development that's going on in your branches.
"But new rules would raise all kinds of new issues in our branches & I don't want to have to address them because we're not doing new development there, just fixes." I can hear you saying.
Sure, but if you're using a recent version of SonarQube (>=6.3) then those new issues will be raised with a date that matches the blame date of the line. I.E. they won't be raised as leak period issues, but as old issues. Since you're presumably keeping the leak period clean on your branches, this should all work out.
But to answer your question, there's really no need to store old profiles in SCM, just peel off copies in SonarQube and assign them to the appropriate branch projects.
But if you insist on doing this via backups checked in to SCM be aware that you'll need to reconstitute (re-import) your profiles into SonarQube prior to analysis. You can't just point an analysis at a file containing a list of rules and expect it to work.
Q. How can I setup our config/transforms to get release management to work in the example way?
I'm trying to get release management to work in the way all the videos seem to show. The same build progressing through environments going through build --> Dev/Staging --> Production.
It's making me step back a little and question the way we do our configurations in Visual Studio solutions (and our git flow branch process). I think the way we use the configurations is making things more difficult further down the line with the build and then release.
Configurations
We currently use the two default configurations, debug & release.
We tend to use the debug build on our Dev (contains the dev database
connection string & other app settings transforms). This is what we deploy to 'dev'.
Then we also have the release configuration with the production transforms in. This is what we deploy to 'Production'.
How can I setup our config/transforms to get release management to work in the example way?
One option: Build both configurations. Publish both configurations as artifacts in your build.
In your release definition, deploy the appropriate configuration from the linked artifacts.
Another option: Don't do compile-time configuration transforms and instead do deployment-time configuration.
What you provide in the screenshot is a Overview of releases. Which is used to track a release in Microsoft Release Management. Based on a release name and links.
The Overview page shows a list of release definitions. Each one is shown as a series of environments, with the name of the release and the date or time it was started. The color of the heading and the icon in each environment indicate the current status of the release. The color scheme is the same as in the Releases page.
You just need to follow the provided starter deployment templates or you can also create your own templates for your project.
Back to the screenshot, there are just the environments in a release build definition. You can add the need environment in the definitions.
After that you will view the same thing in the overview just like the example:
For your situation, you can created two separate release definition with two build definition based on the both configurations. Moreover,there has been a very detailed document in MSDN, including setup, configurations, manage release, deploy, you can have a systematic understanding.
Having a look to our build logs, I can see this warning:
build 31-Dec-2015 10:37:39 [WARN] [10:37:39.896] Ability to set quality profile from command line using 'sonar.profile' is deprecated and will be dropped in a future SonarQube version. Please configure quality profile used by your project on SonarQube server.
Even if I can easily understand why it could be deprecated, I have an issue with that. We have a single SonarQube installation for all our teams. Each team must be compliant with a given Quality Gate but can define its own profile, depending on the needs. We are working with git branches. We have "static" branches such as master and develop, but also feature and bugfix branches which are also scanned (to insure code quality before merge). Entries in sonar are created also from command line
Dsonar.project.branch=${bamboo.planRepository.branch}
Which helps us to get one sonar entry per development branch.
Issue: Each time we create a feature, not having the command line will force us to go to Sonar and manually change the profile.
Do you have any suggestions, ideas, which may help us ?
Thanks
I have a similar problem with the potential deprecation of this feature. We have too many projects to be managing this administratively in sonarqube.
The best approach for our site is to allow the teams to select an approved profile using setting in the maven pom.xml.
We have just started using Sonarqube 5.1 integrated in TFS build as described on this page http://www.sonarqube.org/announcing-sonarqube-integration-with-msbuild-and-team-build/
We have one main branch, and two development branches for the same project.
What is the recommended strategy for handling this?
I want to be able to see analyze result trends over time and also let people working in different branches able to see analyze result for the branch they are working in. As far as I can see the Sonar msbuild runner (https://github.com/SonarSource/sonar-msbuild-runner) only supports projectkey, projectname and version, but not branch key.
Any advice and suggestions will be greatly appreciated!
Indeed Wangen, I do confirm that the MSBuild Runner 0.9 doesn't yet provide a way to inject some SonarQube properties and so including the "sonar.branch" property. This limitation is going to be dropped in version 1.0 of the MSBuild Runner. Nevertheless, you must be aware that the support of branches by SonarQube is really limited because at the end in your case you're going to have 3 different projects in SonarQube and for instance flagging an issue as false-positive won't lead to flag the same issue in another branch as false-positive.
I currently have a SonarQube instance setup with multiple projects. Currently I get multiple requests every few weeks to update the quality profile to include a new rule or to remove an old one. This is usually followed by me having to recreate the projects and then sequentially running analysis again so that I can have the differential view again starting from a baseline code. This is becoming a pain as the number of projects grow. Is there any alternative to this? For instance is there any way to tell Sonar to pick up the new rules from the quality profile and run the existing analysis again against these rules.
If I don't do that I get a spike in issues as new rules get added and a new analysis is run as the existing analysis wasn't run against those rules and doesn't have an accurate issue number.
Thanks for the help!
Once you have linked a profile to a project, you can change the rule set and it will be used during the next analysis. As you add or remove rules, spikes are normal. Propably what you want to ensure is that for example no new rules are introduced as you want to ensure the quality is not going down, but is always improved. You can do it using quality gates and build breaker plugin. Hopefully I could help.
I am not sure to understand very well what you want to do, if this is running again a new (changed) profile to all previous versions of a project, or to apply different profiles on different versions of a project.
Maybe this could help you ?
SonarQube - analyzing branches of the same project
How to configure Maven to run a SonarQube project analysis with two different quality profiles?