I have been experiencing one strange issue for the past 2 days. I had to set up SonarQube for code analysis, so I did it first on my local machine and then, after successfully configuring it, I did the same on one remote server. We are using Gradle in between.
All the configuration of Sonar on the remote machine (where I finally have to set up Sonar so everybody can see it) is the same as in my local Sonar instance (meaning MySQL DB, Java version, Sonar version, everything). When I check any project in SonarQube, I can see a number of bugs on my localhost:9000 Sonar but 0 bugs on the RemoteServerIP:9000 Sonar.
One thing here is that the % of duplications is the same on both IPs, but the rest of the parameters show 0 on the RemoteServerIP:9000 Sonar.
Please check the following images:
Sonar instance on my local system with the same configuration:
Sonar instance on my remote system with the same configuration:
Please let me know what I can do here to resolve the issue.
Thanks in Advance :-)
I have a project where my SonarQube is on a remote server and the server has a connection to the SVN repository.
Now I wish to add a JaCoCo plugin to SonarQube which will check out the project from SVN, build it, generate a code coverage report and display it in my Sonar report.
Can anyone suggest what I should do for this?
Thanks in advance.
First of all, you are missing an important step. The SonarQube Server will only display your report and your data, tell you whether you passed the quality gate or not, and show you your issues. But it will not do the analyzing part.
For that you need to use a SonarQube Scanner. There are multiple scanners available, as you can see here. Those scanners can be executed locally, or ideally will be integrated in your Continuous Integration pipeline, via Jenkins, Bamboo, TeamCity, etc. This scanner will analyze your project based on the plugins/sensors on your SonarQube server.
This scanner has to be configured to point to your server via the sonar.host.url property, and ideally you will have some login set up. More details regarding that can be found in the SonarQube documentation, which I highly suggest reading.
When I use this command on my local system the static code analysis report is generated perfectly on my local dashboard, but when I replace it with the remote Sonar URL it always shows 0 bugs, 0 vulnerabilities.
The Sonar server version is different for the two; can that be the reason for this?
sonar-scanner -Dsonar.projectKey=foo -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000 -Dsonar.projectName=bar -Dsonar.projectVersion=1
Yes, if the version is different it can definitely be the reason for the analysis showing different results, as the analyzers which are used to analyze the code are downloaded from the server. Also your quality profile (i.e. which rules are enabled) is defined by the server.
I have configured IntelliJ with SonarLint connected to a SonarQube instance in AWS. I am able to run a code analysis in IntelliJ and I get results back in IntelliJ.
But I want to have these results in SonarQube. How do I do this?
You should have a look at the documentation to see how to:
Install SonarQube : https://docs.sonarqube.org/display/SONAR/Installing+the+Server
Execute an analysis : https://docs.sonarqube.org/display/SCAN
If you have Jenkins you should have 2 jobs: one to build the application from the branch, another to run the SonarQube analysis based on the artifacts created by the first job (build job). You can create a pipeline: when you push to git (or another repository) the first job will be started automatically; when the build is done and successful it will trigger the job to analyze the code in Sonar. Try to find configuration examples at https://docs.sonar.org/ or I can send you details tomorrow on how we configured our pipeline. P.S. I forgot to mention that you need to install the SonarQube plugin in Jenkins too.
SonarLint: this tool only opens a connection to your Sonar server to get the rules for the analysis, but the analysis is done on your side (localhost) without sending results back to the Sonar server. This is how SonarLint works.
I have a question about how analysis happens in SonarQube. When I do mvn sonar:sonar -Dsonar.host.url=http://sonar.com, what happens in the background? What I think happens is something like:
Maven will use some plugins and communicate with the SonarQube server
Load all the rules that it has on the SonarQube server into the location where we run mvn sonar:sonar
Analyze the source code using the set of rules we loaded from the SonarQube server
Push it back to the SonarQube database and the results will be displayed on the SonarQube server
Is this the proper way that it works? Or will the source code go to the SonarQube server and the analysis happen on the SonarQube server itself?
Thanks for the help
You've got it mostly right:
Maven will use some plugins and communicate with the SonarQube server
Load all the rules that it has on the SonarQube server into the location where we run mvn sonar:sonar
Analyze the source code using the set of rules we loaded from the SonarQube server
Calculate file-level metrics
Read coverage reports if any
Compile data into an analysis report and push it back to the SonarQube server
The server pops the uploaded report from the queue, and integrates it, storing issues and calculating high-level metrics
User sees updated project status on Project homepage
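The last three steps above are asynchronous: the scanner exits as soon as the report is uploaded, and the Compute Engine task that integrates it may still be pending, which is why a pipeline job (like the second Jenkins job described earlier) has to poll the task and only then read the quality gate. The following added example, which is not code from the original thread, shows that post-upload check. It parses the report-task.txt file that sonar-scanner writes to .scannerwork/ (mvn sonar:sonar writes it to target/sonar/) and interprets the api/ce/task and api/qualitygates/project_status responses; the file contents, task id and HTTP responses are constructed sample data, and the fetch_json helper is an assumption about how one would call the real API with a user token.

```python
"""Added example: follow a SonarQube analysis from report upload to quality gate.

After the scanner pushes its report, the server queues a Compute Engine (CE) task.
A CI job must wait for that task to reach a terminal state before the quality gate
for the new analysis exists. Sample inputs below are constructed, not captured.
"""
import base64
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample of report-task.txt as written by the scanner (the key names are
# the ones the scanner uses; the task id and analysis id are made up).
SAMPLE_REPORT_TASK = """\
projectKey=foo
serverUrl=http://localhost:9000
serverVersion=7.9.1.27448
dashboardUrl=http://localhost:9000/dashboard?id=foo
ceTaskId=AXa1b2c3d4e5f6g7h8i9
ceTaskUrl=http://localhost:9000/api/ce/task?id=AXa1b2c3d4e5f6g7h8i9
"""

# Constructed sequence of api/ce/task responses, one per poll, then the
# api/qualitygates/project_status response for the finished analysis.
SAMPLE_CE_RESPONSES = [
    {"task": {"id": "AXa1b2c3d4e5f6g7h8i9", "status": "PENDING"}},
    {"task": {"id": "AXa1b2c3d4e5f6g7h8i9", "status": "IN_PROGRESS"}},
    {"task": {"id": "AXa1b2c3d4e5f6g7h8i9", "status": "SUCCESS", "analysisId": "AXanalysis123"}},
]
SAMPLE_QG_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.0"},
            {"status": "ERROR", "metricKey": "new_bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "3"},
        ],
    }
}

TERMINAL_STATES = {"SUCCESS", "FAILED", "CANCELED"}


def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines of report-task.txt."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def fetch_json(url: str, token: str) -> dict:
    """Assumed real-world helper: GET a SonarQube web API URL with a user token.
    SonarQube accepts the token as the basic-auth username with an empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_task(responses: List[dict]) -> dict:
    """Return the first task object in a terminal state; responses stands in for
    repeated polls of ceTaskUrl (sleep between real polls)."""
    for resp in responses:
        task = resp["task"]
        if task["status"] in TERMINAL_STATES:
            return task
    raise TimeoutError("CE task did not reach a terminal state")


def quality_gate_verdict(qg: dict) -> Tuple[str, List[str]]:
    """Return the gate status (OK/ERROR/NONE) and the metric keys that failed."""
    status = qg["projectStatus"]["status"]
    failed = [c["metricKey"] for c in qg["projectStatus"].get("conditions", [])
              if c["status"] == "ERROR"]
    return status, failed


def evaluate(report_task_text: str, ce_responses: List[dict], qg_response: dict) -> dict:
    """Decide what a CI job should report after the scanner has uploaded its report."""
    props = parse_report_task(report_task_text)
    task = wait_for_task(ce_responses)
    result = {"project": props["projectKey"], "task_status": task["status"],
              "gate": "NONE", "failed": [], "dashboard": props.get("dashboardUrl")}
    if task["status"] != "SUCCESS":
        return result  # no analysis was integrated; there is nothing to gate on
    # With a real server: qg_response = fetch_json(
    #     f"{props['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}", token)
    result["gate"], result["failed"] = quality_gate_verdict(qg_response)
    return result


if __name__ == "__main__":
    print(evaluate(SAMPLE_REPORT_TASK, SAMPLE_CE_RESPONSES, SAMPLE_QG_RESPONSE))
```

A scanner that exits 0 only proves the upload succeeded; a FAILED or CANCELED task, or an ERROR gate, is what should fail the build, and the failing metric keys give the developer something more useful than a red badge.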
In the similar question "Sonar-Runner talks to the local database", David RACODON (SonarSource) wrote:
The SonarQube Runner needs to talk to both the database and the web server.
I am trying to understand why Sonar Runner talks to the Sonar database, because somebody who uses Sonar Runner will know the database user and password and can do anything on it, for example change the admin password and take control of the Sonar instance.
On the other hand, in the Sonar Runner docs (http://docs.sonarqube.org/display/SONAR/Installing+and+Configuring+SonarQube+Runner) I see this info:
The SonarQube Runner is recommended as the default launcher to analyze a project with SonarQube.
So does it mean that I should give the database password to each developer on my team? This is inconsistent. Could somebody explain it?
SonarQube needs to talk to the database in order to save the results (metrics) of the analysis.
I will not talk about all the different possibilities that you can implement to avoid SonarQube's users knowing the admin login, but here is the one I use:
SonarQube + Runner
Jenkins with Sonar plugin
This post (on my blog) is 1 year old (http://qualilogy.com/en/install-sonarqube-the-sonarqub-jenkins-plugin/) but it will give you an idea.
You already have SonarQube + Runner installed.
Install Jenkins
Install SonarQube plugin for Jenkins
Configure the plugin:
Location of Runner
SonarQube dashboard URL
Connection to the DB: the password is encrypted.
Then, when configuring and running an analysis from Jenkins, there is no need to use any DB login as a parameter.
Hope it helps.
As of version 5.2, this is no longer the case. Now all DB credentials/connections are managed by Sonar itself, not the runner.
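The practical consequence of the 5.2 change is that any sonar.jdbc.* property still present in a scanner-side configuration is dead weight that hands every developer and CI agent the database credentials for nothing. The following added example, which is not code from the original thread, is the check a practitioner would run over a sonar-project.properties file or the -D arguments of a sonar-scanner / mvn sonar:sonar call: it flags leftover JDBC settings and hard-coded server credentials, and produces the hardened property set that expects the token from the environment instead. The sample properties are constructed, and the SONAR_TOKEN variable name is an assumption about how the token would be supplied.

```python
"""Added example: lint scanner-side SonarQube configuration for credentials.

Since SonarQube 5.2 only the server talks to the database, so sonar.jdbc.* keys
in scanner configuration are obsolete and leak DB credentials to every analysis
host. Server credentials (sonar.login / sonar.password / sonar.token) should not be
committed either; pass a token from the CI secret store at run time.
"""
from typing import Dict, List, Tuple

JDBC_PREFIX = "sonar.jdbc."                                  # obsolete for scanners since 5.2
SERVER_SECRET_KEYS = {"sonar.login", "sonar.password", "sonar.token"}
TOKEN_ENV_VAR = "SONAR_TOKEN"                                # assumed name for the CI secret

# Constructed sample: a properties file that still carries pre-5.2 settings and a
# hard-coded admin login.
SAMPLE_PROPERTIES = """\
# sonar-project.properties
sonar.projectKey=foo
sonar.projectName=bar
sonar.sources=.
sonar.host.url=http://localhost:9000
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.login=admin
sonar.password=admin
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java-style properties file (key=value, # comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_cli_args(argv: List[str]) -> Dict[str, str]:
    """Extract -Dkey=value pairs from a scanner command line."""
    props: Dict[str, str] = {}
    for arg in argv:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value
    return props


def lint(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, reason) findings, sorted by key, for credential-bearing properties."""
    findings: List[Tuple[str, str]] = []
    for key in props:
        if key.startswith(JDBC_PREFIX):
            findings.append((key, "database setting on the scanner side; obsolete since 5.2"))
        elif key in SERVER_SECRET_KEYS:
            findings.append((key, f"server credential in config; supply via ${TOKEN_ENV_VAR}"))
    return sorted(findings)


def hardened(props: Dict[str, str]) -> Dict[str, str]:
    """Drop every flagged key; the token is expected from the environment at run time."""
    return {k: v for k, v in props.items() if not any(k == f for f, _ in lint({k: v}))}


if __name__ == "__main__":
    for key, reason in lint(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {reason}")
    print(hardened(parse_properties(SAMPLE_PROPERTIES)))
```

Run the scanner with the remaining properties and the token injected by the CI system (for example a Jenkins credential bound to an environment variable), so that neither the repository nor the build log carries a reusable secret.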