Travis CI skipping SonarQube analysis - sonarqube

I'm trying to configure SonarQube analysis in a github project. I've followed the official travis ci documentation but SonarQube analysis is not performed.
I'm getting the following message: "Skipping SonarQube Scan because it is not running in a secure environment"
pull request link: https://github.com/zakshya/cronos/pull/4
Full build log: https://s3.amazonaws.com/archive.travis-ci.org/jobs/216125526/log.txt
Has someone encountered this problem?
Am I missing some config?

As mentioned in the official documentation of the SonarQube Travis Add-on about analysing pull requests:
"For security reasons, this advanced feature [i.e. pull request analysis] works only for internal pull requests. In other words, pull requests built from forks won't be inspected."

Related

Rest api to get sonarqube info from bamboo build or vice versa

Is there any way I can get any SonarQube API which can provide the build number of Bamboo, or any Bamboo API which can give SonarQube info? This would really help.
I have so far tried both sides, but I am surprised both systems are quite clueless about each other. Why is it not possible that a build which ran SonarQube as one of its jobs has any information about that? Also, Sonar does not tell which build actually triggered that Sonar execution.
(Not sure I understand what exactly you are looking for, perhaps this ...? )
I don't believe you can relate a specific Activity (SonarQube analysis) to a specific build (Bamboo), just project to job.
You must have SonarQube Server configured in Bamboo
When executing your job, you can add these sonar.links optional parameters to the analysis step:
- sonar.links.homepage: Project home page.
- sonar.links.ci: Continuous integration.
and
- sonar.links.scm: Project source repository.
- sonar.links.issue: Issue tracker.
Maybe also specify sonar.host.url=$SONAR_HOST_URL (where SONAR_HOST_URL is the global setting in Bamboo) in the analysis step parameters.
Those populate the Project Overview page sidebar:
That should provide the links from SonarQube back to the other systems of interest.
If you have properly configured Bamboo, you should see a link in Bamboo to the SonarQube project, post execution.

How can I configure Jacoco plugin in sonarqube server

I have a project where my SonarQube is on a remote server and the server has a connection to the SVN repository.
Now I wish to add a JaCoCo plugin to SonarQube which will check out the project from SVN, build it, generate a code coverage report and display it in my Sonar report.
Can anyone suggest what I should do for this?
Thanks in advance.
First of all, you are missing an important step. SonarQube Server will only display your report and your data, tell you whether you passed the quality gate or not, and show you your issues. But it will not do the analyzing part.
For that you need to use a SonarQube Scanner. There are multiple scanners available, as you can see here. Those scanners can be executed locally, or ideally will be integrated in your Continuous Integration pipeline via Jenkins, Bamboo, TeamCity, etc. This scanner will analyze your project based on the plugins/sensors on your SonarQube server.
This scanner has to be configured to point to your server via the sonar.host.url property, and ideally you will have some login set up. More details regarding that can be found in the SonarQube Documentation, which I highly suggest reading.

No results in Sonarqube from SonarLint analysis and connected Sonarqube

I have configured IntelliJ with SonarLint to a connected SonarQube instance in AWS. I am able to run a code analysis in IntelliJ and I do get results back in IntelliJ.
But I want to have these results in SonarQube. How do I do this?
You should have a look at the documentation to see how to:
- Install SonarQube: https://docs.sonarqube.org/display/SONAR/Installing+the+Server
- Execute an analysis: https://docs.sonarqube.org/display/SCAN
If you have Jenkins you should have 2 jobs: one to build the application from a branch, another to run SonarQube analysis based on the artifacts created by the first job (build job). You can create a pipeline: when you push to git (or another repository) the first job will be started automatically; when the build is done and it is successful, it will trigger the job to analyze the code in Sonar. Try to find configuration examples at https://docs.sonar.org/ or I can send you details tomorrow on how we configured our pipeline. P.S. I forgot to mention that you need to install the SonarQube plugin in Jenkins too.
SonarLint: this tool only opens a connection to your Sonar server to get the rules for analysis, but the analysis is done on your side (localhost) without sending results back to the Sonar server. This is how SonarLint works.

Test coverage with SonarQube bitbucket plugin in pull requests

I have the following setup:
- Bamboo runs builds on every commit on feature branches, including the Bamboo SonarQube plugin.
- Analysis, including test code coverage, displays in SonarQube.
We installed the SonarQube plugin on the Stash Server, and it mostly works (quality gate, etc.), but code coverage does not show up in the diff in pull requests. What needs to be enabled for that to work?
You could use the Code Coverage plugin to integrate coverage information into Stash pull requests. In order to use it, you need to:
- Install the plugin on your Bitbucket server.
- Publish coverage information from your branch build. You could use the Maven client or the Node.js client depending on your tech stack.
That doesn't require SonarQube at all, since all information is stored on Bitbucket itself.
Pull Request analysis doesn't (yet?) handle code coverage; it only looks at new issues (other than, of course, issues for things that are calculated server-side like inadequate test coverage).

Build Breaker Plugin with SonarQube 5.2

It seems like the Build Breaker Plugin is no longer compatible with SonarQube 5.2. Is there any alternative to have a (VSO) build fail if a Sonar gate is not fulfilled or are there plans to update the Build Breaker Plugin to 5.2?
There is not (for now) any plugin which will break the build when the Quality Gate didn't pass on SonarQube 5.2.
But for SonarQube 5.3+ you can again use the Build Breaker plugin.
From the mailing list:
Breaking the build in SonarQube 5.2 (21/Oct/2015)
Fabrice Bellingrad: "The Build Breaker Plugin won't be available for SQ 5.2+. The idea is to develop a core feature to answer the use cases previously covered by this plugin. This is what we call the "what if" feature => https://jira.sonarsource.com/browse/SONAR-6763"
This issue SONAR-6763 is planned for SonarQube 6.X.
You can now use the SonarQube Build Breaker Plugin with SonarQube version 5.3+.
In SonarQube 5.2 we found an alternative way using the Web Service /api/events.
Request example:
https://<sq-host>/api/events?categories=Alert&resource=<project_key>
Response example:
<events>
<event>
<id>50411</id>
<name>Red (was Green)</name>
<resourceKey>project_key</resourceKey>
<category>Alert</category>
<date>2015-09-29T22:38:44+0200</date>
<description>New Critical issues > 0 since previous analysis (2015 Sep 23), New Major issues > 0 since previous analysis (2015 Sep 23), New issues > 0 since previous analysis (2015 Sep 23)</description>
</event>
....
</events>
Detecting RED status of the project:
To verify RED status you will need to find the event with the highest id value in the events list from the response and then verify that the name of this event starts with "Red"; if you find it, you will need to fail the build.
Such verification can be done just on the CI server using an additional command line step after the SQ step, or it can be done from a build automation system like Maven or Gradle.
We haven't implemented this workaround in our project yet, just because of a lack of free time, but we will do so in the near future.
The proposed solution should be used only as a workaround until issue SONAR-6763 is done.
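The RED-status check described in this answer, written out as an added example (it is not the answerer's code): it parses the /api/events XML, picks the Alert event with the highest id, and reports whether its name starts with "Red". The XML below is a constructed sample modelled on the response shown above.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like the /api/events?categories=Alert response above.
SAMPLE_EVENTS_XML = """<events>
<event><id>50399</id><name>Green (was Red)</name><resourceKey>project_key</resourceKey>
<category>Alert</category><date>2015-09-23T10:00:00+0200</date></event>
<event><id>50411</id><name>Red (was Green)</name><resourceKey>project_key</resourceKey>
<category>Alert</category><date>2015-09-29T22:38:44+0200</date></event>
</events>"""

# Same project, but the most recent alert went back to Green.
SAMPLE_RECOVERED_XML = SAMPLE_EVENTS_XML.replace(
    "<id>50399</id><name>Green (was Red)</name>",
    "<id>50500</id><name>Green (was Red)</name>")


def latest_alert_name(events_xml):
    """Return the name of the Alert event with the highest id, or None if there is none.

    The highest id is used rather than document order, as the answer
    suggests, so the result does not depend on how the server sorts events.
    """
    root = ET.fromstring(events_xml)
    alerts = [e for e in root.findall("event")
              if e.findtext("category") == "Alert" and e.findtext("id")]
    if not alerts:
        return None
    latest = max(alerts, key=lambda e: int(e.findtext("id")))
    return latest.findtext("name") or ""


def quality_gate_is_red(events_xml):
    """True when the most recent alert event says the gate is Red."""
    name = latest_alert_name(events_xml)
    return name is not None and name.startswith("Red")


if __name__ == "__main__":
    # CI usage: pipe the curl output of the /api/events request into this script;
    # a non-zero exit code fails the build step.
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENTS_XML
    if quality_gate_is_red(body):
        print("Quality gate is RED, failing the build")
        sys.exit(1)
    print("Quality gate is not RED")
```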
With SonarQube 5.3 a new Quality Gates Web Service was introduced which could be called and used to break the build.
To break the CI build for a failed Quality Gate, use WS API calls in a loop to wait until processing is finished, and then check the Quality Gate web service:
- Call the analysis's ceTaskUrl and examine the "status" value:
  - PENDING or IN_PROGRESS: check again later
  - FAILED or CANCELED: break the build?
  - SUCCESS: move forward
- Call the Quality Gate web service for status.
I've also added an issue to enhance the VSTS Tasks with an option to automatically call this service.
Update: A recent PR added this feature to the VSTS Task (not released yet)
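The polling loop from this answer, as an added example that is not part of the original post: it follows the ceTaskUrl until the background task leaves PENDING/IN_PROGRESS, breaks the build on FAILED/CANCELED, and on SUCCESS asks the quality gate web service for the verdict. The assumptions: the task endpoint returns a JSON document with "task.status" and "task.analysisId", the gate is read from /api/qualitygates/project_status?analysisId=... and answers "projectStatus.status" ("OK" means passed), and the ceTaskUrl comes from the report-task.txt that the scanner writes. The HTTP layer is injected so the loop can be exercised offline with the constructed responses below.

```python
import base64
import json
import time
import urllib.request


def make_fetch_json(token):
    """Real HTTP fetcher: SonarQube tokens are sent as the Basic-auth user name."""
    cred = base64.b64encode(f"{token}:".encode()).decode()

    def fetch_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_json


def wait_for_quality_gate(ce_task_url, fetch_json, sleep=time.sleep,
                          poll_seconds=5, max_polls=60):
    """Return True if the gate passed, False if it failed; raise to break the build."""
    base = ce_task_url.split("/api/ce/task")[0]
    for _ in range(max_polls):
        task = fetch_json(ce_task_url)["task"]
        status = task.get("status")
        if status in ("PENDING", "IN_PROGRESS"):
            sleep(poll_seconds)          # not finished yet: check again later
            continue
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"SonarQube background task ended with {status}")
        if status == "SUCCESS":
            gate = fetch_json(f"{base}/api/qualitygates/project_status"
                              f"?analysisId={task['analysisId']}")
            return gate["projectStatus"]["status"] == "OK"
        raise RuntimeError(f"unexpected task status {status!r}")
    raise RuntimeError("timed out waiting for the SonarQube background task")


# Constructed responses for an offline run (hypothetical host and ids).
FAKE_TASK_URL = "https://sq.example/api/ce/task?id=AVtask1"
FAKE_RESPONSES = {
    FAKE_TASK_URL: [{"task": {"status": "PENDING"}},
                    {"task": {"status": "IN_PROGRESS"}},
                    {"task": {"status": "SUCCESS", "analysisId": "AN1"}}],
    "https://sq.example/api/qualitygates/project_status?analysisId=AN1":
        [{"projectStatus": {"status": "ERROR"}}],
}


def fake_fetch_json(url):
    """Serve the queued responses in order, repeating the last one."""
    queue = FAKE_RESPONSES[url]
    return queue.pop(0) if len(queue) > 1 else queue[0]
```

In a real pipeline, read ceTaskUrl from the scanner's report-task.txt and exit non-zero when wait_for_quality_gate returns False or raises.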

Resources