FxCop analysis using Jenkins SonarQube plugin? - sonarqube

I'm trying to get FxCop analysis for .NET projects within a Jenkins build (Invoke Standalone SonarQube Analysis).
Configuration looks like this:
SonarQube 5.1.2
C# 4.2
sonar-runner 2.4
Jenkins: SonarQube Plugin 2.2.1
And the main problem is that when I enable FxCop rules in SonarQube I get the error:
java.lang.IllegalArgumentException: The property
"sonar.cs.fxcop.assembly" must be set and the project must have been
built to execute FxCop rules. This property can be automatically set
by the Analysis Bootstrapper for Visual Studio Projects plugin, see:
http://docs.codehaus.org/x/TAA1Dg. If you wish to skip the analysis of
not built projects, set the property
"sonar.visualstudio.skipIfNotBuilt".
However, if I explicitly set sonar.cs.fxcop.assembly in sonar-project.properties to point at an assembly (.dll) I get the analysis for that one, but the project has multiple assemblies for which I'd like the FxCop analysis.
Even if it's possible to set a list of assemblies as an argument (is it?) this is not an elegant/generic solution and patterns are not an accepted value.
I understand that MSBuild SonarQube Runner could solve this problem (no need to set sonar.cs.fxcop.assembly), but it looks like it's not a good candidate for the Jenkins plugin (under SonarQube Runner installations), as only sonar-runner installations are allowed.
Is there any way I could get FxCop working using the Jenkins plugin and sonar-runner without setting the sonar.cs.fxcop.assembly property?

Indeed, MSBuild projects should be analyzed using the MSBuild SonarQube Runner, for which there is currently no dedicated build step in Jenkins yet: You can use the Execute Windows batch command step to execute MSBuild.SonarQube.Runner.exe begin ... and MSBuild.SonarQube.Runner.exe end in between the call to msbuild.
With the upcoming release of the Jenkins SonarQube plugin version 2.3, there will be two dedicated build steps, one for the MSBuild SonarQube Runner's begin call, and another one for the end call. See https://jira.sonarsource.com/browse/SONARJNKNS-219
You should not use the sonar-runner, nor the Invoke Standalone SonarQube Analysis Jenkins build step (which simply calls the sonar-runner) to analyze .NET projects: The MSBuild SonarQube Runner is the way to go.

Related

SonarQube analysis from maven and Jenkins have different results

I am using SonarQube version 6.7 for running analysis of Maven projects using the command mvn clean verify sonar:sonar from the project directory using command prompt and get the results. The sonar configurations in settings.xml for maven (v3.5.3) are added respectively.
In Jenkins (version 2.161), I have installed SonarQube Scanner for Jenkins (v2.8.1) plugin. The SonarQube Server configuration is configured as below.
In the Jenkins maven project, I have configured the post steps as below.
I have checked the Prepare SonarQube Scanner environment in the Build Environment section and the Build goal is -e clean verify sonar:sonar.
My issue is, when the SonarQube analysis for a maven project is triggered through command prompt using the command mvn clean verify sonar:sonar, I am getting the results as expected. But when the Jenkins job is triggered with the configurations above for the same maven project, the results are different and incorrect. What am I missing?
P.S- In the Post-build Actions, I can see the SonarQube analysis with maven is deprecated.
Thanks in advance.
You use different scanners. First you used SonarScanner for Maven (mvn sonar:sonar). Next you used the basic SonarScanner, which requires manual configuration of all options.
The best option to solve it is to always use the same scanner. You have a Maven project, so you can enable Prepare SonarQube Scanner environment in Build Environment, and then execute the Sonar goal $SONAR_MAVEN_GOAL in Build.

Sonarqube configuration in jenkins for windows

I am trying to integrate Sonarqube in Jenkins for windows.
I have installed Jenkins 2.138.2 and Sonarqube scanner plugin version 2.8.1
Also installed Sonarqube-7.3 and added it to path variable.
Below is my configuration in Jenkins:
Under "Global Tool Configuration", for SonarQube Scanner
installations - I have selected "Install automatically" and choose
"Install from Maven Central".
Under "Configure System", I have specified name and server url for
Sonarqube servers.
For the job, I have selected "Sonarqube analysis with Maven" under
post build action step(shows this is deprecated).
I am getting the below error.
WARN: Unable to locate 'report-task.txt' in the workspace. Did the SonarScanner succedeed?
SonarQube analysis completed: FAILURE
Build step 'SonarQube analysis with Maven' changed build result to FAILURE
Build step 'SonarQube analysis with Maven' marked build as failure
Is there anything wrong with the configuration?
Edit: Added job configuration screenshots.
SonarQube can be downloaded from https://www.sonarqube.org/downloads/; any edition can be downloaded irrespective of the requirements (here, the Developers Version, ver 7.4, was downloaded).
a. It is downloaded as a zip archive containing the SonarQube start-up files for various platforms; unzip the folder and extract all the files on your local system.
b. Download the SonarQube Scanner; it is needed because it is the only way to start the code analysis, and it is the required (default) launcher for analysing a project with SonarQube.
c. To start SonarQube, open the startsonar.bat file.
d. SonarQube runs on port 9000 by default.
e. Launch SonarQube locally on the system.

Automatically derive mandatory SonarQube properties from pom file in Jenkins

Situation:
I want to analyze my project with SonarQube (5.4) triggered by Jenkins (1.642.4). It is a Java project built with Maven.
I see two ways to trigger the analysis:
Post Build Action "SonarQube analysis with maven" but it's deprecated, so I don't want to use it
Post Build Step "Execute SonarQube Scanner", is the recommended way.
Problem:
If I use the deprecated Post Build Action, the properties for sonar project configuration are derived automatically from the project pom.
If I use the recommended Post Build Step, I receive the exception:
You must define the following mandatory properties for 'Unknown': sonar.projectKey, sonar.projectName, sonar.projectVersion, sonar.sources
Undesired Solution:
The solution is to provide the required properties, via sonar-project.properties file in the java project or via parameters in Jenkins step.
IMHO: this is duplication. All relevant information is defined in the Maven pom: projectKey can be derived from artifactId, and projectName and projectVersion are the same properties in Maven. Especially the projectVersion is critical. I don't want to update the project version after each release (or write some code in the release plugin to update it automatically).
What I want
I want to use the recommended Post Build Step in Jenkins, without redefining all project properties for all my projects to make Sonar happy. Instead Sonar/Jenkins/plugin/whatever should derive the properties from my Maven pom file. Is there an additional plugin I can use? Can I reconfigure my Jenkins-Sonar-Plugin?
I don't want to provide any sonar specific information in my pom/project, because the project shouldn't care about sonar. It should contain only information required to build the project.
The documentation (although slightly confusing, see edit below) explains how to use a generic post-build step (leveraging environment variables) instead of the deprecated post-build action. In short:
install latest SonarQube Plugin (v2.4 as of now) in Jenkins
in System Config under SonarQube servers: check Enable injection of SonarQube server configuration as build environment variables
in the configuration of your Maven project:
check Prepare SonarQube Scanner environment
add a post-build step Invoke top-level Maven targets and leverage the injected environment variables in the Goals field e.g.:
$SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN
Edit: when the documentation says "The Post-build Action for Maven analysis is deprecated.", it refers to the old post-build action, which is not documented anymore. The paragraph after that warning (summarized in this answer) really is the recommended procedure. Illustration here if it's still not clear.
Using SonarQube Scanner as a post build step, you can configure it with at least these properties in Analysis properties:
sonar.projectKey=${POM_ARTIFACTID}
sonar.projectName=${POM_DISPLAYNAME}
sonar.projectVersion=${POM_VERSION}
sonar.sources=src
sonar.java.binaries=target
sonar.language=java
sonar.sourceEncoding=UTF-8
POM_* variables are mapped by Jenkins from Maven GAV info, look here: https://github.com/jenkinsci/jenkins/pull/933/files
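For a job where the Jenkins POM_* variables are not injected (a freestyle job that only checks out the Maven project, say), the same mapping can be derived directly from the pom. The following is an added example, not code from the answers above or from the SonarQube plugin: it parses a constructed pom.xml, resolves the version and groupId through the parent element when the module inherits them, and emits the mandatory sonar.* keys. The project key uses groupId:artifactId, as SonarScanner for Maven does; the src/main/java and target/classes paths are assumed Maven defaults.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml: groupId and version inherited from <parent>, no <name>.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example</groupId>
    <artifactId>example-parent</artifactId>
    <version>1.4.2-SNAPSHOT</version>
  </parent>
  <artifactId>example-service</artifactId>
  <packaging>jar</packaging>
</project>
"""


def _text(elem, tag):
    """Text of a namespaced child element, or None when absent/empty."""
    child = elem.find(f"{{{POM_NS}}}{tag}")
    return child.text.strip() if child is not None and child.text else None


def _gav(root, parent, tag):
    """Coordinate declared on the module itself, else inherited from <parent>."""
    value = _text(root, tag)
    if value is None and parent is not None:
        value = _text(parent, tag)
    return value


def derive_sonar_properties(pom_xml: str) -> dict:
    """Map Maven GAV coordinates to the mandatory sonar.* analysis properties."""
    root = ET.fromstring(pom_xml)
    parent = root.find(f"{{{POM_NS}}}parent")
    group, artifact, version = (_gav(root, parent, t) for t in ("groupId", "artifactId", "version"))
    if not (group and artifact and version):
        raise ValueError("pom.xml lacks groupId/artifactId/version (directly or via <parent>)")
    return {
        "sonar.projectKey": f"{group}:{artifact}",
        "sonar.projectName": _text(root, "name") or artifact,  # fall back to artifactId
        "sonar.projectVersion": version,
        "sonar.sources": "src/main/java",        # assumed Maven default layout
        "sonar.java.binaries": "target/classes",  # assumed Maven default layout
        "sonar.sourceEncoding": "UTF-8",
    }


def render_properties(props: dict) -> str:
    """Serialise the mapping as sonar-project.properties content."""
    return "".join(f"{key}={value}\n" for key, value in props.items())
```

Writing the rendered text to sonar-project.properties in the workspace before the Execute SonarQube Scanner step removes the need to repeat the version in the job configuration.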

How to use SCM Activity plugin in sonar for clearcase

I changed my Sonar for SCM Activity from 3.7 to SonarQube 5.1.1, as it has a built-in SCM plugin.
I am not getting what configuration is needed to run that and what to pass in
Settings -> General Settings -> SCM -> sonar.scm.provider
I found this link
http://maven.apache.org/scm/clearcase.html
and created a
URL: scm:clearcase:baxi_view_4:clinical
Error
org.apache.maven.plugin.MojoExecutionException: SCM provider was set to "scm:clearcase:baxi_view_4:clinical" but no SCM provider found for this key. Supported SCM providers are git,svn
What other changes or configuration are needed in my code, or is there anything I have to specify in pom.xml?
I am using Jenkins and Sonar integration for CI and reports.
You have to install the ClearCase plugin for SonarQube. Since there is no official release, download a SNAPSHOT from:
https://github.com/SonarCommunity/sonar-scm-clearcase/releases/download/1.0-rc1/sonar-scm-clearcase-plugin-1.0-SNAPSHOT.jar
Plugin documentation is here:
http://docs.sonarqube.org/display/PLUG/ClearCase+Plugin
Make sure to add sonar.scm.provider=clearcase into sonar.properties and re-run SonarQube analysis.
N.B.: We are waiting for positive feedback (on SonarQube Google group) before doing an official release since we do not have Clearcase instance for testing.
Install the ClearCase plugin for SonarQube. Download and compile it from:
http://github.com/SonarCommunity/sonar-scm-clearcase
Make sure to add sonar.scm.provider=clearcase into sonar.properties and re-run Sonar analysis.
The machine which runs Jenkins should have ClearCase. And make sure Jenkins can run cleartool command from console.
Thanks #Julien H. - SonarSource Team
For running SonarQube with JRE 7:
From SonarQube page:
The SonarQube Java analyser is able to analyse any kind of java source files whatever is the version of Java they comply to. But SonarQube analysis and SonarQube server require some specific versions of the JVM to be executed.
We can install many JRE versions on our machine. For SonarQube, just set the JRE variable before running it.
Example on Linux
# Bash variable names cannot contain a dot, so use JRE_1_7 rather than JRE_1.7
export JRE_1_7=/opt/jre_1.7
export PATH=$JRE_1_7/bin:$PATH
java -version   # should now report the 1.7 JRE
/opt/sonar/sonarqube-5.1.1/bin/sonar.sh start

Unable to get sonar-fortify plugin configured with Jenkins and SonarQube

I have scoured the forums and cannot seem to quite understand the config for the fortify plug-in with Sonar.
I understand it simply builds a widget based on data from a previously generated .fpr file.
My setup:
Maven 3 project
Jenkins 1.606
SonarQube 5.0.1
Sonar-Fortify plug-in 2.0
Prerequisites:
.fpr file is in Jenkins workspace
Sonar is added to pom.xml
sonar-fortify-plug-in v2.0 added to pom.xml - (wasn’t sure this was needed or not)
Sonar server configured in Jenkins
sonar fortify plug-in v2.0 added to Sonar – (I only see a dropdown for ‘enableReportLink’ under ‘Configure widgets’; should there be more config somewhere?)
Questions:
Where should this property be set? Jenkins Sonar config, Sonar, pom file?
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
Is that path to the .fpr file where it is within the Jenkins workspace?
The setup instructions on Github seem short and I feel I am missing something specific in my understanding.
Any help or direction to additional documentation is greatly appreciated.
First of all, as documented, version 2.0 can not be used anymore. Version 2.1 is going to be released soon; the vote for the release will be started this week. Meanwhile you can:
download the 2.1-SNAPSHOT version and copy it into extensions/plugins of your SonarQube server installation
restart the server. The Fortify rules should be available in the page "Rules".
execute the Fortify command "sourceanalyzer", independently from SonarQube. It generates a report file suffixed by .fpr.
execute a standard SonarQube analysis of your project, adding the property sonar.fortify.reportPath, for example:
mvn sonar:sonar -Dsonar.fortify.reportPath=/path/to/project.fpr
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
If everything works, then you can automate these steps in Jenkins.