Sonarqube 5.1 TFS sonar msbuild runner with branches - visual-studio-2013

We have just started using Sonarqube 5.1 integrated in TFS build as described on this page http://www.sonarqube.org/announcing-sonarqube-integration-with-msbuild-and-team-build/
We have one main branch, and two development branches for the same project.
What is the recommended strategy for handling this?
I want to be able to see analyze result trends over time and also let people working in different branches able to see analyze result for the branch they are working in. As far as I can see the Sonar msbuild runner (https://github.com/SonarSource/sonar-msbuild-runner) only supports projectkey, projectname and version, but not branch key.
Any advice and suggestions will be greatly appreciated!

Indeed Wangen, I do confirm that the MSBuild Runner 0.9 doesn't yet provide a way to inject some SonarQube properties and so including the "sonar.branch" property. This limitation is going to be dropped in version 1.0 of the MSBuild Runner. Nevertheless, you must be aware that the support of branches by SonarQube is really limited because at the end in your case you're going to have 3 different projects in SonarQube and for instance flagging an issue as false-positive won't lead to flag the same issue in another branch as false-positive.

Related

How to get merged project results in SonarQube from 2 scanners?

We are using the SonarQube Scanner for MSBuild and the default SonarQube Scanner through Jenkins in our project. The two scanners are executed from different jenkins jobs. One job for .net code and the default scanner for java & typescript.
As project version, the git commit hash is used. The results from both scanners seem to overwrite each other even with the same commit hash.
Either we have only C# results or only java / ts results.
How can we get merged results in one SQ project?
SonarQube Version 5.6
This is just impossible to merge analysis reports for one project.
Technically, this would probably be achievable to execute only 1 single SonarQube analysis that does both the .NET part and the Java/JavaScript part. This would answer your use case. But this would be a kind of hack.
IMO, the good way to do it is to split your source code in 2: the .NET part and the Java part. There are chances that these are 2 different technical components anyway, that might have different life cycles even though they relate to the same "business" application.

Move "Won't fix" between projects in Sonarqube

I am using SonarQube to analyze my code before uploading to Gerrit and as a step in the review process in Gerrit. The same code is analyzed twice and I have two projects, e.g. "development-project" and "gerrit-project" in SonarQube. I then sometimes marks something as "Won't fix" or " False positive" etc in my "developpment-project". I would like to move that to the "gerrit-project". Is that possible?
I was in similar situation and I created simple command line tool for copying Won't Fix and False-Positive resolution types from one SonarQube project to another. A bit clumsy solution, you need to run it after each merge, but better than manually resolve the same issues in two or more SonarQube projects.
You can find the tool on GitHub - https://github.com/HonzaTau/SqCopyResolution
Unfortunately you cannot. There is information, in SonarQube documentation, that projects created with sonar.branch parameter are treated as independent* projects.
*independent - not associated with any other project
http://docs.sonarqube.org/display/SONAR/Local+and+Branch+Analysis:
[...] you add the sonar.branch=[branch key] analysis property to the
release branch to create a second, independent project in SonarQube.

Sonar quality profile in command line cannot be replaced by a project profile

Having a look to our build logs, I can see this warning:
build 31-Dec-2015 10:37:39 [WARN] [10:37:39.896] Ability to set quality profile from command line using 'sonar.profile' is deprecated and will be dropped in a future SonarQube version. Please configure quality profile used by your project on SonarQube server.
Even if I can easily understand why it could be deprecated, I have an issue with that. We have a single SonarQube installation for all our teams. Each team must be compliant with a given Quality Gate but can define its own profile, depending on the needs. We are working with git branches. We have "static" branches such as master and develop, but also feature and bugfix branches which are also scanned (to insure code quality before merge). Entries in sonar are created also from command line
Dsonar.project.branch=${bamboo.planRepository.branch}
Which helps us to get one sonar entry per development branch.
Issue: Each time we create a feature, not having the command line will force us to go to Sonar and manually change the profile.
Do you have any suggestions, ideas, which may help us ?
Thanks
I have a similar problem with the potential deprecation of this feature. We have too many projects to be managing this administratively in sonarqube.
The best approach for our site is to allow the teams to select an approved profile using setting in the maven pom.xml.

Project analysis (Sonar Report )for branches

I recently configured our build server using bamboo and Sonar. In our case we have a multiple developer environment and chose to not only analyse our trunk but also the branch. The nightly builds of trunk and branch are analysed by sonar. And there lies our problem. The last build will be the build saved in Sonar, which is plausible from a Sonar point-of-view, ie the projects have the same name so are probably the same.
In Branch we have fixes for our major release all projects name and code are same just in branch we have bug fixes. so we would love to see the analysis of branch and trunk separately in sonar dashboard.
The question is there is a way to make multiple version of the same project in Sonar? Or is there any other best practice in this situations?
Looking forward to you replies :)
Use the sonar.branch analysis property to distinguish the branches from head and from each other. Note that there are limitations. E.G. Issues marked "False Positive" in one version of the project will not show up as FP's in the other versions.
More analysis params in the docs

SonarQube - analyzing branches of the same project

I know that there is no "new project" button on SonarQube UI. However, I have two branches of the same project that I want to do analysis on. The thing is that since the project names are the same, SonarQube will upload the analysis results of the two branches into the same project on SonarQube Server. How do I configure SonarQube so that one branch will upload analysis results to one project and the other branch will upload results to another project on SonarQube server?
You might want to look at this part of the Sonar documentation, specifically at the sonar.branch parameter. It seems to be designed for what you want to do, and is working that way for us.
As the sonar.branch parameter is deprecated and the Developer Edition costs money, one possible option it to use the already mentioned branch plugin for SonarQube Community Edition (LGPL).
Update: seems like the repo is gone, not sure why. Active fork can be found here.
If you use SonarQube Runner, then you have to change the sonar.projectKey property to different values. If you use maven based analyses, then add -Dsonar.projectKey="Something" to your command. Example:
mvn sonar:sonar -Dsonar.projectKey="My project in first branch"
mvn sonar:sonar -Dsonar.projectKey="My project in second branch"
You can change the project name in a similar way with the sonar.projectName property.
This blog post by the SonarQube team suggests that treatment of branches will be improved in version 6.
Additionally, if you are using pull requests, have a look at its pull request analysis plugins (both GitHub and BitBucket at the moment).
The sonar.branch parameter is deprecated from sonar version 7.1 so, for alternative for that and having separate branch analysis on sonarQube version 7.1 on-words you can use something like this.
I assume you have maven project. if not just remove -D from it and use it.
mvn sonar:sonar -Dsonar.projectKey=<projectname>
mvn sonar:sonar -Dsonar.projectName=<project-name>
The project key should be unique. Otherwise it will combine the result of other branches who has the same project key.

Resources