I have scoured the forums and cannot seem to quite understand the config for the fortify plug-in with Sonar.
I understand it simply builds a widget based on data from a previously generated .fpr file.
My setup:
Maven 3 project
Jenkins 1.606
SonarQube 5.0.1
Sonar-Fortify plug-in 2.0
Prerequisites:
.fpr file is in Jenkins workspace
Sonar is added to pom.xml
sonar-fortify-plug-in v2.0 added to pom.xml - (wasn’t sure this was needed or not)
Sonar server configured in Jenkins
sonar fortify plug-in v2.0 added to Sonar – (only see a dropdown to ‘enableReportLink’ under ‘Configure widgets’
should there be more config somewhere?
Questions:
Where should this property be set? Jenkins Sonar config, Sonar, pom file?
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
Is that path to the .fpr file where it is within the Jenkins workspace?
The setup instructions on Github seem short and I feel I am missing something specific in my understanding.
Any help or direction to additional documentation is great appreciated.
First of all as documented version 2.0 can not be used anymore. Version 2.1 is going to be released soon. Vote for release will be started this week. Meanwhile you can:
download 2.1-SNAPSHOT version and copy it in extensions/plugins of your SonarQube server installation
restart server. The Fortify rules should be available in the page "Rules".
execute Fortify command "sourceanalyzer", independently from SonarQube. It generates a report file suffixed by .fpr.
execute a standard SonarQube analysis of your project by adding the property sonar.fortify.reportPath, for example:
mvn sonar:sonar -Dsonar.fortify.reportPath=/path/to/project.fpr
sonar-runner -Dsonar.fortify.reportPath=/path/to/project.fpr
If everything works, then you can automate these steps in Jenkins.
Related
Which versions am I using (SonarQube, Scanner, Plugin, and any relevant extension):
SonarQube 7.9.1 (on a remote server)
Sonar maven plugin 3.7.0.1746 (in my pom.xml file)
Jenkins 2.222.1 (local server)
Maven 3.6.0
What am I trying to achieve:
I want to perform an analysis with a Jenkins Pipeline with my remote server
What have I tried so far to achieve this :
I have succeed to do an analysis with my IDE (intelliJ) and it works with the command :
mvn -B sonar:sonar
After that, the server note the last analysis with the Quality Gate.
Nevertheless, it does not work with my Jenkins Pipeline.
I do not understand why it works with the IDE and not with Jenkins.
I have put in my pom.xml a sonar.login which is a specific user token. This user has the right to execute an analysis on this particular project. In my ~/.m2/settings.xml, I have put the sonar.host.url.
I also tried to set up manually a SonarQube server in Jenkins (in system configuration). I put there the url and my token thanks to a secret text but it does not work to.
I have also generated a Webhook but this is for the qualitygate variable in the pipeline and I don’t think it matters here.
I don’t know what to test now…
Any idea ?
Thanks
It is ok now : I have added on a sonar installer in the settings. In addition I move the sonar.host.url from ~/.m2/settings.xml to my pom.xml file.
We are using sonarqube(5.1.2) and jenkins(2.51) to run code analysis. Now we are planning to upgrade sonarqube to version 5.6.4.
Do we also need to upgrade Jenkins ?
No you don't have to.
Sonar is an independent tool, Jenkins is responsible only for running maven/gradle script, that will 'feed' sonar with data. Just make sure you have same credentials for new sonar and it should be fine.
You could consider upgrading Sonar plugin version also.
Just check whether the sonar plugin installed in Jenkins will support the new Sonarqube version else you will have to upgrade the plugin.
Changed my sonar for scm activity from 3.7 to sonarqube 5.1.1 as it has in built in scm plugin.
Not getting what are the configurations needed to run that and what to pass in
setting->genral setting->scm->sonar.scm.provider
I found this link
http://maven.apache.org/scm/clearcase.html
and created a
URL:- scm:clearcase:baxi_view_4:clinical
Error
org.apache.maven.plugin.MojoExecutionException: SCM provider was set to "scm:clearcase:baxi_view_4:clinical" but no SCM provider found for this key. Supported SCM providers are git,svn
and what other changes or configuration needed in my code or is there anything i have to specify in pom.xml.
I am using jenkins and sonar Integration for CI and reports
You have to install ClearCase plugin for SonarQube. Since there is no official release download a SNAPSHOT from:
https://github.com/SonarCommunity/sonar-scm-clearcase/releases/download/1.0-rc1/sonar-scm-clearcase-plugin-1.0-SNAPSHOT.jar
Plugin documentation is here:
http://docs.sonarqube.org/display/PLUG/ClearCase+Plugin
Make sure to add sonar.scm.provider=clearcase into sonar.properties and re-run SonarQube analysis.
N.B.: We are waiting for positive feedback (on SonarQube Google group) before doing an official release since we do not have Clearcase instance for testing.
Install ClearCase plugin for SonarQube. Download and compile it from:
http://github.com/SonarCommunity/sonar-scm-clearcase
Make sure to add sonar.scm.provider=clearcase into sonar.properties and re-run Sonar analysis.
The machine which runs Jenkins should have ClearCase. And make sure Jenkins can run cleartool command from console.
Thanks #Julien H. - SonarSource Team
For running SonarQube with JRE 7:
From SonarQube page:
The SonarQube Java analyser is able to analyse any kind of java source files whatever is the version of Java they comply to. But SonarQube analysis and SonarQube server require some specific versions of the JVM to be executed.
We can install many JRE versions on our machine. For SonarQube, just set the JRE variable before run it.
Example on Linux
export JRE_1.7=/opt/jre_1.7
export PATH=$JRE_1.7/bin:$PATH
java -version
/opt/sonar/sonarqube-5.1.1/bin/sonar.sh start
Using SonarQube Eclipse plugin, I run remote analysis [Sonar > Mode > Remote] (localhost:9000 and ip_on_my_lan:9000) and I see Sonar Issues tab with some elements (everything is OK).
But if I run local analysis I don't have any issue on Sonar Issues tab and Eclipse deletes all issues marks from source code.
It seems sonar-runner local analysis was OK: INFO - ANALYSIS SUCCESSFUL
What I'm doing wrong?
I tried with:
Eclipse Kepler, Sonar 3.7, SonarQube Plugin 3.0 and 3.2
Eclipse Juno, Sonar 3.7, SonarQube Plugin 3.0 and 3.2
Thanks for your time.
I found the problem!!!!
I have my sources on src/test/java instead of src/main/java (test framework)
If I run my analysis with "sonar-runner.bat" everything is ok, but when I run a local analysis from eclipse it seems eclipse doesn't found any source, but it doesn't say anything...
Eclipse put the binary code on /target/test-classes/ and I think Sonar plugin can't found it.
So I have two options: Move my source to src/main/java (checked) or create new local analysis properties (sonar.binaries)
Thanks for your time!
I've been working on this all day and haven't been able to find a solution, so thought i'd turn to the stackoverflow community.
I have a server setup with Jenkins (version 1.454). It's configured to perform the build with Maven (version 3.0.4). The build command is as follows:
clean clover2:setup verify clover2:aggregate clover2:clover
Jenkins has the sonar plugin installed and configured. My sonar install (version 3) is on a different server to jenkins. After the build is completed, i can see the results on sonar (the basics of the build).
I have installed to sonar the clover plugin (sonar-clover-plugin-2.8.jar) manually by putting it into the 'extentions/plugins' folder. It appeared in sonar and I can configure it. I put in the license, version (3.1.4) and sonar.clover.reportPath as "target\site\clover\clover.xml".
When I run the build, it is successful as before, and I can see the basic results as before in Sonar, however, I cannot see any test code coverage results.
When I look at the maven build output I notice the following:
[INFO] Writing report to '/opt/jenkins/jobs/foo/workspace/target/site/clover/clover.xml'
and then near the bottom of the output:
[INFO] [15:08:36.586] Clover XML report not found
The following are also in my pom:
<sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
<sonar.clover.reportPath>target\site\clover\clover.xml</sonar.clover.reportPath>
<sonar.surefire.reportsPath>target\surefire-reports</sonar.surefire.reportsPath>
<sonar.core.codeCoveragePlugin>clover</sonar.core.codeCoveragePlugin>
<sonar.clover.version>${clover.version}</sonar.clover.version>
When I look on the jenkins box, I can see that it has generated the clover.xml file (infact in my fiddling I have the clover plugin working on jenkins, so i can see the results there!).
I'm guessing at this stage that there is some issue with jenkins and sonar being on seperate boxes.
Any help would be appreciated!
Cheers.
After a lot more fiddling around, it appeared that I needed to change the following:
<sonar.clover.reportPath>${project.build.directory}/site/clover/clover.xml</sonar.clover.reportPath>
<sonar.surefire.reportsPath>${project.build.directory}/surefire-reports</sonar.surefire.reportsPath>
A good reference was the following:
all about pom variables