Set up an integration with SonarQube

This topic explains how to set up an integration with SonarQube so that code coverage and code vulnerability analysis become part of your development cycle. The integration enables you to see coverage and vulnerabilities in ALM Octane. (Other issue types are not yet supported.)

Setting up an integration with SonarQube

To see data from SonarQube in ALM Octane, create a Jenkins job with a Maven build that is configured to send its analysis results to SonarQube.

To configure the Jenkins job:

  1. In SonarQube, create a server authentication token with administrator authorization. You then add this token to the SonarQube configuration in Jenkins, so that Jenkins can create a webhook in SonarQube that notifies Jenkins when an analysis is done.

  2. Set up the ALM Octane integration with your Jenkins server using the Application Automation Tools plugin. For details, see Set up CI/CD integration.

  3. In the Jenkins system configuration, in the SonarQube servers section:

    1. Enter your SonarQube server details, including the authentication token you created.

    2. Select the checkbox Enable injection of SonarQube server configuration as build environment variables.

  4. In the Jenkins job whose coverage and vulnerability data you want to see in ALM Octane, add the following:

    1. In the Build Environment section, select the checkbox Prepare SonarQube Scanner environment.

    2. Add the ALM Octane SonarQube listener build step before your Maven command. Select one or both of the checkboxes for the data you want integrated: Push Vulnerabilities and Push Coverage.

    3. In the build step, in addition to the SonarQube goal, pass two analysis parameters to SonarQube that carry the build number and job name from Jenkins: sonar.analysis.buildNumber and sonar.analysis.jobName. For details, see here.

      This enables ALM Octane to identify the job when getting the coverage results from SonarQube.

      Example (Maven goals for the build step, entered as one line):

      clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}

  5. Define the pipeline in ALM Octane as type security. You can see a pipeline's type in the pipeline's Details tab.

Note: Jenkins does not support Basic authentication. If you are integrating SonarQube with Jenkins, we recommend that you check the integration against your organization's security policy.


Pipeline as Code

This section describes the steps you need to take if you are using Pipeline as Code.

Perform the following steps:

  1. Enter the following step in your build stage before your Maven command: addALMOctaneSonarQubeListener.

  2. In this step, define the following parameters: sonarServerUrl, sonarToken, pushCoverage (optional), and pushVulnerabilities (optional).

  3. In the Maven command, define sonar.analysis.buildNumber and sonar.analysis.jobName as you would for a regular Jenkins job.

Example (scripted pipeline):

withSonarQubeEnv('my_sonar_instance') {
    // Register the ALM Octane listener before the Maven command runs
    addALMOctaneSonarQubeListener pushCoverage: true, pushVulnerabilities: true, sonarToken: env.SONAR_AUTH_TOKEN, sonarServerUrl: env.SONAR_HOST_URL
    // Run the build with the SonarQube goal and the build/job identifiers ALM Octane needs
    sh(returnStatus: true, script: "mvn clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}")
}
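The following is an added example, not taken from the ALM Octane documentation or the plugin itself. It shows the complete declarative Jenkinsfile form of the procedure described above (both the regular-job steps and the Pipeline as Code steps): the listener is registered inside withSonarQubeEnv before Maven runs, and the Maven command carries sonar.analysis.buildNumber and sonar.analysis.jobName. The SonarQube server name 'my_sonar_instance' and the Maven tool name 'maven3' are placeholders; the Application Automation Tools plugin and the SonarQube Scanner plugin are assumed to be installed. Unlike the scripted example above, the Maven command is run without returnStatus, so a failed build fails the stage, and the command is a single-quoted Groovy string so that the token is expanded by the shell from the environment rather than interpolated by Groovy into the script text.

```groovy
// Added example: declarative Jenkinsfile wiring the ALM Octane SonarQube
// listener into a Maven build. Names marked as placeholders are assumptions.
pipeline {
    agent any
    tools {
        maven 'maven3'   // placeholder: Maven installation name from Global Tool Configuration
    }
    stages {
        stage('Build and analyze') {
            steps {
                // withSonarQubeEnv injects SONAR_HOST_URL, SONAR_AUTH_TOKEN and
                // SONAR_MAVEN_GOAL for the enclosed steps (server name is a placeholder).
                withSonarQubeEnv('my_sonar_instance') {
                    // Register the ALM Octane listener before Maven runs, so the
                    // coverage and vulnerability results are collected once the
                    // SonarQube webhook reports that the analysis is complete.
                    addALMOctaneSonarQubeListener pushCoverage: true,
                                                  pushVulnerabilities: true,
                                                  sonarToken: env.SONAR_AUTH_TOKEN,
                                                  sonarServerUrl: env.SONAR_HOST_URL
                    // Single-quoted string: $VARIABLES are expanded by the shell,
                    // not by Groovy, so the token is not inserted into the script
                    // text. buildNumber and jobName let ALM Octane match the
                    // SonarQube analysis to this Jenkins build.
                    sh '''
                        mvn clean install $SONAR_MAVEN_GOAL \
                            -Dsonar.host.url=$SONAR_HOST_URL \
                            -Dsonar.login=$SONAR_AUTH_TOKEN \
                            -Dsonar.analysis.buildNumber=${BUILD_NUMBER} \
                            -Dsonar.analysis.jobName=${JOB_NAME}
                    '''
                }
            }
        }
    }
}
```

After the first run, confirm in Jenkins that the SonarQube server configuration shows a webhook created with the administrator token, and in ALM Octane that the pipeline is defined with type security; without either, no coverage or vulnerability data appears.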
