Set up an integration with SonarQube

This topic explains how to set up an integration with SonarQube, so that code coverage and code vulnerability analysis become part of your development cycle.

Setting up an integration with SonarQube

The integration enables you to see coverage and vulnerabilities. Other issue types are not yet supported.

  1. Prerequisites: To see data in ALM Octane from SonarQube, you need to have a Jenkins job with Maven build configured to send data to SonarQube.

    1. In the Jenkins job whose coverage and vulnerability data you want to see in ALM Octane, add the ALM Octane SonarQube listener build step before your Maven command.

    2. Select one or both of the checkboxes for the data you want integrated: Push Vulnerabilities and Push Coverage.

    This sets a webhook in SonarQube that sends a notification to Jenkins when the analysis is complete.

  2. In the Maven command, pass two analysis parameters to SonarQube carrying the Jenkins build number and job name: sonar.analysis.buildNumber and sonar.analysis.jobName. For details, see here.

    Example (Maven goals):
    clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}

    This enables ALM Octane to identify the job when collecting the coverage results.

  3. Set up the ALM Octane integration with your Jenkins server using the Application Automation Tools plugin. For details, see Set up CI servers.

Note: Jenkins does not support Basic authentication. If you are integrating SonarQube with Jenkins, we recommend that you verify your organization's security policy.
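The two sonar.analysis.* parameters above are what makes the SonarQube notification traceable back to the Jenkins job and build that produced it. The following is an added example, not code from ALM Octane or the Application Automation Tools plugin, showing how a receiver of such a notification would use them: it checks the HMAC-SHA256 signature that SonarQube sends in the X-Sonar-Webhook-HMAC-SHA256 header when the webhook is configured with a secret, then reads the job name and build number back out of the payload's properties. The payload shape, the secret value and the AnalysisRef type are constructed for the example; how the plugin's own listener validates the notification is not described on this page.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: the webhook is configured with a secret in SonarQube. SonarQube then
# sends an HMAC-SHA256 hex digest of the request body in this header.
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"
WEBHOOK_SECRET = b"replace-with-the-webhook-secret"  # placeholder value


@dataclass(frozen=True)
class AnalysisRef:
    """Hypothetical record linking one SonarQube analysis to a Jenkins job/build."""
    project_key: str
    job_name: str
    build_number: int
    status: str


def verify_signature(body: bytes, headers: Mapping[str, str], secret: bytes) -> bool:
    """Recompute the digest over the raw body and compare in constant time."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    received = lowered.get(SIGNATURE_HEADER.lower(), "")
    if not received:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(received.lower().encode(), expected.encode())


def extract_analysis_ref(body: bytes) -> Optional[AnalysisRef]:
    """Map a notification back to the Jenkins job and build using the sonar.analysis.* properties."""
    payload = json.loads(body)
    props = payload.get("properties", {})
    job = props.get("sonar.analysis.jobName")
    build = props.get("sonar.analysis.buildNumber")
    if not job or not build or not str(build).isdigit():
        return None  # analysis was not tagged by a Jenkins build: nothing to correlate
    return AnalysisRef(
        project_key=payload["project"]["key"],
        job_name=job,
        build_number=int(build),
        status=payload.get("status", "UNKNOWN"),
    )


def handle_webhook(body: bytes, headers: Mapping[str, str],
                   secret: bytes = WEBHOOK_SECRET) -> Optional[AnalysisRef]:
    """Reject unsigned or tampered notifications before trusting anything in them."""
    if not verify_signature(body, headers, secret):
        return None
    return extract_analysis_ref(body)


# Constructed sample payload in the shape of a SonarQube webhook notification.
SAMPLE_BODY = json.dumps({
    "serverUrl": "https://sonar.example.invalid",
    "taskId": "AX-constructed-task-id",
    "status": "SUCCESS",
    "project": {"key": "my-app", "name": "My App"},
    "qualityGate": {"name": "Sonar way", "status": "OK"},
    "properties": {
        "sonar.analysis.buildNumber": "42",
        "sonar.analysis.jobName": "my-app-ci",
    },
}, separators=(",", ":")).encode()


def sample_headers(body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Headers as SonarQube would send them for this body (constructed for the example)."""
    return {SIGNATURE_HEADER: hmac.new(secret, body, hashlib.sha256).hexdigest()}


if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, sample_headers(SAMPLE_BODY)))
```

The digest is computed over the raw request bytes, not over a re-serialized JSON object, because any whitespace or key-order difference would change the hash. A notification whose properties lack the two sonar.analysis.* values is dropped rather than guessed at, which is the situation you get when the Maven command omits the -Dsonar.analysis.buildNumber and -Dsonar.analysis.jobName flags.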


Pipeline as Code

  1. If you are using Pipeline as Code, enter the following step in your build stage before your Maven command: addALMOctaneSonarQubeListener.

  2. In this step, set the following parameters: sonarServerUrl, sonarToken, pushCoverage (optional), pushVulnerabilities (optional).

  3. In the Maven command, define sonar.analysis.buildNumber and sonar.analysis.jobName similar to a regular Jenkins job.

Example: 
withSonarQubeEnv('my_sonar_instance') {
    // Register the ALM Octane listener before the Maven command
    addALMOctaneSonarQubeListener pushCoverage: true, pushVulnerabilities: true, sonarToken: env.SONAR_AUTH_TOKEN, sonarServerUrl: env.SONAR_HOST_URL
    // Pass the build number and job name to SonarQube, as in a regular Jenkins job
    sh(returnStatus: true, script: "mvn clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}")
}
