SonarQube integration
This topic explains how to set up an integration with SonarQube so that code coverage and code vulnerability analysis become part of your development cycle.
Setting up an integration with SonarQube
To see data from SonarQube, create a Jenkins job with a Maven build that is configured to send its data to SonarQube.
Note: The integration enables you to see coverage and vulnerabilities. Other issue types are not yet supported.
To configure the Jenkins job:
- In Sonar, create a server authentication token with administrator authorization. Add this token to the SonarQube configuration in Jenkins. This enables Jenkins to create a webhook in Sonar that notifies Jenkins when an analysis is done.
- Set up the OpenText Core Software Delivery Platform integration with your Jenkins server using the Application Automation Tools plugin. For details, see Set up CI/CD integration.
- In the Jenkins system configuration, in the SonarQube servers section:
    - Enter your SonarQube server details, including the authentication token you created.
    - Select the Enable injection of SonarQube server configuration as build environment variables checkbox.
- In the Jenkins job whose coverage and vulnerability data you want to see, add the following:
    - In the Build Environment section, select the Prepare SonarQube Scanner environment checkbox.
    - Add the ALM Octane SonarQube listener build step before your Maven command. Select one or both of the checkboxes for the data you want integrated: Push Vulnerabilities and Push Coverage.
    - In the build step, in addition to the SonarQube goal, pass two environment parameter values to SonarQube that carry the build number and job name from Jenkins: sonar.analysis.buildNumber and sonar.analysis.jobName. This enables OpenText Core SDP to identify the job when it retrieves the coverage results from SonarQube.
      Example:
      clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}
- Define the pipeline in OpenText Core SDP as type security. You can see a pipeline's type in the pipeline's Details tab.
Note: Jenkins does not support Basic authentication. If you are integrating SonarQube with Jenkins, we recommend that you verify your organization's security policy.
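The webhook created in the first step and the two sonar.analysis parameters injected in the build step are what tie an analysis result back to the Jenkins build. The following Python snippet is an added example, not code from OpenText, Jenkins or SonarQube: it verifies a SonarQube webhook delivery against the webhook secret (when a secret is configured on the webhook, SonarQube sends the HMAC-SHA256 of the request body in the X-Sonar-Webhook-HMAC-SHA256 header) and then extracts the job name and build number from the payload's properties. The payload body and the secret are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample body in the shape SonarQube posts to a webhook,
# trimmed to the fields this check needs. The sonar.analysis.* values
# come from the -Dsonar.analysis.* parameters passed on the Maven command.
SAMPLE_PAYLOAD = json.dumps({
    "status": "SUCCESS",
    "project": {"key": "my-app"},
    "qualityGate": {"status": "OK"},
    "properties": {
        "sonar.analysis.buildNumber": "42",
        "sonar.analysis.jobName": "my-app-build",
    },
}).encode()

# Constructed secret; in practice this is the secret configured on the webhook.
WEBHOOK_SECRET = b"constructed-webhook-secret"


def sign(payload: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, as sent in X-Sonar-Webhook-HMAC-SHA256."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def parse_analysis_webhook(payload: bytes, signature_header: Optional[str],
                           secret: bytes) -> dict:
    """Reject unsigned or mis-signed deliveries, then pull out the
    Jenkins correlation keys so the receiver can match the analysis
    to the job and build that produced it."""
    if signature_header is None:
        raise ValueError("missing X-Sonar-Webhook-HMAC-SHA256 header")
    # Constant-time comparison so the check does not leak the digest.
    if not hmac.compare_digest(sign(payload, secret), signature_header):
        raise ValueError("webhook signature mismatch")
    body = json.loads(payload)
    props = body.get("properties", {})
    build = props.get("sonar.analysis.buildNumber")
    job = props.get("sonar.analysis.jobName")
    if build is None or job is None:
        # Without both keys the analysis cannot be attributed to a Jenkins run.
        raise ValueError("analysis lacks sonar.analysis.buildNumber/jobName")
    return {
        "job": job,
        "build": int(build),
        "analysis_ok": body.get("status") == "SUCCESS",
        "quality_gate": body.get("qualityGate", {}).get("status"),
    }
```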
Pipeline as Code
This section describes the steps to take if you are using Pipeline as Code.
Perform the following steps:
- Enter the following step in your build stage before your Maven command: addALMOctaneSonarQubeListener.
- In this step, define the following variables: sonarServerUrl, sonarToken, pushCoverage (optional), pushVulnerabilities (optional).
- In the Maven command, define sonar.analysis.buildNumber and sonar.analysis.jobName as you would for a regular Jenkins job.
Example: Using Pipeline as Code
withSonarQubeEnv('my_sonar_instance') {
    addALMOctaneSonarQubeListener pushCoverage: true, pushVulnerabilities: true, sonarToken: env.SONAR_AUTH_TOKEN, sonarServerUrl: env.SONAR_HOST_URL
    sh(returnStatus: true, script: "mvn clean install $SONAR_MAVEN_GOAL -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN -Dsonar.analysis.buildNumber=${BUILD_NUMBER} -Dsonar.analysis.jobName=${JOB_NAME}")
}