[TOC]

1. Provide a token

https://sonar.bappartners.com/account/security

  • If you have the right to run the analysis code and publish it to the SonarQube server please create a token here https://sonar.bappartners.com/account/security.

  • If you do not have permission to run the analysis, please contact the administrator (thachpv) to obtain a token.

2. Run analysis on your project

Analysis parameters

setting_hierachy.png

  • Some analysis parameters
Parameters Description
sonar.token Token used by the scanner to authenticate to the SonarCloud server.
Replaces sonar.login and sonar.password properties which are deprecated.
sonar.host.url https://sonar.bappartners.com/ . The URL of the SonarCloud server
sonar.projectKey The project's unique key. Example format: s0027.ChallengeCR_tên_repo
sonar.projectName Name of the project that will be displayed on the web interface. Example format: s0027.ChallengeCR_tên_repo
sonar.sources Analysis baseline for main source code (non-test code) in the project.
sonar.tests Analysis baseline for test code in the project.
sonar.sourceEncoding Encoding of the source files. For example, UTF-8, MacRoman, Shift_JIS. The list of available encodings depends on your JVM.
sonar.exclusions A setting used to specify file paths that you want to exclude from the SonarQube analysis process

Please visit the official documentation of Analysis parameters for more details.

  • Setting configuration in a file
    • Maven Java project: pom.xml
    • Gradle Java project: build.gradle
    • Ant Java project: build.xml
    • Other CI-based analysis: sonar-project.properties
    • Automatic analysis: .sonarcloud.properties
  • Setting configuration on the command line
    • For CI-based analysis (not automatic analysis), parameters can also be set on the command line using the -D option indicator when launching an analysis

Execute the Scanner for Maven

Running a SonarQube analysis with Maven is straighforward. You just need to run the following command in your project's folder.

mvn clean verify sonar:sonar \
-Dsonar.projectKey=test1 \
-Dsonar.host.url=https://sonar.bappartners.com \
-Dsonar.login=sqp_a8f356df86c4c1660db14aa849bc1a829aaa3e42

Please visit the official documentation of the Scanner for Maven for more details.

Execute the Scanner for Gradle

1/ Running an analysis with Gradle is straighforward. You just need to declare the org.sonarqube plugin in your build.gradle file:

plugins {
  id "org.sonarqube" version "3.5.0.2730"
}

2/ run the following command:

./gradlew sonar \
  -Dsonar.projectKey=test1 \
  -Dsonar.host.url=https://sonar.bappartners.com \
  -Dsonar.login=sqp_a8f356df86c4c1660db14aa849bc1a829aaa3e42

Other (for JS, TS, Go, Python, PHP, …)

1/ Download and unzip the Scanner for Linux

  • https://docs.sonarsource.com/sonarcloud/advanced-setup/ci-based-analysis/sonarscanner-cli/

2/ Execute the Scanner

sonar-scanner \
  -Dsonar.projectKey=test1 \
  -Dsonar.sources=. \
  -Dsonar.host.url=https://sonar.bappartners.com \
  -Dsonar.login=sqp_a8f356df86c4c1660db14aa849bc1a829aaa3e42

Please visit the official documentation of the Scanner for more details.

Scanner .NET Core Global Tool

dotnet tool install --global dotnet-sonarscanner
dotnet sonarscanner begin /k:"test1" /d:sonar.host.url="https://sonar.bappartners.com"  /d:sonar.login="sqp_a8f356df86c4c1660db14aa849bc1a829aaa3e42"
dotnet build
dotnet sonarscanner end /d:sonar.login="sqp_a8f356df86c4c1660db14aa849bc1a829aaa3e42"

Execute the Scanner for Flutter

  • Sonar Server need to install SonarQube plugin for Flutter/Dart: https://github.com/insideapp-oss/sonar-flutter

  • Create sonar-project.properties file

    # Project identification
    sonar.projectKey=tcu.knock-fe-user
    sonar.projectVersion=1.0
    sonar.host.url=http://localhost:9000
    sonar.login=sqp_aae237585c0c1995591c82faae02c619eae1dc94
    
    # Source code location.
    # Path is relative to the sonar-project.properties file. Defaults to .
    # Use commas to specify more than one file/folder.
    # It is good practice to add pubspec.yaml to the sources as the analyzer
    # may produce warnings for this file as well.
    sonar.sources=lib,pubspec.yaml
    #sonar.tests=test
    
    # Encoding of the source code. Default is default system encoding.
    sonar.sourceEncoding=UTF-8
    
    # Analyzer mode
    # Can be:
    # - DETECT (attempt to detect automatically) - default
    # - MANUAL (an existing report needs to be provided)
    # - FLUTTER (flutter analyze)
    # - DART (dart analyze)
    # - DARTANALYZER (dartanalyzer)
    # sonar.dart.analyzer.mode=
    
    # Allows reuse of an existing analyzer report when mode is MANUAL
    # sonar.dart.analyzer.report.path=
    
    # Analyzer report output mode
    # Can be:
    # - DETECT (attempt to detect automatically, requires Dart SDK on the PATH) - default
    # - MACHINE (a new machine readable output that is available for Dart 2.12+)
    # - LEGACY (attempts to parse human readable output from dart/flutter) - default
    # sonar.dart.analyzer.report.mode=
  • Run the analysis and publish to the SonarQube server

    # Download dependencies
    flutter pub get
    # Run tests with User feedback (in case some test are failing)
    #flutter test
    # Run tests without user feedback regeneration tests.output and coverage/lcov.info
    #flutter test --machine --coverage > tests.output
    
    # Run the analysis and publish to the SonarQube server
    sonar-scanner
    —-

Analyze your project with GitLab CI

MAVEN

1/ Add the following to your pom.xml file

<properties>
  <sonar.qualitygate.wait>true</sonar.qualitygate.wait>
</properties>

2/ Add environment variables

2.1/ Define the SonarQube Token environment variable.

  • In GitLab, go to Settings > CI/CD > Variables to add the following variable and make sure it is available for your project:
  • In the Key field, enter SONAR_TOKEN
  • In the Value field, enter an existing token, or a newly generated one: Generate a token
  • Uncheck the Protect Variable checkbox.
  • Check the Mask Variable checkbox.

2.2/Define the SonarQube URL environment variable.

Still in Settings > CI/CD > Variables add a new variable and make sure it is available for your project:

  • In the Key field, enter SONAR_HOST_URL
  • In the Value field, enter https://sonar.bappartners.com
  • Uncheck the Protect Variable checkbox.
  • Leave the Mask Variable checkbox unchecked.

3/Create or update your .gitlab-ci.yml file with the following content.

stages:
  - analyze
sonarqube-check:
  stage: analyze
  image: maven:3.6.3-jdk-11
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - mvn verify sonar:sonar -Dsonar.projectKey=test1
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "develop"'
  allow_failure: true
  tags:
    - sonar-scanner

gradle

1/ Add the following to your build.gradle file

plugins {
  id "org.sonarqube" version "3.5.0.2730"
}

sonar {
  properties {
    property "sonar.projectKey", "test1"
    property "sonar.qualitygate.wait", true
  }
}

Example:

// SonarQube
sonar {
    properties {
        property 'sonar.sourceEncoding', 'UTF-8'
        property 'sonar.language', 'java'
        property 'sonar.java.binaries', '**/build/classes'
        property 'sonar.exclusions', '**/com/honda/rd/**,**/ext/preevisionadapter/**'
        property 'sonar.issue.ignore.allfile', 'e1'
        property 'sonar.issue.ignore.allfile.e1.fileRegexp', '@Test'
        property 'sonar.issue.ignore.allfile', 'e2'
        property 'sonar.issue.ignore.allfile.e2.fileRegexp', '@ParameterizedTest'
        property 'sonar.junit.reportPaths', 'build/test-results/aggregate'
        property 'sonar.coverage.jacoco.xmlReportPaths', 'build/reports/jacoco/aggregate/jacocoTestReport.xml'
        property 'sonar.coverage.exclusions', '**/src/test/**'
        property 'sonar.cpd.exclusions', '**/src/test/**'
    }
}
project.tasks['sonar'].dependsOn 'junit5TestReport'
project.tasks['sonar'].dependsOn 'aggregateJacocoMerge'

2/ Create or update your .gitlab-ci.yml file with the following content.

stages:
  - analyze
sonarqube-check:
  stage: analyze
  image: gradle:jre11-slim
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: gradle sonar
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "develop"'
  allow_failure: true
  tags:
    - sonar-scanner

Other (for JS, TS, Go, Python, PHP, …)

1/ Create a sonar-project.properties file in your repository and paste the following code

# must be unique in a given SonarQube instance
sonar.projectKey=s0168.Monocad_lambda-flask-api
# --- optional properties ---

# defaults to project key
sonar.projectName=s0168.Monocad_lambda-flask-api
# defaults to 'not provided'
#sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Defaults to .
# sonar.projectBaseDir=.
# sonar.sources=./src,./resources,./web
sonar.sources=./app

# Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8

#sonar.test.inclusions=**/*Test.js

#sonar.exclusions=,**/coverage/**

# Fail CI pipeline if Sonar fails.
sonar.qualitygate.wait=true

2/ Create or update your .gitlab-ci.yml file with the following content.

stages:
  - analyze
sonarqube-check:
  stage: analyze
  image:
    name: sonarsource/sonar-scanner-cli:4.8
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "develop"
  allow_failure: true
  tags:
    - sonar-scanner

NET

1/ Add environment variables

1.1/ Define the SonarQube Token environment variable.

  • In GitLab, go to Settings > CI/CD > Variables to add the following variable and make sure it is available for your project:
  • In the Key field, enter SONAR_TOKEN
  • In the Value field, enter an existing token, or a newly generated one: Generate a token
  • Uncheck the Protect Variable checkbox.
  • Check the Mask Variable checkbox.

1.2/Define the SonarQube URL environment variable.

Still in Settings > CI/CD > Variables add a new variable and make sure it is available for your project:

  • In the Key field, enter SONAR_HOST_URL
  • In the Value field, enter https://sonar.bappartners.com
  • Uncheck the Protect Variable checkbox.
  • Leave the Mask Variable checkbox unchecked.

2/ Create or update your .gitlab-ci.yml file with the following content.

sonarqube-check:
  image: mcr.microsoft.com/dotnet/core/sdk:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
      - "apt-get update"
      - "apt-get install --yes openjdk-11-jre"
      - "dotnet tool install --global dotnet-sonarscanner"
      - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
      - "dotnet sonarscanner begin /k:\"s0202.meta.b2b.unity_fe\" /d:sonar.login=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" "
      - "dotnet build"
      - "dotnet sonarscanner end /d:sonar.login=\"$SONAR_TOKEN\""
  allow_failure: true
  only:
    - merge_requests
    - staging
    - develop