SonarQube Code Quality and Security Solution Integration
SonarQube
DeployHub Pro can associate the SonarQube Project Status, Bugs, Code Smells, and Violations metrics with your Component Version. Associating these metrics enables compliance scoring for Application Versions, because the metrics are rolled up from the Component Versions to the Application Version. See the Application Compliance Scorecard below for details.
Example Scorecard Report
Getting Metrics from SonarQube to DeployHub Pro
DeployHub Pro uses the Command Line Interface from the Ortelius Open Source project incubating at the Linux Foundation. The Ortelius CI/CD command line program is used to associate the Sonar metrics with the DeployHub Pro Component Version. See [CLI Installation](https://docs.deployhub.com/userguide/installation-and-support/0-commandlineinterface/) for instructions on basic setup in your CI/CD pipeline.
REST API calls are needed in your pipeline to fetch the metrics from Sonar. Shell commands using curl and jq parse the data returned by Sonar and format it for storage with the Component Version. The component.toml file used by the DeployHub Pro CLI is appended to with each new metric and uploaded to DeployHub Pro at the end of the pipeline. See [CI-CD Integration](https://docs.deployhub.com/userguide/integrations/ci-cd_integrations/) for more details.
Note: Your codebase must be scanned with SonarQube and the results uploaded to the SonarQube server before these calls run. The REST calls read the metrics from the stored scan results, so a retry loop may be needed: the server processes the uploaded report as a background task, and there can be a delay between the end of the scan and the publication of the results. See SonarQube Project Status below for an example that includes the loop.

Keep SONAR_ID and SONAR_PASS in your CI/CD secret store rather than in the pipeline script. SonarQube also accepts a user token in place of the userid and password: pass the token as the Basic-auth username (the `-u` value) with an empty password. Do not pass `-k` to curl in production, since it disables TLS certificate verification; if your SonarQube server uses a certificate from a private CA, point curl at that CA with `--cacert` instead.
SonarQube Project Status
Variable | Value |
---|---|
SONAR_URL | URL of the SonarQube server. For example: https://sonar.example.com |
SONAR_ID | Userid used to login to SonarQube |
SONAR_PASS | Password for the userid |
PROJECTKEY | Name of the project in SonarQube |
COMPONENT_TOML | The DeployHub Pro Component TOML file that defines the Component Version to DeployHub Pro. Typically called component.toml |
Check=$(curl -s -u "${SONAR_ID}:${SONAR_PASS}" "${SONAR_URL}/api/qualitygates/project_status?projectKey=${PROJECTKEY}" | jq -r '.projectStatus.status')
max_retry=30
counter=0
# Poll until the quality gate reports a final status. OK and ERROR are the current
# values; WARN is only returned by older SonarQube releases. A project with no
# quality gate assigned reports NONE and will exhaust the retries below.
until [ "$Check" = "OK" ] || [ "$Check" = "ERROR" ] || [ "$Check" = "WARN" ];
do
 sleep 20
 [ "$counter" -eq "$max_retry" ] && echo "Failed! Check your sonar-server" && exit 1
 echo "Retrying. Try #$counter"
 ((counter++))
 Check=$(curl -s -u "${SONAR_ID}:${SONAR_PASS}" "${SONAR_URL}/api/qualitygates/project_status?projectKey=${PROJECTKEY}" | jq -r '.projectStatus.status')
done
# Double quotes so that $Check expands; the escaped inner quotes make the TOML value a string.
echo " SonarProjectStatus = \"${Check}\"" >> "${COMPONENT_TOML}"
SonarQube Bugs
Variable | Value |
---|---|
SONAR_URL | URL of the SonarQube server. For example: https://sonar.example.com |
SONAR_ID | Userid used to login to SonarQube |
SONAR_PASS | Password for the userid |
COMPONENT_NAME | Key of the project in SonarQube (the same value as PROJECTKEY above). This name will typically be the same as the name of the component being built, but the Sonar scan may be uploaded under an alternate name. Use the key from SonarQube. |
COMPONENT_TOML | The DeployHub Pro Component TOML file that defines the Component Version to DeployHub Pro. Typically called component.toml |
# Use --cacert <ca.pem> rather than -k if the server certificate is signed by a private CA.
SONAR_BUGS=$(curl -s -u "${SONAR_ID}:${SONAR_PASS}" "${SONAR_URL}/api/measures/component?component=${COMPONENT_NAME}&metricKeys=complexity,bugs,new_technical_debt,code_smells,branch_coverage,violations" | jq -r '.component.measures[] | select(.metric == "bugs") | .value')
# Double quotes so that ${SONAR_BUGS} expands into the TOML string value.
echo " SonarBugs = \"${SONAR_BUGS}\"" >> "${COMPONENT_TOML}"
SonarQube Code Smells
Variable | Value |
---|---|
SONAR_URL | URL of the SonarQube server. For example: https://sonar.example.com |
SONAR_ID | Userid used to login to SonarQube |
SONAR_PASS | Password for the userid |
COMPONENT_NAME | Key of the project in SonarQube (the same value as PROJECTKEY above). This name will typically be the same as the name of the component being built, but the Sonar scan may be uploaded under an alternate name. Use the key from SonarQube. |
COMPONENT_TOML | The DeployHub Pro Component TOML file that defines the Component Version to DeployHub Pro. Typically called component.toml |
# Use --cacert <ca.pem> rather than -k if the server certificate is signed by a private CA.
SONAR_CODESMELLS=$(curl -s -u "${SONAR_ID}:${SONAR_PASS}" "${SONAR_URL}/api/measures/component?component=${COMPONENT_NAME}&metricKeys=complexity,bugs,new_technical_debt,code_smells,branch_coverage,violations" | jq -r '.component.measures[] | select(.metric == "code_smells") | .value')
# Double quotes so that ${SONAR_CODESMELLS} expands into the TOML string value.
echo " SonarCodeSmells = \"${SONAR_CODESMELLS}\"" >> "${COMPONENT_TOML}"
SonarQube Violations
Variable | Value |
---|---|
SONAR_URL | URL of the SonarQube server. For example: https://sonar.example.com |
SONAR_ID | Userid used to login to SonarQube |
SONAR_PASS | Password for the userid |
COMPONENT_NAME | Key of the project in SonarQube (the same value as PROJECTKEY above). This name will typically be the same as the name of the component being built, but the Sonar scan may be uploaded under an alternate name. Use the key from SonarQube. |
COMPONENT_TOML | The DeployHub Pro Component TOML file that defines the Component Version to DeployHub Pro. Typically called component.toml |
# Use --cacert <ca.pem> rather than -k if the server certificate is signed by a private CA.
SONAR_VIOLATIONS=$(curl -s -u "${SONAR_ID}:${SONAR_PASS}" "${SONAR_URL}/api/measures/component?component=${COMPONENT_NAME}&metricKeys=complexity,bugs,new_technical_debt,code_smells,branch_coverage,violations" | jq -r '.component.measures[] | select(.metric == "violations") | .value')
# Double quotes so that ${SONAR_VIOLATIONS} expands into the TOML string value.
echo " SonarViolations = \"${SONAR_VIOLATIONS}\"" >> "${COMPONENT_TOML}"
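The whole procedure above (wait for the scan results, read the quality gate, fetch the Bugs, Code Smells and Violations measures, append them to component.toml) as one pipeline step. This is an added example written for this page, not DeployHub Pro or Ortelius code. It assumes things the page does not state: authentication with a SonarQube user token held in SONAR_TOKEN (sent as the Basic-auth username with an empty password, as SonarQube documents), readiness detected through the Compute Engine endpoint /api/ce/component (no queued task and the last report task SUCCESS) before the quality gate is read, and a single /api/measures/component call for all three metrics instead of one call per metric. The JSON samples in the block are constructed to match the shape of those endpoints' responses; their values are made up.

```python
#!/usr/bin/env python3
"""Fetch SonarQube metrics for a project and append them to component.toml.

Added example for this page, not DeployHub Pro or Ortelius code.
Assumed inputs (not from the page): SONAR_URL, SONAR_TOKEN (a SonarQube user
token), PROJECTKEY and COMPONENT_TOML in the environment.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

METRIC_KEYS = ("bugs", "code_smells", "violations")
TOML_NAMES = {"bugs": "SonarBugs",
              "code_smells": "SonarCodeSmells",
              "violations": "SonarViolations"}
FINAL_GATE_STATUSES = ("OK", "ERROR", "WARN", "NONE")  # WARN only on older servers

# Constructed sample responses (shape of the real endpoints, values made up).
SAMPLE_CE = {"queue": [], "current": {"type": "REPORT", "status": "SUCCESS"}}
SAMPLE_GATE = {"projectStatus": {"status": "ERROR"}}
SAMPLE_MEASURES = {"component": {"key": "demo-app", "measures": [
    {"metric": "bugs", "value": "3"},
    {"metric": "violations", "value": "15"},
    {"metric": "code_smells", "value": "12"}]}}


def sonar_get(base_url, path, params, token):
    """GET a Web API endpoint; the token is the Basic-auth user, password empty."""
    url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
    cred = base64.b64encode((token + ":").encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verification stays on
        return json.load(resp)


def analysis_ready(ce_json):
    """Report has been processed: nothing queued and the last task succeeded."""
    if ce_json.get("queue"):
        return False
    return (ce_json.get("current") or {}).get("status") == "SUCCESS"


def wait_for_analysis(fetch_ce, max_retry=30, delay=20, sleep=time.sleep):
    """Poll fetch_ce() until the report is processed; return the number of retries."""
    for attempt in range(max_retry):
        if analysis_ready(fetch_ce()):
            return attempt
        sleep(delay)
    raise TimeoutError("SonarQube analysis not processed after %d polls" % max_retry)


def quality_gate_status(gate_json):
    """Validate the gate status so an unexpected string never reaches the TOML."""
    status = gate_json["projectStatus"]["status"]
    if status not in FINAL_GATE_STATUSES:
        raise ValueError("unexpected quality gate status %r" % status)
    return status


def pick_measures(measures_json, keys=METRIC_KEYS):
    """Map metric key -> value string; fail loudly if the server omitted a metric."""
    found = {m["metric"]: m["value"] for m in measures_json["component"]["measures"]}
    missing = [k for k in keys if k not in found]
    if missing:
        raise KeyError("metrics missing from SonarQube response: %s" % missing)
    return {k: found[k] for k in keys}


def toml_escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"')


def toml_lines(status, measures):
    """Render the lines appended to component.toml (quoted strings, as on this page)."""
    lines = ['SonarProjectStatus = "%s"' % toml_escape(status)]
    for key in METRIC_KEYS:
        if key in measures:
            lines.append('%s = "%s"' % (TOML_NAMES[key], toml_escape(measures[key])))
    return lines


def demo():
    """Offline run over the constructed samples."""
    return toml_lines(quality_gate_status(SAMPLE_GATE), pick_measures(SAMPLE_MEASURES))


def main():
    base, token = os.environ["SONAR_URL"], os.environ["SONAR_TOKEN"]
    project = os.environ["PROJECTKEY"]
    toml_path = os.environ.get("COMPONENT_TOML", "component.toml")
    wait_for_analysis(lambda: sonar_get(base, "/api/ce/component",
                                        {"component": project}, token))
    status = quality_gate_status(sonar_get(base, "/api/qualitygates/project_status",
                                           {"projectKey": project}, token))
    measures = pick_measures(sonar_get(base, "/api/measures/component",
                                       {"component": project,
                                        "metricKeys": ",".join(METRIC_KEYS)}, token))
    with open(toml_path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(toml_lines(status, measures)) + "\n")
    print(project, status, measures)


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a pipeline step after the scanner has finished, with SONAR_URL, SONAR_TOKEN, PROJECTKEY and COMPONENT_TOML exported, then upload component.toml with the CLI as described above. Polling the Compute Engine task instead of the gate status avoids recording the previous analysis's result when the new report is still queued, and the explicit status whitelist and missing-metric check stop a transient error page from being written into the TOML as a value.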