API to fetch specific analysis report by Id or Tag

  • Which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Enterprise Edition - v 10.5 / Helm deployed

  • What are you trying to achieve
    Need to integrate SonarQube with an internal CI system. Our CI system creates pipelines that need to be associated with a specific analysis (analysisId in Sonar). There is currently no API that fetches the analysis report (not the QualityGate information) by analysisId or by analysis event (e.g., VERSION).

  • What have you tried so far to achieve this

  • Attempt #1 - Use webhook to retrieve task info, fetch analysisId using ce API and then the analysis report using analysisId. NOTE: I need the analysis report data. Webhook only has qualityGate payload.
curl --request GET \
  --url 'https://sonar.xyz.com/api/ce/task?id=<taskId from webhook>' \
  --header 'Authorization: <auth>'
 
# Response
{
  "task": {
    "id": "<task Id>",
    "type": "REPORT",
    "componentId": "14370493-591d-4e12-969b-f5a18fa06b49",
    "componentKey": "<component key>",
    "componentName": "<component name>",
    "componentQualifier": "TRK",
    "analysisId": "486aa640-dff2-422c-9fc6-335f972810e2",
    "status": "SUCCESS",

This is, however, a dead end, as there is no API to fetch the analysis report using the analysisId.

  • Attempt #2 - Use project analyses summary API
curl --request GET \
  --url 'https://sonar.xyz.com/api/project_analyses/search?project=<project>' \
  --header 'Authorization: <>' 

# Response
 "analyses": [
    {
      "key": "b4012fb0-2233-446b-ad00-e280444f0224",
      "date": "2024-10-23T02:18:34+0300",
      "events": [
        {
          "key": "169a7f11-6d83-4fff-be21-e5315c16ecba",
          "category": "VERSION",
          "name": "0.0.2"
        }
      ],
      "projectVersion": "0.0.2",
      "manualNewCodePeriodBaseline": false,
      "revision": "df67b970aefb2827e96163a2cb4455fec107a0ba",
      "detectedCI": "Jenkins"
    },
    ...]

This API does not return analysis data but it returns the event category that can be used by the client application as an analysis correlation identifier. However, there is no API to fetch a specific analysis by a category value.

  • Attempt #3 - Scrape information from measures/search_history or measures/component API.

This one was hard to find. I had to scrape Sonar UI and infer that it uses this query to render analysis info:

"https://sonar.xyz.com/api/measures/component?additionalFields=metrics&component=<component>&metricKeys=alert_status%2Cquality_gate_details%2Cnew_violations%2Caccepted_issues%2Cnew_accepted_issues%2Chigh_impact_accepted_issues%2Cmaintainability_issues%2Creliability_issues%2Csecurity_issues%2Cbugs%2Cnew_bugs%2Creliability_rating%2Cnew_reliability_rating%2Cvulnerabilities%2Cnew_vulnerabilities%2Csecurity_rating%2Cnew_security_rating%2Csecurity_hotspots%2Cnew_security_hotspots%2Csecurity_hotspots_reviewed%2Cnew_security_hotspots_reviewed%2Csecurity_review_rating%2Cnew_security_review_rating%2Ccode_smells%2Cnew_code_smells%2Csqale_rating%2Cnew_maintainability_rating%2Csqale_index%2Cnew_technical_debt%2Ccoverage%2Cnew_coverage%2Clines_to_cover%2Cnew_lines_to_cover%2Ctests%2Cduplicated_lines_density%2Cnew_duplicated_lines_density%2Cduplicated_blocks%2Cncloc%2Cncloc_language_distribution%2Cprojects%2Clines%2Cnew_lines"

and another related API:

curl --request GET \
  --url 'https://sonar.xyz.com/api/measures/search_history?component=<component>&metrics=ncloc%2Cduplicated_lines%2Cduplicated_lines_density&p=1&ps=1000' \
  --header 'Authorization: Bearer <>'

Both these APIs return analysis measures but they suffer from several constraints:

  • Result is indexed by metric and not by a specific analysis instance (date)
  • Due to metric based index, the response cannot associate analysisId or for that matter a specific analysis event (such as VERSION).

Any help is appreciated.

Hi,

Welcome to the community!

You’re having difficulty because SonarQube wasn’t designed to deliver the information in the way you’re trying to consume it.

When you say you want the “analysis report”… what data, exactly, are you looking for? I suspect you’re going to need to cobble this together manually. And you’ll need to do it immediately after the analysis, before the next one. SonarQube keeps the latest analysis and some historical data. You’re not going to be able to reach into the past and reconstruct a full “analysis report” for something that happened last month or even (probably) last week.

 
Ann

Thanks for the welcome Ann!

You’re right that I am looking for the measures and metrics thereof for a specific analysis. There are several APIs (as noted in my original post) that fetch measures/metrics data but they all feel incomplete as they do not fetch the result of an analysis deterministically. Do note that system integrators and clients can very well store the info on their end, even if this information is temporal on Sonar.

Here’s one of the several ways this could be accomplished:

  1. CE API to fetch analysis report by analysis ID GET api/ce/analysis_task?id=<analysisId>.
    NOTE: CE APIs expose analysisId, however, there is no “follow-on” API that uses this identifier to fetch relevant information.

  2. Component Measure API with analysis event parameters - GET api/measures/component?eventCategory="VERSION"&eventName="x.y.z"

  3. Update Project analyses search to include specific event value - GET api/project_analyses/search?eventCategory="VERSION"&eventName="0.6"

Options 2 and 3 extend existing APIs to include event parameters. Currently, there is a set of APIs that allow clients to associate their identifiers such as VERSION or OTHER custom identifiers to an analysis, however it is very odd that there is no API that allows using this event to query back to fetch the information later.

Hi,

Measure data isn’t tied directly to the analysis it came from.

 
HTH,
Ann

I see… but any of option 1 and 3 should be feasible right?

Hi,

Feasible to change in the product? Ehm… I suppose. But I’m not aware of any plans to do so.

 
Ann

Well… it looks like there is no deterministic option for fetching a specific analysis report even though Sonar almost supports it. So yes, I’m blocked and will have to do it sub-optimally for now. That said, I’d like to make a new product request for such an API. If you are aware, do let me know what the process would be.

Hi,

This is the process. Can you share your full use case?

 
Thx,
Ann

Thanks Ann.

Use case: Integration of Sonar analysis with a home grown CI system.

Detail:

  1. Our CI system provides a “managed pipeline” service akin to GitHub workflows. Pipelines are a collection of Jobs (user or system defined).
  2. A new feature - Continuous Quality (CQ), integrates Sonar scan jobs, as a system configured job, to the pipelines
  3. Pipelines execute as usual on MR/PR or commit push events, except for CQ enabled applications/pipelines where the scans are triggered automatically.
  4. An application (git repo / sonar project) may have any number of pipelines executing at any point in time
  5. As scans complete, the pipelines need to query / download a specific analysis output and associate them as an artifact with the job in the pipeline.

The association action is supported (through events APIs) however an API to query and fetch the associated analysis result using an event or with specific analysis Id is not supported.

Hi,

Thanks for the details. I’ve passed them on internally.

 
Ann

Hey Ann,
I found this in Sonar docs.

sonar.buildString
The string passed with this property will be stored with the analysis and available in the results of api/project_analyses/search, thus allowing you to later identify a specific analysis and obtain its key for use with api/new_code_periods/set on the SPECIFIC_ANALYSIS type.

However, the Web API docs are unclear on how to use buildString to do this query with the api/project_analyses/search API. Can you or the dev team help with a sample api/project_analyses/search that uses the buildString parameter?

Hi,

That parameter is provided to allow you to label your analyses as needed. Not to allow you to search analyses by build string.

 
Sorry,
Ann
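
Since the thread ends with no server-side filter on api/project_analyses/search, the correlation can be done client-side. The following is an added example, not code from any poster or from SonarSource: it filters a fetched analyses list by build string or event, then pivots the metric-indexed api/measures/search_history response onto that analysis's date. Assumptions: the sample data is constructed, the `buildString` field name and the search_history response shape are assumed, and matching history points to an analysis by identical date string is a heuristic that only holds while the server still retains that history.

```python
import json

# Constructed sample responses (not real server output). The analyses shape follows
# the api/project_analyses/search response quoted in the thread; the "buildString"
# field name and the search_history shape are assumptions.
ANALYSES = json.loads("""{"analyses": [
  {"key": "b4012fb0-2233-446b-ad00-e280444f0224", "date": "2024-10-23T02:18:34+0300",
   "events": [{"key": "e1", "category": "VERSION", "name": "0.0.2"}],
   "projectVersion": "0.0.2", "buildString": "pipeline-1042"},
  {"key": "constructed-key-2", "date": "2024-10-22T01:00:00+0300",
   "events": [], "projectVersion": "0.0.1", "buildString": "pipeline-1041"}
]}""")
HISTORY = json.loads("""{"measures": [
  {"metric": "ncloc", "history": [
     {"date": "2024-10-22T01:00:00+0300", "value": "1180"},
     {"date": "2024-10-23T02:18:34+0300", "value": "1204"}]},
  {"metric": "duplicated_lines", "history": [
     {"date": "2024-10-22T01:00:00+0300", "value": "12"},
     {"date": "2024-10-23T02:18:34+0300"}]}
]}""")


def find_analysis(analyses, build_string=None, category=None, name=None):
    """Return the single analysis matching a build string or an event, else raise."""
    def matches(a):
        if build_string is not None:
            return a.get("buildString") == build_string
        return any(e.get("category") == category and e.get("name") == name
                   for e in a.get("events", []))
    hits = [a for a in analyses["analyses"] if matches(a)]
    if len(hits) != 1:
        # Zero or several hits means the label is not a usable correlation id.
        raise LookupError(f"expected exactly one analysis, found {len(hits)}")
    return hits[0]


def measures_at(history, analysis):
    """Pivot the metric-indexed history into {metric: value} for one analysis date."""
    out = {}
    for m in history["measures"]:
        for point in m["history"]:
            if point["date"] == analysis["date"]:
                out[m["metric"]] = point.get("value")  # None when no value was stored
    return out
```

Both endpoints are paginated, so a real client would collect every page before filtering, and would store the result on its own side right after the analysis completes.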