Bitbucket pipeline question

We are using the pipeline definition generated by the “wizard” of SonarQube Cloud (see below). The only thing we had to change was the JDK because our application is not compatible with Java 17. We don't use Bitbucket pipelines for any of our builds, so we are not familiar with it. We only use it because our build system is not supported by sonar.

Our main branch is develop. We only ever want to check PRs on develop, and we only want to do full branch analysis of develop. We would never want to do any kind of analysis on master, as master is just a way to deploy.

In the supplied pipeline, it has this:

pipelines:                 
  branches:
    master:
      - step: *build-test-sonarcloud
  pull-requests:
    '**':
      - step: *build-test-sonarcloud

The question is, should this be changed?

e.g. should it be something like this?

pipelines:                 
  branches:
    develop:
      - step: *build-test-sonarcloud
  pull-requests:
    '**':
      - step: *build-test-sonarcloud

We assume ** means all branches. Is there any way to restrict it to just branches from develop? Otherwise every feature branch will be duplicate checked as it goes from develop->test->master, causing wasted pipeline cost and presumably a lot of unwanted duplicate information and branches in the sonar UI.

image: maven:3-jdk-11

clone:
  depth: full              # SonarQube Cloud scanner needs the full history to assign issues properly

definitions:
  caches:
    sonar: ~/.sonar/cache  # Caching SonarQube Cloud artifacts will speed up your build
  steps:
    - step: &build-test-sonarcloud
        name: Build, test and analyze on SonarQube Cloud
        caches:
          - maven
          - sonar
        script:
          - mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
        artifacts:
          - target/**

pipelines:                 
  branches:
    master:
      - step: *build-test-sonarcloud
  pull-requests:
    '**':
      - step: *build-test-sonarcloud
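
One way to limit analysis to `develop` and to PRs that target it, as an added example that is not part of the original thread or Sonar's generated pipeline. It assumes Bitbucket's documented behaviour that `pull-requests` patterns match the PR's source branch and that PR builds expose `BITBUCKET_PR_ID` and `BITBUCKET_PR_DESTINATION_BRANCH`; `TARGET_BRANCH`, `should_analyze` and `sonar_step` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the thread author's or Sonar's code.
# TARGET_BRANCH is an assumption taken from the poster's description.
TARGET_BRANCH="${TARGET_BRANCH:-develop}"

# should_analyze SOURCE_BRANCH PR_ID PR_DESTINATION
# The arguments mirror the Bitbucket variables BITBUCKET_BRANCH,
# BITBUCKET_PR_ID and BITBUCKET_PR_DESTINATION_BRANCH; the last two
# are empty on plain branch builds.
# Returns 0 when the build should be analyzed, 1 when it should be skipped.
should_analyze() {
    src="$1"; pr_id="$2"; dest="$3"
    if [ -n "$pr_id" ]; then
        # Pull-request build: gate on the destination, not the source,
        # so develop->test and test->master promotions are skipped.
        [ "$dest" = "$TARGET_BRANCH" ]
    else
        # Branch build: only the target branch gets full branch analysis.
        [ "$src" = "$TARGET_BRANCH" ]
    fi
}

# Entry point to call from the step's script: section in place of the
# bare mvn command (same mvn invocation as in the generated pipeline).
sonar_step() {
    if should_analyze "${BITBUCKET_BRANCH:-}" "${BITBUCKET_PR_ID:-}" \
                      "${BITBUCKET_PR_DESTINATION_BRANCH:-}"; then
        mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
    else
        echo "Skipping SonarQube Cloud analysis: not ${TARGET_BRANCH} or a PR into it"
    fi
}
```

The step itself still starts for every PR, so this removes the build and scan time and the unwanted analyses in the Sonar UI, but not the clone and container start-up.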

Hi,

I’ll be honest and say I’m not familiar with Bitbucket pipelines either.

If you don’t use BB, where/how are you using the pipeline? Or have you adopted BB in order to use SonarQube Cloud? (And what is your normal CI?)

I’m asking before I dig into docs and ask questions so I know I’m looking / digging in the right places.

BTW, your guess about master vs develop seems reasonable. And I would further guess that that ** should become develop.

 
Ann

Our normal pipeline is AWS Codebuild.

Hi,

 
Thx,
Ann

Yes, we are using BB pipelines just for sonar, due to lack of tutorials/info on setting up BB to run locally and via our own pipelines along with analysing branches.

We noticed that in our enterprise, among the other departments using sonar (around 2m lines of code, > 50 developers and 100 repos), no one had managed to get Sonar to analyse PRs nor get Sonar to analyse their develop branch - they all use it on main branch only, which means they have no PR code gates. Their devops guys tried to do this some years ago but hit the same wall we did. I wonder how many sonar users use it in this limited way due to lack of clear documentation, and the wizard incorrectly stating the PRs will be analyzed when they provide code for “other” build systems when they don’t.

This is something I would recommend Sonar look into - a tutorial to set up sonar with a different build system, handling PRs, and not on the main branch. If I had time I would write this myself for people in our position. Not everyone has the luxury of being able to use one of the few directly supported build systems like Bitbucket pipelines.