Configure SonarCloud on CircleCI without using orb

  • ALM used - GitHub
  • CI system used - Circle CI
  • Scanner command used when applicable (private details masked)
  • Languages of the repository - Swift

Hi, I’m quite new to the SonarQube platform and could not find a proper documentation describing how the system works and how to configure it.
So basically looking for a way to configure the Swift repo on the SonarCloud. I found that if the repo was connected to SonarCloud it should automatically analyze the code whenever a new Pull Request created, if using the automatic analysis.
In our organization it was configured back in 2019 through the CI-based analysis and seems like its not working since the time it was configured. The CI based on the CircleCI, I found that there is an official orb, but its not added into the CircleCI configuration file. Instead it uses only this piece of code:

  sonar:
    docker:
      - image: some-address/sonar-scanner:0.0.5
    parameters:
      options:
        type: string
        description: options added to sonar-scanner command
        default: ""
    steps:
      - *restore_source_cache
      - checkout
      - *fix_spm
      - *attach_workspace
      - run:
          name: Configure sonar projectBaseDir
          command: cp -R /root/project /Users/distiller
      - run:
          name: Copy code coverage file
          command: cp /tmp/workspace/sonarqube-generic-coverage.xml /Users/distiller/project
      - run:
          name: Run sonar
          command: >
            sonar-scanner
            -Dsonar.login=$SONAR_TOKEN
            <<parameters.options>>

Looks like it does everything without using the orb itself (does it correct or a deprecated code? ), connecting with the SonarCloud, generating the coverage-report file, but I don’t see the result of this job, even though the job executes correctly. Also it should fail when the coverage code is less than some limit, but it doesnt. Moreover it says in the result that the Analysis was succesfull:


OpenJDK 64-Bit Server VM warning: Ignoring option MaxPermSize; support was removed in 8.0
INFO: Scanner configuration file: /root/sonar_home/conf/sonar-scanner.properties
INFO: Project root configuration file: /Users/distiller/project/sonar-project.properties
INFO: SonarScanner 4.3.0.2102
INFO: Java 11.0.7 Oracle Corporation (64-bit)
INFO: Linux 4.15.0-1106-aws amd64
INFO: SONAR_SCANNER_OPTS=*************************
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /root/sonar_home/conf/sonar-scanner.properties
INFO: Project root configuration file: /Users/distiller/project/sonar-project.properties
INFO: Analyzing on SonarCloud
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=549ms
INFO: Server id: 1afdasdfasdfasdf
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=127ms
INFO: Load/download plugins (done) | time=26117ms
INFO: Loaded core extensions: developer-scanner
INFO: Found an active CI vendor: 'CircleCI'
INFO: Load project settings for component key: 'dsdfasdfasdf'
INFO: Load project settings for component key: 'asdfasdfasdf' (done) | time=109ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Project key: asdfasdfasdfasd
INFO: Base dir: /Users/distiller/project
INFO: Working dir: /Users/distiller/project/.scannerwork
INFO: Load project branches
INFO: Load project branches (done) | time=112ms
INFO: Check ALM binding of project 'asdfasdfas'
INFO: Detected project binding: NOT_BOUND
INFO: Check ALM binding of project 'asdfasdfasdfa' (done) | time=96ms
INFO: Load project pull requests
INFO: Load project pull requests (done) | time=220ms
INFO: Load branch configuration
INFO: Load branch configuration (done) | time=1ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=191ms
INFO: Load active rules
INFO: Load active rules (done) | time=3105ms
INFO: Organization key: *********
INFO: Pull request 8560 for merge into main from feature/asdfasdf
INFO: SCM collecting changed files in the branch
INFO: SCM collecting changed files in the branch (done) | time=243ms
INFO: Indexing files...
INFO: Project configuration:
INFO:   Excluded sources: **/AppDelegate.swift, **/*Builder.swift, **/*Constants.swift
INFO: 1185 files indexed
INFO: 2592 files ignored because of inclusion/exclusion patterns
INFO: 0 files ignored because of scm ignore settings
INFO: Quality profile for js: Sonar way
INFO: Quality profile for swift: Sonar way
INFO: ------------- Run sensors on module iOS
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=106ms
INFO: Sensor CSS Rules [cssfamily]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [cssfamily] (done) | time=2ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=0ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=4ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=5ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=1ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=1ms
INFO: Sensor Swift Code Quality and Security [swift]
INFO: 1150 source files to be analyzed
INFO: 726/1150 files analyzed, current file: some-file
INFO: 1150/1150 source files have been analyzed
INFO: Sensor Swift Code Quality and Security [swift] (done) | time=14366ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
INFO: Sensor JavaScript analysis [javascript]
INFO: Deploying custom rules bundle jar:file:/root/.sonar/cache/d56f116051dbab33b2a9e2aee8b0502b/sonar-securityjsfrontend-plugin.jar!/js-vulnerabilities-rules-1.0.0.tgz to /Users/distiller/project/.scannerwork/.sonartmp/eslint-bridge-bundle/package/custom-rules8271589510856459941
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Sensor JavaScript analysis [javascript] (done) | time=3868ms
INFO: Sensor TypeScript analysis [javascript]
INFO: No input files found for analysis
INFO: Sensor TypeScript analysis [javascript] (done) | time=2ms
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend]
INFO: Sensor ThymeLeaf template sensor [securityjavafrontend] (done) | time=2ms
INFO: Sensor Serverless configuration file sensor [securityjsfrontend]
INFO: 0 Serverless function entries were found in the project
INFO: 0 Serverless function handlers were kept as entrypoints
INFO: Sensor Serverless configuration file sensor [securityjsfrontend] (done) | time=65ms
INFO: Sensor Generic Coverage Report
INFO: Parsing /Users/distiller/project/sonarqube-generic-coverage.xml
INFO: Imported coverage data for 1083 files
INFO: Coverage data ignored for 1767 unknown files, including:
some files...
INFO: Sensor Generic Coverage Report (done) | time=582ms
INFO: Sensor JavaSecuritySensor [security]
INFO: Reading type hierarchy from: /Users/distiller/project/.scannerwork/ucfg2/java
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /Users/distiller/project/.scannerwork/ucfg2/java
INFO: No UCFGs have been included for analysis.
INFO: Sensor JavaSecuritySensor [security] (done) | time=3ms
INFO: Sensor CSharpSecuritySensor [security]
INFO: Reading type hierarchy from: /Users/distiller/project/ucfg_cs2
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /Users/distiller/project/ucfg_cs2
INFO: No UCFGs have been included for analysis.
INFO: Sensor CSharpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PhpSecuritySensor [security]
INFO: Reading type hierarchy from: /Users/distiller/project/.scannerwork/ucfg2/php
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /Users/distiller/project/.scannerwork/ucfg2/php
INFO: No UCFGs have been included for analysis.
INFO: Sensor PhpSecuritySensor [security] (done) | time=0ms
INFO: Sensor PythonSecuritySensor [security]
INFO: Reading type hierarchy from: /Users/distiller/project/.scannerwork/ucfg2/python
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /Users/distiller/project/.scannerwork/ucfg2/python
INFO: No UCFGs have been included for analysis.
INFO: Sensor PythonSecuritySensor [security] (done) | time=0ms
INFO: Sensor JsSecuritySensor [security]
INFO: Reading type hierarchy from: /Users/distiller/project/.scannerwork/ucfg2/js
INFO: Read 0 type definitions
INFO: Reading UCFGs from: /Users/distiller/project/.scannerwork/ucfg2/js
INFO: 16:19:00.227697 Building Runtime Type propagation graph
INFO: 16:19:00.231865 Running Tarjan on 11 nodes
INFO: 16:19:00.232675 Tarjan found 11 components
INFO: 16:19:00.234061 Variable type analysis: done
INFO: 16:19:00.234347 Building Runtime Type propagation graph
INFO: 16:19:00.234656 Running Tarjan on 11 nodes
INFO: 16:19:00.234745 Tarjan found 11 components
INFO: 16:19:00.234821 Variable type analysis: done
INFO: Analyzing 3 ucfgs to detect vulnerabilities.
INFO: rule: S2083, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S2083 done
INFO: rule: S2631, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S2631 done
INFO: rule: S5334, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5334 done
INFO: rule: S5144, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5144 done
INFO: rule: S5146, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5146 done
INFO: rule: S5147, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5147 done
INFO: rule: S6096, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S6096 done
INFO: rule: S5696, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5696 done
INFO: rule: S2076, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S2076 done
INFO: rule: S5883, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5883 done
INFO: rule: S5131, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S5131 done
INFO: rule: S6105, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S6105 done
INFO: rule: S3649, entrypoints: 3
INFO: Running symbolic analysis
INFO: rule: S3649 done
INFO: Sensor JsSecuritySensor [security] (done) | time=862ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=8ms
INFO: CPD Executor 162 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 989 files
INFO: CPD Executor CPD calculation finished (done) | time=220ms
INFO: SCM writing changed lines
INFO: SCM writing changed lines (done) | time=18ms
INFO: Analysis report generated in 195ms, dir size=914 KB
INFO: Analysis report compressed in 873ms, zip size=987 KB
INFO: Analysis report uploaded in 751ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonarcloud.io/dashboard?id=h?????
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at https://sonarcloud.io/api/ce/task?id=??????
INFO: Analysis total time: 35.624 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 1:06.125s
INFO: Final Memory: 82M/287M
INFO: ------------------------------------------------------------------------
CircleCI received exit code 0

In fact no updates on the SonarCloud and through the configuration file its not clear if the rules on SonarCloud even implements. The CircleCI job should fail if the quality gates set on the SonarCloud are would show that the code are not meeting the requirements.

Might be it is needed to use the orb? https://sonarcloud.io/documentation/reference/ci/circleci/
by adding this code:

version: 2.1
orbs:
  sonarcloud: sonarsource/sonarcloud@1.0.0
jobs:
  build:
    docker:
      - image: 'circleci/python:3.7.4'
    steps:
    - checkout
    - sonarcloud/scan
workflows:
  my-workflow:
    jobs:
      - build:
          context: sonarcloud

In this case how should I set the quality gates to make sure the job will fail if doesnt meet the limits?
Would it compare it with the SonarCloud directly on the server or should I add some additinal configurations in the config file to set the coverage code quality gate?