Hi,
First, a big thank you for providing a free Community Edition.
I have installed SonarQube Community Edition self-hosted, and I configured my self-hosted GitLab to run the pipeline that SonarQube asked me to use when I created a new project in SonarQube.
I just copied/pasted what SonarQube gave me, without modification.
So I have this .gitlab-ci.yml:

stages:
  - test
  - sonarqube-check
  - sonarqube-vulnerability-report

sast:
  stage: test
include:
  - template: Security/SAST.gitlab-ci.yml

image:
  name: sonarsource/sonar-scanner-cli:latest
  entrypoint: [""]

variables:
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
  GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task

sonarqube-check:
  stage: sonarqube-check
  cache:
    policy: pull
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/
  script:
    - sonar-scanner
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'dev'

sonarqube-vulnerability-report:
  stage: sonarqube-vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=XXXXX&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'dev'
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json
The first job, sonarqube-check, succeeds, but the second, sonarqube-vulnerability-report, fails because of:
Running with gitlab-runner 17.2.1 (9882d9c7)
on e5d7fef36576 j7p6wNhky, system ID: r_aWiznEhqrtUV
Preparing the "docker" executor 00:01
Using Docker executor with image sonarsource/sonar-scanner-cli:latest ...
Pulling docker image sonarsource/sonar-scanner-cli:latest ...
Using docker image sha256:28ccb3e6dcd60822ea19a882cd9b47f204326ab78235403847ea5737491e8281 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:0bc49076468d2955948867620b2d98d67f0d59c0fd4a5ef1f0afc55cf86f2079 ...
Preparing environment 00:01
Running on runner-j7p6wnhky-project-10-concurrent-0 via e5d7fef36576...
Getting source from Git repository 00:00
Fetching changes...
Reinitialized existing Git repository in /builds/xxxx/yyyy/.git/
Checking out 24281304 as detached HEAD (ref is dev)...
Removing .scannerwork/
Removing .sonar/
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:01
Using docker image sha256:28ccb3e6dcd60822ea19a882cd9b47f204326ab78235403847ea5737491e8281 for sonarsource/sonar-scanner-cli:latest with digest sonarsource/sonar-scanner-cli@sha256:0bc49076468d2955948867620b2d98d67f0d59c0fd4a5ef1f0afc55cf86f2079 ...
$ curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=XXXX&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json
/bin/bash: line 153: curl: command not found
Uploading artifacts for failed job 00:00
Uploading artifacts...
WARNING: gl-sast-sonar-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/xxxx/yyyy)
ERROR: No files to upload
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1
We can see that the error is:
/bin/bash: line 153: curl: command not found
I'm not familiar with how the sonarsource/sonar-scanner-cli Docker image is built, but I found this topic, created only 1-2 months ago: Docker sonar-scanner-cli:10 misses cURL
This topic says curl was removed and then reinserted in the sonarsource/sonar-scanner-cli Docker image not long ago.
So what can we do?
I think this is the normal behaviour, but if it is, maybe you should change the .gitlab-ci.yml that SonarQube gives you when you create a new project?
Thank you for everything.
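The failing job above boils down to one unguarded curl call inside an image that may or may not ship curl. The script below is an added example, not code from the post or from SonarSource, showing how that step can be written defensively: it checks that curl is present before doing anything, refuses to run without the SONAR_HOST_URL and SONAR_TOKEN variables, builds the same gitlab_sast_export URL as the post (only adding pullRequest when a merge request IID exists), makes HTTP errors fail the job instead of silently saving an error body as the report, and sanity-checks that the downloaded file is JSON before it is handed to the sast artifact. The project key is passed as an argument (the placeholder my-project-key is an assumption), and the script would be run from the job's script: block in an image that includes curl.

```shell
#!/bin/sh
# Added example (not from the forum post or SonarSource): a guarded replacement
# for the single curl line in the sonarqube-vulnerability-report job.
# Assumptions: SONAR_HOST_URL, SONAR_TOKEN, CI_COMMIT_BRANCH and
# CI_MERGE_REQUEST_IID come from the GitLab job environment; the project key
# is given as the first argument (placeholder: my-project-key).
set -eu

# Return 0 if a tool is on PATH; otherwise print a clear diagnostic and return 1.
# This turns a bare "curl: command not found" into an explicit precondition failure.
require_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "ERROR: '$1' is not installed in this job image; use an image that ships it" >&2
    return 1
}

# Build the export URL. A trailing slash on the host is tolerated, and the
# pullRequest parameter is only appended when a merge request IID is present,
# so branch pipelines do not send an empty "pullRequest=".
build_export_url() {
    host="$1"; project_key="$2"; branch="$3"; mr_iid="${4:-}"
    url="${host%/}/api/issues/gitlab_sast_export?projectKey=${project_key}&branch=${branch}"
    if [ -n "$mr_iid" ]; then
        url="${url}&pullRequest=${mr_iid}"
    fi
    printf '%s' "$url"
}

# Cheap check that a downloaded report is a JSON document rather than an HTML
# login page or an empty file: the first non-blank byte must be '{' or '['.
looks_like_json() {
    first="$(tr -d ' \n\r\t' < "$1" | cut -c1)"
    [ "$first" = "{" ] || [ "$first" = "[" ]
}

# Fetch the SAST export for a project into the file GitLab expects.
fetch_sast_report() {
    project_key="$1"; out="${2:-gl-sast-sonar-report.json}"
    require_tool curl
    : "${SONAR_HOST_URL:?SONAR_HOST_URL must be set}"
    : "${SONAR_TOKEN:?SONAR_TOKEN must be set}"
    url="$(build_export_url "$SONAR_HOST_URL" "$project_key" \
                            "${CI_COMMIT_BRANCH:-}" "${CI_MERGE_REQUEST_IID:-}")"
    # --fail turns HTTP 4xx/5xx into a non-zero exit instead of saving the error body.
    curl --fail --silent --show-error -u "${SONAR_TOKEN}:" "$url" -o "$out"
    looks_like_json "$out" || { echo "ERROR: $out is not a JSON report" >&2; return 1; }
    echo "report written to $out"
}

# Usage from the job:  fetch_sast_report my-project-key
```

In the job definition this replaces the one-line script entry, and the job should run in an image that is known to contain curl rather than relying on the scanner image's packaging; allow_failure: true on the job still hides a missing report, so the explicit checks above are what make the failure visible in the log.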