Get vulnerabilty by GitlabCI

aehanno · October 9, 2020, 8:05am

Must-share information (formatted with Markdown):
Hello,
I just create a new job in my Gitlab to launch an analyze sonar of all my commits.
For now, I have two job, one with sonarscanner with maven and another with sonarscanner CLI

I want to put my job in failed if I have vulnerabilities in my code. But I can’t get an artifact in my job to see the analyze of sonar.

Is there anyone who knows how to get me to retrieve sonar analysis information from my commit. Or the differences with the last analysis

Thank you very much to any responses

Jeff_Zapotoczny · October 7, 2020, 8:36pm

Hi Ehanno,

This topic is well-covered in our docs. You can have your job wait to check the quality gate status and fail if the QG status is failed. Whether a vulnerability will fail your QG depends upon your specific QG criteria.

aehanno · October 8, 2020, 8:22am

Hi @Jeff_Zapotoczny,

Thank you for you answer.

Maybe I didn’t cover all my interogation.
I want to know if we can do this with another scan than the last one.
Because with the quality gate we compare with our latest analyze. But it is possible if I want compare with a specific analyze thath is not the last one ?

Jeff_Zapotoczny · October 8, 2020, 9:08pm

I’m not sure I understand why you’d want to get an analysis result for an old analysis dynamically in GitLab CI. Let’s assume I don’t need to understand your use case. You might want to look at our web API, specifically api/project_analyses/search, which can be used to return prior quality gate results from earlier commits/analyses.

I hope this helps.

aehanno · October 8, 2020, 10:02pm

Thanks, yes I think that will help me

The use case it’s to compare analyze from devolpment branches with analyze of master branch.

aehanno · October 22, 2020, 2:58pm

Hello @Jeff_Zapotoczny,

I try to use the qualitygate filter with gitlab. There is my .yaml

sonar_scanner:
  stage: security
  image:
    name: $DOCKER_REPO_REGISTRY/sonarsource/sonar-scanner-cli:4.5
    entrypoint: [""]
  variables:
    BRANCH_VERSION: "$CI_COMMIT_REF_NAME"
  script:
    - sonar-scanner -Dsonar.quality.wait=true -Dsonar.projectVersion=$BRANCH_VERSION
  allow_failure: true
  when:
    always

But job passed anyway even if in sonar my qualitygate says failed.

Is there a special configuration to do?

I’m in version 7.9.4 of SonarQube and 12.10.6 of GitLab (community edition)

Thanks

Jeff_Zapotoczny · October 22, 2020, 3:57pm

This is because you need to tell your gitlab pipeline to not allow failure.

Change this to false.

I’m not sure if you’ll succeed; we didn’t introduce GitLab CI support until SonarQube 8. But I believe the functionality here mostly depends upon the sonar-scanner CLI, and you appear to be running the latest, so try it anyhow.

aehanno · November 16, 2020, 11:12am

Hello @Jeff_Zapotoczny ,

I change allow-failure by false.
Thaht didn’t work so I updated my sonar in the version 8.5.1

But my job in Gitlab still passed even if the qualitygate failed

Do you have any idea where can be the wrong configuration

Thanks

Jeff_Zapotoczny · November 17, 2020, 7:38pm

The combination of -Dsonar.quality.wait=true as a sonar-scanner parameter and allow_failure: true on the task should be all that’s needed.

Can you provide a full analysis log of a run?