Gitlab.com merge request decoration

Hello,

Our enterprise uses Gitlab.com as a SCM (and for much more) and we are using SonarCloud for the quality analysis.

In that thread SonarCloud + GitLab = ❤️, I saw a few months ago that the merge request decoration should be available.

The documentation here https://sonarcloud.io/documentation/integrations/ci/gitlab-ci/#3-merge-request-decoration seems to say that as soon as we set up the CI with SonarCloud analysis, we should be able to have this merge request decoration. At least for now, it is not the case for us. I did some more searching on that topic and found this documentation https://docs.sonarqube.org/latest/analysis/pr-decoration/ but the instructions here seem to be for a self-hosted GitLab instance…

For now, we have 2 kinds of repositories:

  • Java analyzed with Maven
  • Javascript

I cannot find a step-by-step guide anywhere to help us achieve this.

Can you help us?

Thanks a lot!

Hello @gbrissonnette,

It sounds to me like your SonarCloud organization and projects are not actually bound to GitLab.

I recommend that you delete your existing projects and organization on SonarCloud, log out, and then log back in using your GitLab credentials. Once you are logged in you can click the “+” in the top right and “analyze new project”, then follow the prompts. You will be guided through creating a new SonarCloud org that corresponds with your existing GL org, after which you should be able to import the projects you want from that org into SC. The org and these imported projects will be properly bound to SC and merge request decoration should work automatically.

Hello @Peeter_Piegaze

Thanks for your answer.

We followed what you are describing here at the beginning when we set everything up (at the beginning of this year) and it seems that both are well linked.

Because we have a lot of projects that implies many teams, it is not an acceptable way to go for us to delete everything and start again…

Is there no other option to:

  1. verify if we are bound in a proper way
  2. fix it if necessary

Thanks a lot for your help!

Hi @Peeter_Piegaze

We are facing the same issue :{

Our Sonarcloud account is bound to Azure AD, connecting everything again through GitLab is - unfortunately - a no-go.
Isn’t there another way of integrating Sonarcloud and GitLab?

Thank you!

Hi @rictorres, @gbrissonnette,

I will check with my team to see if we can find a solution.

We will get back to you ASAP.

Just to clarify a few things:

Pull request analysis is available for all four repository services: GitHub, BitBucket Cloud, Azure DevOps and GitLab. @rictorres, you would not need to switch to GitLab to get PR analysis, as you seemed to suggest, it should be available on your existing AzDO setup.

However,

In all cases, PR analysis is only available for bound repositories, i.e., repositories that have been imported according to the procedures outlined in Getting started with Azure DevOps and Getting started with GitLab (and similar, for the other two repo providers)

You can determine if your project is bound to the repository by checking for the repository provider symbol in the top left of the project page. If your project is bound then hovering over the symbol should reveal “this project is bound to…”, something like this:

With GitLab, PR analysis is only available if you are also using GitLab CI/CD.

It is technically possible that your repositories are not bound. But, for that to be the case, you (or whoever did the setup) would have had to manually create an organization and project on SonarCloud and then manually configure the SonarScanner tool in your build environment to use those org ID and project ID. This is usually only done in very specific circumstances and is not really a recommended way of doing things.

I would first of all double-check if your projects are bound. If they are, then we can narrow down the issue further.

Cheers,
Peeter

Hello @Peeter_Piegaze

Thanks for the update.

I confirm that we use the CI/CD of Gitlab.

I can see that our organization is bound to Gitlab

But I can not see this logo against my project:

On my pom.xml I have this setup as properties:

    <sonar.projectKey>groupemutuel.io_fcot-backend</sonar.projectKey>
    <sonar.organization>groupemutuelio</sonar.organization>

They seem OK with our project on Sonar:

Thanks for your help

@gbrissonnette

So, this is good news! Your project is bound and you are using the GitLab CI/CD, so PR decoration is supported and indeed it should work right out-of-the-box.

But, apparently, it is not working. Is that correct?

@Peeter_Piegaze

Yep that is correct.
And I am so sad 😩

I hope we can find the missing part 🙂

@gbrissonnette
Can you go to [your project] > Administration > Background Tasks
and give us a screenshot or give us some of the IDs of the tasks listed there?

@Peeter_Piegaze

There it is 🙂

@gbrissonnette Sorry I missed this earlier in the thread, but in fact while your organization is bound, your project is not (there is a difference between these two types of binding).

This is almost certainly the reason that you are not getting PR decoration.

Currently, we do not support binding an already created, unbound project. So, you will have to create a new project by importing the repository through the SC import process.

@Peeter_Piegaze

Thanks for the update.

So I deleted the existing project and imported it again via the SC import process.
Now I can see the icon related to the bound project:

But when I create a MR on a branch (where an analysis occurred) I still don’t see any PR Decoration:

Hello @gbrissonnette,

Could you share how you have set up your CI pipeline to run the SonarCloud analysis?
Did you set the projectKey of the newly created project or are you still using the projectKey of the older project?

Hello @TomVanBraband

I left the same keys as before because they are still the same. Here is the key on SonarCloud:

And the configuration on our pom.xml

Thanks a lot for your help 🙂

Thanks @gbrissonnette,

In the pictures you shared one references the projectKey groupemutuel.io_fcot-backend while the other references groupemutuel.io_fcot-api. I assume this is just a copy-paste error though 🙂.

Could you share your CI configuration that invokes the scanner? If you are using GitLab pipelines that would be in your .gitlab-ci.yml

Oh yes, sorry

It was a leftover from our pom’s modules. I cleaned them up.
Here is the one from our pom reactor:

And here is the CI content of this job:

I had to put them back again…

So on our pom reactor:

From one of our module:

and for the other:

And still no PR decoration 😢

Hello @gbrissonnette,

It’s not standard to have multiple different projectKeys in one project, could you explain a bit more about the structure of your project? For example:

  • Do you want the code scan results from the two submodules to show up in a separate project on SonarCloud?
  • Is there code that doesn’t fall under the fcot-api or fcot-infermedica-proxy module?

Hello @TomVanBraband

Thanks for your feedback
Here is my project structure:

– fcot-backend (reactor)
|---- fcot-api (module1)
|---- fcot-infermedica-proxy (module2)

On the pom reactor we have:
sonar.projectKey == groupemutuel.io_fcot-backend and sonar.organization == groupemutuelio

on the pom of the module1 we have
sonar.projectKey == groupemutuel.io_fcot-api

on the pom of the module2 we have
sonar.projectKey == groupemutuel.io_infermedica-proxy

I have no specific needs. Everything can be wrapped up in the same SC project; it is fine for me. Just let me know what needs to be changed in my configuration and I will do it 🙂
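
One way to audit the key layout described in this thread, as an added example that is not part of any post and not SonarCloud's own tooling: it lists the modules whose pom sets a `sonar.projectKey` different from the reactor's. The POM snippets are constructed from the keys quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET


def sonar_properties(pom_text):
    """Return the sonar.* entries of a POM's <properties> block as a dict."""
    props = {}
    for child in ET.fromstring(pom_text):
        # Strip the Maven namespace so namespaced and bare POMs both work.
        if child.tag.rsplit("}", 1)[-1] != "properties":
            continue
        for prop in child:
            name = prop.tag.rsplit("}", 1)[-1]
            if name.startswith("sonar."):
                props[name] = (prop.text or "").strip()
    return props


def conflicting_keys(reactor_pom, module_poms):
    """Return the reactor's projectKey and the modules that override it."""
    expected = sonar_properties(reactor_pom).get("sonar.projectKey")
    conflicts = []
    for module, text in sorted(module_poms.items()):
        key = sonar_properties(text).get("sonar.projectKey")
        # A module that sets no key of its own is not reported.
        if key is not None and key != expected:
            conflicts.append((module, key))
    return expected, conflicts


# Constructed sample POMs, reduced to the properties quoted in the thread.
POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
       "<properties>{}</properties></project>")
REACTOR = POM.format(
    "<sonar.projectKey>groupemutuel.io_fcot-backend</sonar.projectKey>"
    "<sonar.organization>groupemutuelio</sonar.organization>")
MODULES = {
    "fcot-api": POM.format(
        "<sonar.projectKey>groupemutuel.io_fcot-api</sonar.projectKey>"),
    "fcot-infermedica-proxy": POM.format(
        "<sonar.projectKey>groupemutuel.io_infermedica-proxy</sonar.projectKey>"),
}

if __name__ == "__main__":
    expected, conflicts = conflicting_keys(REACTOR, MODULES)
    print("reactor sonar.projectKey:", expected)
    for module, key in conflicts:
        print(f"module {module} overrides it with {key}")
```
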