How to get the Quality Gate status and the revision of an analysed PR over Web-API?

My problem is exactly the same as "GET api/project_pull_requests/list response does not contain commit sha", but I can’t continue the discussion there.

Given a projectKey and a pullRequest I would like to get:

  • The quality Gate Status
  • The revision (the value sonar.scm.revision) where the scanner did run.

On SonarCloud:

GET /api/project_pull_requests/list?project=<key>

And then a filter in the returned JSON Array to find a correct PR works fine.

The body looks like this:

{
    "key": "1",
    "title": "A test PR",
    "branch": "patch-1",
    "base": "main",
    "status": {
        "qualityGateStatus": "ERROR",
        "bugs": 0,
        "vulnerabilities": 0,
        "codeSmells": 1
    },
    "analysisDate": "2023-03-15T13:58:05+0100",
    "url": "https://github.com/<owner>/<project>/pull/<id>",
    "target": "main",
    "commit": {
        "sha": "789aa2365d8aed57428b91636ac6a6899c2b3a7b",
        "author": {
            "name": "First Last",
            "login": "firstLast@github",
            "avatar": "7c4c4a33a1d1c28abd249b712651df97"
        },
        "date": "2023-03-15T13:54:48+0100",
        "message": "A test commit"
    },
    "contributors": [
        {
            "name": "First Last",
            "login": "firstLast@github",
            "avatar": "7c4c4a33a1d1c28abd249b712651df97"
        }
    ]
}

On SonarQube (on prem), tested on 9.9 LTS

The same endpoint:

GET /api/project_pull_requests/list?project=<key>

And the filter to find the correct PR contains only:

{
    "key": "1",
    "title": "A test PR",
    "branch": "patch-1",
    "base": "main",
    "status": {
        "qualityGateStatus": "ERROR",
        "bugs": 0,
        "vulnerabilities": 0,
        "codeSmells": 1
    },
    "analysisDate": "2023-03-15T13:58:05+0100",
    "url": "<on prem gitlab server>/a-group/a-subgroup/a-project/merge_requests/<id>",
    "target": "main"
}

I have tried this other endpoint:

GET /api/qualitygates/project_status?projectKey=<key>&pullRequest=<pr>

But this contains the gate status but not the revision:

{
    "projectStatus": {
        "status": "OK",
        "conditions": [
            {
                "status": "OK",
                "metricKey": "new_reliability_rating",
                "comparator": "GT",
                "periodIndex": 1,
                "errorThreshold": "1",
                "actualValue": "1"
            },
            {
                "status": "OK",
                "metricKey": "new_security_rating",
                "comparator": "GT",
                "periodIndex": 1,
                "errorThreshold": "1",
                "actualValue": "1"
            },
            {
                "status": "OK",
                "metricKey": "new_maintainability_rating",
                "comparator": "GT",
                "periodIndex": 1,
                "errorThreshold": "1",
                "actualValue": "1"
            },
            {
                "status": "OK",
                "metricKey": "new_security_review_rating",
                "comparator": "GT",
                "periodIndex": 1,
                "errorThreshold": "1",
                "actualValue": "1"
            }
        ],
        "periods": [],
        "ignoredConditions": false
    }
}

Even with multiple Web-API calls to Sonar, I do not understand how I can access the revision information.

Any advice is highly highly appreciated…

Hey there.

While SonarCloud stores the SCM revision for each Pull Request, SonarQube does not.

Can you explain your use-case a little bit more – what are you doing with the data for the SCM revision? Does an existing DevOps Platform Integration not already help you do things like decorate pull requests, or fail the build based on Quality Gate?

Hi Colin,

Thank you for your feedback.

My use case is the same as the one in the original post almost 3 years ago.

The GitLab integration proposal is not as smooth as the Bitbucket one.

To prevent merging of a Merge Request with a failing Sonar Quality Gate for a given Pull Request, the recommended strategy is to fail the GitLab pipeline and then to have a GitLab rule that prevents merging with a failing pipeline.

We often have the case of some findings being marked as false positive in the SonarQube server.
In that case the gate is turned to green.
This is reflected in the GitLab, the comment is updated:

But the corresponding pipeline stays red. So we would have to re-run it. This is a problem for our setup.

So we came up with our small tool that reports the Sonar Quality Gate as external status check on GitLab (Ultimate): u-sonar-status

This tool reacts to the Sonar Webhook Event, where the revision value is present (aka sonar.scm.revision). We can match the revision against the head commit of the source branch of the MR. This works great.

But there is a second flow: we also need to react to a GitLab event, when GitLab asks for the status for a given commit on an MR. In that case you should check the quality gate in Sonar. But to be accurate you need the sonar.scm.revision value. The GitLab event is emitted especially when there is a new commit added to the MR.
So checking the status of a given Pull Request in SonarQube without the revision will be wrong in most cases.

I hope SonarQube will be aligned with SonarCloud soon.
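
An added example, not part of the thread and not the code of the tool mentioned above: one way to keep both flows accurate on SonarQube is to remember the revision from each authenticated webhook and report a gate result only when it belongs to the commit GitLab is asking about. The class and method names, the passed/failed/pending labels and the sample payload are hypothetical; the webhook field names and the HMAC-SHA256 hex signature (sent when a webhook secret is configured) are assumptions to check against your server version.

```python
import hashlib
import hmac
import json

# Constructed sample of a SonarQube webhook body for a pull request analysis.
SAMPLE_WEBHOOK = json.dumps({
    "project": {"key": "my-project"},
    "branch": {"name": "1", "type": "PULL_REQUEST"},
    "revision": "789aa2365d8aed57428b91636ac6a6899c2b3a7b",
    "qualityGate": {"status": "ERROR"},
}).encode()


class RevisionStore:
    """Remembers, per (project, pull request), the last analysed revision."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = {}  # (project key, PR key) -> analysed commit sha

    def on_webhook(self, body: bytes, signature_hex: str) -> bool:
        """Record the revision from an authenticated webhook; False if rejected."""
        expected = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return False  # an unauthenticated sender must not influence the gate
        event = json.loads(body)
        branch = event.get("branch") or {}
        if branch.get("type") != "PULL_REQUEST" or not event.get("revision"):
            return False  # not a pull request analysis, nothing to track
        self._seen[(event["project"]["key"], branch["name"])] = event["revision"]
        return True

    def status_for(self, project: str, pr: dict, head_sha: str) -> str:
        """Map one entry of api/project_pull_requests/list to a check result."""
        # SonarCloud returns commit.sha; SonarQube 9.9 omits it, so use the store.
        analysed = (pr.get("commit") or {}).get("sha") \
            or self._seen.get((project, pr["key"]))
        if analysed != head_sha:
            return "pending"  # gate belongs to another (or an unknown) commit
        gate = pr["status"]["qualityGateStatus"]
        return "passed" if gate == "OK" else "failed"
```

Because the gate value is read from the list entry at query time, a finding marked as false positive after the analysis is reflected without a new pipeline run, while a newly pushed commit stays pending until its own analysis arrives.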

Hi,

I’ve moved this to the ‘Product Manager for a Day’ category since, as acknowledged, the functionality doesn’t exist.

 
Ann