How to identify specific component measures? (without pullRequest available)

  • ALM used: GitHub
  • CI system used: GitHub Actions
  • Scanner command used when applicable: mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=org_project
  • Languages of the repository: Java

Hi community,

I’m setting up safe analysis of a GitHub project for pull requests via GitHub Actions, according to Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | GitHub Security Lab. This works in two steps:

  1. On a PR, run Workflow 1:
    1. Run the build, including tests, in an unprivileged environment
    2. Upload the project (including target/, etc.) and the PR number (see GitHub tutorial above) as an artifact
  2. Listen to the completion of Workflow 1, then run Workflow 2 with privileges (access to tokens; note: this doesn’t have the PR context!):
    1. Download and unzip the artifact
    2. On the downloaded project, run mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=org_project
    3. Query the Sonarcloud Web API to retrieve measures, e.g., curl -u "$SONAR_TOKEN": ",new_vulnerabilities,new_security_hotspots" -o measures.json

This is all good and well, and gives me the measures I want, but I cannot be sure if these are the measures from the workflow run in which I run the Maven Plugin.

Is there a way to retrieve these measures deterministically for a specific run?

In /api/measures/component, I have the following parameters:

  • additionalFields: Can I set an additional field via the Maven plugin to identify the measures via this?
  • branch: The analysis is run as if it was on the default branch, unusable
  • component: :white_check_mark:
  • metricKeys: :white_check_mark:
  • pullRequest: I have the PR number, but the analysis isn’t run on the PR itself, but in a privileged “context-less” environment.

I have tried mvn -B sonar-maven-plugin:sonar ... -Dsonar.analysis.customid="$(cat ../pr/NR)_$GITHUB_RUN_ID", but am unsure if I can/how to retrieve measures via this customid.

Thanks for any help with this!

If you run the scanner like this, when the pull request context is not available, then SonarCloud will receive it as a regular long-branch analysis of the default branch of the project. It seems to me that’s not really what you want. It seems to me you want pull request analysis here.

Just to be clear, what is “pull request context”: it’s a bunch of environment variables set by GitHub, which SonarCloud uses to detect the correct parameters for a pull request analysis. You could configure the pull request parameters yourself, they are:

  • sonar.pullrequest.key= the PR number on GitHub
  • sonar.pullrequest.base= the branch into which you want to merge
  • sonar.pullrequest.branch= the name of the branch of the PR

If you provide this configuration, I believe the scan should appear as a pull request analysis on SonarCloud, and then you’ll be able to call /api/measures/component with the pullRequest parameter to get the details you wanted, and be reasonably sure that it comes from the specific analysis.
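As an added example (not code from either poster in this thread), the following POSIX shell helpers put the answer above together for the privileged Workflow 2: they build the three sonar.pullrequest.* scanner arguments from the values carried in the artifact, then build the /api/measures/component query with the pullRequest parameter so the measures come from that specific PR analysis. Assumptions not taken from the thread: the artifact is unzipped into a pr/ directory holding NR, BASE and BRANCH files, the project key is org_project (as in the question), and the API is reached at SonarCloud's public host https://sonarcloud.io. Because the artifact was produced by an unprivileged run of untrusted PR code, the PR number and branch names are validated before they are placed on a command line.

```shell
#!/bin/sh
# Added example, not from the original thread. Runs a SonarCloud pull request
# analysis from a privileged workflow that has no GitHub PR context, then
# queries the measures of that specific PR analysis.
# Assumed layout (placeholder, not from the page): a pr/ directory unzipped
# from the unprivileged workflow's artifact with files NR, BASE and BRANCH.

# The artifact comes from an unprivileged run of untrusted PR code, so treat
# its contents as untrusted input: accept only a plain decimal PR number.
validate_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Branch names from the artifact: reject empty values, whitespace and a
# leading '-' so they cannot be read as extra scanner options.
validate_ref() {
  case "$1" in
    ''|-*|*[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Scanner arguments that replace the missing PR context
# (sonar.pullrequest.key / base / branch, as described in the answer).
sonar_pr_args() {
  pr_key="$1"; pr_base="$2"; pr_branch="$3"
  validate_pr_number "$pr_key" || return 1
  validate_ref "$pr_base" || return 1
  validate_ref "$pr_branch" || return 1
  printf '%s' "-Dsonar.projectKey=org_project -Dsonar.pullrequest.key=$pr_key -Dsonar.pullrequest.base=$pr_base -Dsonar.pullrequest.branch=$pr_branch"
}

# /api/measures/component query selecting the PR analysis via pullRequest.
sonar_measures_url() {
  pr_key="$1"
  validate_pr_number "$pr_key" || return 1
  printf '%s' "https://sonarcloud.io/api/measures/component?component=org_project&metricKeys=new_vulnerabilities,new_security_hotspots&pullRequest=$pr_key"
}

# Usage in Workflow 2, after the artifact has been downloaded and unzipped.
# SONAR_TOKEN is expected in the environment of the privileged workflow.
run_pr_analysis() {
  pr_key=$(cat pr/NR); pr_base=$(cat pr/BASE); pr_branch=$(cat pr/BRANCH)
  args=$(sonar_pr_args "$pr_key" "$pr_base" "$pr_branch") \
    || { echo "refusing to scan: invalid PR data in artifact" >&2; return 1; }
  # shellcheck disable=SC2086  # $args is intentionally word-split into options
  mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar $args || return 1
  curl -sf -u "$SONAR_TOKEN:" "$(sonar_measures_url "$pr_key")" -o measures.json
}
```

The validation step matters in this two-workflow setup: the only thing the privileged job knows about the PR is what the unprivileged job wrote into the artifact, so those values are exactly as untrusted as the PR itself and should never be spliced into a command line unchecked.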