How to java + nodejs + gradle/maven scan in container

Hello there,

I know that something for official Docker images can be found here: GitHub - SonarSource/official-images: Primary source of truth for the Docker "Official Images" program

I am pessimistic when thinking I might find an official image there which would enable me to

  • scan a java based project (jdk11)
  • use gradle(w) or mvn(w) to build and scan
  • have node.js available to the scanner so that web stuff can be analysed

Could maybe someone point me in a direction that might help me concerning the above? Are there maybe custom examples available on the interwebs?

My goal would be to use such an image as the base for a jenkins-agent based quality check … so if there exists some example jenkins-setup for this already … I’d take that, too, gladly :slight_smile:

cheers
Daniel

Hi Daniel,

To be clear, our official images are officially (:face_with_hand_over_mouth:) here. And those are server images. If you really feel the need for a scanner image, that’s here. But that image is for the vanilla SonarScanner cli. If you want to do a Maven analysis or Gradle analysis, then there shouldn’t be a need for an image.

 
HTH,
Ann

Hi Ann,

Am I reaching for the wrong goal then?

I think I understand it better now: If I want to build/test/coverage/analyse a maven or gradle based web-app with jenkins-agent based qa … I “get” the sonarscanner part via maven/gradle plugins!

Which means that I “only” need a jenkins-agent-image which supports java/[mvn/gradle]/nodejs.

In the case that I want to analyse python or c# or smth else (without gradle) it might be useful to work with the scanner image. (edit: no, the scanner image mentions the following: NB: These Docker images are not compatible with C/C#/C++/Objective-C projects. … so this might work for python? :person_shrugging:)

Am I getting it right?

Hi Daniel,

Yes, you’re on the right track now.

The Docker SonarScanner image won’t work for C, C++, and Objective-C, and it’s not relevant for C#/.NET. For that you need the SonarScanner for .NET. But for other languages - including Python - it will work just fine.

 
HTH,
Ann

Hi Ann,

By chance I recalled my question from some weeks ago and re-read the thread. I think that my question still stands unanswered. :person_shrugging:

(I know we have some ppl here that maintain rather big automated setups, so they might be able to point to recipes or solutions already present that I did not find. What I mean by that is that I am not specifically looking to you, Ann, to find me a fine answer here :wink: )

I am envisioning a container setup where I volume-mount the directory containing the maven/gradle project. Then the tools that are baked into the container can do the work of building, testing, coveraging, scanning and node-js’sing and etc.

(This container could then also be used as a jenkins-agent, but the “true” question was concerning this container setup)

Has no one done something like this before?

Hi @daniel,

I am using something similar to your needs, I think. We are extending the official Jenkins jnlp agent image with the tools that we need and use it as our generic build image. Of course there is not a good separation of concerns here between projects. We solved it by different images and labels on the configured Jenkins k8s runners/jobs (Kubernetes).

Maybe this repo is useful to you: GitHub - gdisdevops/docker-images

Hope that helps (:


Hi (not)Tobi! yay, thank you! This definitely helps, as it inspires in multiple ways

  • not only Ann reads my posts :rofl:
  • checkov
  • a different approach than what I was envisioning

Anyone else? *looking.around * I would really like to get some more insights into different approaches

(@DefinitelyNotTobi in my thoughts I was envisioning something starting with a FROM gradle:7.6.0-jdk11-focal or FROM maven:3.8.6-eclipse-temurin-11 and then installing additional tooling. I already “found” jenkins inbound agent but did not envision this as the “host”-image! So your approach is valuable to me because I can dabble about different tradeoffs now :nerd_face: :+1: )

e.g.: “standalone” agents calling in on their own vs. jenkins-docker plugin setup to instruct docker/kubernetes instances

Does anyone have opinions about the different ways to handle this? I’d very much like to read them as much as I’d like to bury myself into more approaches/solutions :slight_smile:

cheers
Daniel

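One way to realise the container setup discussed in this thread, starting from the gradle:7.6.0-jdk11-focal base mentioned above. This is an added example, not code from any poster or from SonarSource; the Node.js tag, the /workspace path, the qa-agent image name and passing the server URL and token through the SONAR_HOST_URL and SONAR_TOKEN environment variables are assumptions.

```dockerfile
# Added example (not from the thread). Node tag and /workspace are assumptions.
# Tags are mutable; pin both base images by digest for reproducible agents.
FROM node:18-bullseye-slim AS node

FROM gradle:7.6.0-jdk11-focal

# The scanner needs a `node` binary on PATH to analyse JS/TS/CSS, so copy it
# from the official image instead of piping an install script from the
# network into a shell.
COPY --from=node /usr/local/bin/node /usr/local/bin/node
RUN node --version

# The project is bind-mounted here at run time; nothing project-specific
# and no credentials are baked into the image.
WORKDIR /workspace

# Assumes the project applies a recent org.sonarqube Gradle plugin
# (older plugin versions name the task `sonarqube`).
# For a wrapper-based project, override with: ./gradlew build sonar
CMD ["gradle", "--no-daemon", "build", "sonar"]

# Build: docker build -t qa-agent .
# Run from the project root; `-e NAME` without a value forwards the variable
# from the calling environment, keeping the token out of the image and argv:
#   docker run --rm --user "$(id -u):$(id -g)" \
#     -e GRADLE_USER_HOME=/workspace/.gradle-home \
#     -e SONAR_HOST_URL -e SONAR_TOKEN \
#     -v "$PWD":/workspace qa-agent
```

Running with the caller's UID keeps build output in the mounted directory owned by the host user; the same image can swap the first stage's target for maven:3.8.6-eclipse-temurin-11 and the command for `mvn verify sonar:sonar`.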