How to reverse engineer the Sonar Web API

Every action that is taken in the SonarQube / SonarCloud UI is driven by the Web API. There is nothing you can do in SonarQube / SonarCloud that you cannot do using the Web API.

:warning: We put a great deal of effort into the UI and UX of our products and sincerely think that most actions should be completed there. Especially when it comes to viewing analysis results, the UI is the best place to view up-to-date information with the right context. We think it is much better that you give access to others to view analysis data within our products, rather than craft some export.

And, we recognize that there are common administrative actions where using Web APIs to help with automation makes sense. There are also surely some interesting reports not available in the UI where you would need to export the data from SonarQube.

A link to the Web API documentation for your SonarQube instance can always be found in the footer of your instance. The SonarCloud Web API is documented here.

You’ll find that most endpoints are properly documented, while some are not or are lacking in documentation.

If you’re not sure which Web API to use, you can reverse engineer what’s happening in the UI by diving into your browser’s dev tools.

Example: Retrieve historical coverage measures

  • Go to the Activity tab of a project

  • Open your browser’s dev tools (here we’ll use Chrome), switch to the Network tab, and select the Fetch/XHR filter:

  • Switch the metric filter to Coverage

Suddenly, it’s very clear from the Request URL which API was called. The Payload tab and Preview/Response tabs make it clear what query parameters are used and what the response was.

Thanks to Discourse for the inspiration

9 Likes
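
The dev-tools procedure above can also be worked through offline: export the Network tab as a HAR file and list the Web API calls it contains. This is an added example, not part of the original post or Sonar's own code; the host, project key and HAR entries are constructed, and the endpoint paths in the sample are assumptions about what the UI calls.

```javascript
// Constructed sample: trimmed HAR export from the Network tab ("Save all as HAR").
// The host, context path and project key are made up for illustration.
const BASE = "https://sonarqube.example.com/sonar";
const get = (path) => ({ request: { method: "GET", url: BASE + path }, response: { status: 200 } });
const sampleHar = { log: { entries: [
  get("/js/main.js"),
  get("/api/measures/search_history?component=my-project&metrics=coverage&ps=1000"),
  get("/api/measures/search_history?component=my-project&metrics=bugs&ps=1000"),
  get("/api/project_analyses/search?project=my-project"),
  { request: { method: "POST", url: BASE + "/api/project_tags/set",
      postData: { params: [{ name: "project", value: "my-project" }, { name: "tags", value: "team-a" }] } },
    response: { status: 204 } },
] } };

// One row per method + endpoint with call count, statuses and parameters seen.
// Request headers and cookies are never read, so session tokens stored in the
// HAR file do not end up in the summary.
function summariseApiCalls(har, apiPrefix = "/api/") {
  const rows = new Map();
  for (const { request, response } of har.log.entries) {
    const url = new URL(request.url);
    const at = url.pathname.indexOf(apiPrefix);
    if (at === -1) continue; // static assets and other non-API traffic
    const path = url.pathname.slice(at + 1); // drops a context path such as /sonar
    const key = `${request.method} ${path}`;
    if (!rows.has(key)) {
      rows.set(key, { method: request.method, path, calls: 0, statuses: new Set(), params: new Map() });
    }
    const row = rows.get(key);
    row.calls += 1;
    row.statuses.add(response.status);
    for (const [name, value] of url.searchParams) {
      if (!row.params.has(name)) row.params.set(name, new Set());
      row.params.get(name).add(value);
    }
    // Form-encoded POST bodies: record parameter names only, values may be secrets.
    const bodyParams = (request.postData && request.postData.params) || [];
    for (const { name } of bodyParams) {
      if (!row.params.has(name)) row.params.set(name, new Set());
    }
  }
  return [...rows.values()].map((row) => ({
    method: row.method, path: row.path, calls: row.calls, statuses: [...row.statuses],
    params: Object.fromEntries([...row.params].map(([name, values]) => [name, [...values]])),
  }));
}

console.table(summariseApiCalls(sampleHar).map((r) => ({ ...r, params: JSON.stringify(r.params) })));
```
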

Hi Colin, I really like this explanation. I am not that much interested in frontend development and that made it hard for me to “grok” the easy way that Ann mentioned in some replies (how to eavesdrop on the Web API usage) :+1: For this, your howto helps a lot!

Concerning the below quoted paragraph (and combining it with your current survey question about “communitysm”) … maybe you might be able to find a way how to “channel” some energy concerning “common administrative actions”? I really would be looking forward to it! (because some lonely helpful threads really get easily lost in the sea of new postings).

Sadly, I was not able to find an easy solution … how to structure that? By tag? In its own “compartment” (e.g. smth like here)? I have no good suggestion to make :confused:

1 Like

Hey Colin,

great post! This is exactly what I have been using for years to get in deeper with many tools.
I remember with a shudder the crappy browser tools of IE 11, but these days press F12 and start diving :joy:

Gilbert

1 Like

I hope this is on-topic (enough), but I’ve been using both the Web API documentation and the network activity in the UI to help me with building automations for SonarCloud. The Web API is especially useful as it lets me generate a typed client by inspecting https://sonarcloud.io/api/webservices/list. (I have a go-sonarcloud client which, in turn, is used to build a Terraform provider for SonarCloud.)

My question is now: how should I deal with either deprecated endpoints or endpoints that are missing in the webservices/list? I figure for missing endpoints I could open a feature request at https://portal.productboard.com/sonarsource/1-sonarcloud/ , though it doesn’t feel like a feature request.

As an example of where I’m having problems: there are two important endpoints regarding permissions that have been marked deprecated for well over a year, but they still work. The API endpoints that replace them are not registered yet in the Web API Documentation, though they are in use by the UI. I’m still using the deprecated API endpoints, simply because I can generate the client code for them. I’d have to do manual work to add support for the new endpoints, and I kind of hate doing manual work :sweat_smile:.

Do you have any tips for a course of action here @Colin?

1 Like
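
Comparing what the UI calls with what `api/webservices/list` registers shows which endpoints a generated client cannot cover and which ones it covers only through deprecated actions. This is an added example, not part of the post above or of go-sonarcloud; the response fields used (`webServices[].path`, `actions[].key`, `deprecatedSince`, `internal`, `params[].key`) are the assumed shape of that response, and the `api/example` service is hypothetical.

```javascript
// Constructed sample in the assumed shape of the api/webservices/list response.
// "api/example" and its actions are hypothetical placeholders.
const sampleList = { webServices: [
  { path: "api/measures", actions: [
    { key: "search_history", internal: false,
      params: [{ key: "component" }, { key: "metrics" }, { key: "ps" }] },
  ] },
  { path: "api/example", actions: [
    { key: "old_action", deprecatedSince: "1.0", internal: false, params: [{ key: "project" }] },
  ] },
] };

// Constructed sample: endpoints and parameter names seen in the browser's Network tab.
const observedCalls = [
  { path: "api/measures/search_history", params: ["component", "metrics", "ps"] },
  { path: "api/example/old_action", params: ["project", "extra"] },
  { path: "api/example/new_action", params: ["project"] },
];

// Index every registered action by its full path, e.g. "api/measures/search_history".
function indexActions(list) {
  const index = new Map();
  for (const service of list.webServices) {
    for (const action of service.actions || []) index.set(`${service.path}/${action.key}`, action);
  }
  return index;
}

// Label each observed call and list parameters the registry does not describe.
function classifyCalls(calls, list) {
  const index = indexActions(list);
  return calls.map(({ path, params }) => {
    const action = index.get(path);
    if (!action) return { path, status: "not-registered", unregisteredParams: params };
    const known = new Set((action.params || []).map((p) => p.key));
    let status = "registered";
    if (action.internal) status = "internal";
    if (action.deprecatedSince) status = `deprecated since ${action.deprecatedSince}`;
    return { path, status, unregisteredParams: params.filter((name) => !known.has(name)) };
  });
}

console.table(classifyCalls(observedCalls, sampleList));
```
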