Merge Requests support for GitLab

So the problem isn’t a missing partnership with GitLab, but SonarQube removing some of its own features?

Yes, for GitLab, this solution would be perfect since GitLab users would never have to go to the SonarCloud UI - which is what they want (= keep their users inside their own UI only). You can understand that on our side, this is not acceptable because it totally breaks the user experience we expect for development teams to efficiently manage code quality. For instance, SonarCloud helps developers understand tricky bugs or vulnerabilities thanks to advanced navigation through the source code locations which led to the discovery of an issue. This is not possible in the UI of a merge request.

Also, commenting only is not a good way to achieve an automatic code review feature because it does not allow pushing a status on the pull request to prevent a merge when the quality requirements are not met.

The problem is related to GitLab’s product strategy: "GitLab is a single application for the entire software development lifecycle". By design, this prevents any good integration with other products/solutions.

I don’t think that is a fair assumption, at least not anymore.
They clearly have external application support as a milestone and probably would want to work with you on it: https://gitlab.com/groups/gitlab-org/-/epics/1252

Maybe you should ask what GitLab users want too :wink: They should be the center of all your discussions. To me it seems evident that GitLab remains the principal place where the development occurs, SonarQube analysis being just a part of the whole dev process.

In the merge request I’d like to get a good summary of what’s the quality of changes going to enter. Did the test coverage increase? How many new issues are added/resolved? etc…

Please note that with the current plugin you can break the pipeline:

That being said I agree that GitLab extensibility points are not perfect for now.

1 Like

Also, commenting only is not a good way to achieve an automatic code review feature because it does not allow pushing a status on the pull request to prevent a merge when the quality requirements are not met.

Yes it does, see below how easy it was, before preview mode died, via the https://github.com/gabrie-allaigre/sonar-gitlab-plugin plugin:

```yaml
# GitLab CI job: run the SonarQube analysis in preview mode on merge requests
# and pass the commit and project identifiers to sonar-gitlab-plugin.
code-quality:
  stage: test
  image: $DOCKER_MAVEN_IMAGE
  script:
    - mvn $MAVEN_CLI_OPTS
      org.jacoco:jacoco-maven-plugin:prepare-agent
      package
      sonar:sonar
      --define maven.test.failure.ignore=true
      --define revision=$CI_COMMIT_REF_NAME
      --define sonar.analysis.mode=preview
      --define sonar.gitlab.commit_sha=$CI_COMMIT_SHA
      --define sonar.gitlab.ref_name=$CI_COMMIT_REF_NAME
      --define sonar.gitlab.project_id=$CI_PROJECT_ID
  only:
    - merge_requests
```

If the quality gate is not good after the MR analysis, the sonarqube check (automatically added by the plugin) in the picture below is red and you cannot merge.

1 Like

Please forget the “preview” mode, this was a hacky way to get raw issues, and only raw issues. With the preview mode, you did not get coverage, duplication, the tracking of issue state over time, issue assignment to the relevant developers, the possibility to qualify an issue, the ability to drill down into an issue's multiple locations, and most importantly the quality gate defined for your project.

GitLab currently only wants to ingest our raw data. It might not bother the few of you who care only about raw issues, but it does bother us because it breaks the overall user experience that we’ve designed for our users and the value proposition that we bring to them. GitHub, Microsoft (with Azure DevOps) and Atlassian (with Bitbucket Cloud) allow us to bring this value to the development teams. Currently, GitLab does not.

3 Likes

Good or bad, but I cannot understand the current conception of the SQ team, even after discussions with an SQ rep and googling for information on the internet. The current position of SQ is unclear. Do you want to break CI ability? If not, please explain how I can get the results of verifying changed code. Let's suppose I do not trust the developer and want to verify what he/she changed in the code. How stable and issue-free is it after the change? And the project he is working on is not 2 but 20000 LOC (at least). Without preview mode I need to spend a long time to get results. What I want to say: SQ was a great tool before, fully compatible with CI/CD; now it is not. I tried to get integration with CI even in commercial versions, but it is not possible anyway.

@gateKeeper I suggest you try out the integrations we have with GitLab’s competitors, and you will see that SonarQube is perfectly compatible with CI/CD when the integration is done the right way.

2 Likes

@Fabrice_Bellingard Do you have a video showing the flow with GitHub ? I quickly looked but couldn’t find one.

We don’t have videos @jairbubbles, but this is indeed a very good idea to convey what we expect for our users :slight_smile: I’ll think about this!

Do you mean the integration that is in the Developer (commercial) edition you mentioned somewhere? Just because the community plugin looks like it stops working in the latest SQ 7, as I read above. And I support Julien’s idea about a video explaining how to configure and use such an integration (in community edition ??)

We (in our company) were so tired of waiting for a feature from SQ (with the sonarqube gitlab plugin) that would raise a red flag when code coverage on new or changed code is below 80% that we spent some fraction of our time implementing our own utility that takes java, jgit, jacoco and the formula from the SQ docs to calculate coverage. We wrapped it up into a docker image and just plugged it in beside the SQ preview job in Gitlab CI. Now we have branch analysis from Developer Edition and broken builds with insufficient coverage.

And now we are kind of stuck with SQ 7.6 Developer Edition where we want to have branch analysis with the Gitlab integration plugin, but we cannot upgrade to 7.7 to replace our own tool.

Is there a way out?
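A sketch of the kind of gate described in the post above, added here as an example; it is not the poster's utility and not SonarSource code. It assumes the coverage formula from the SonarQube docs, (CT + CF + LC) / (2*B + EL), with JaCoCo's per-line `cb` taken as covered conditions and `cb + mb` as total conditions; the diff and the JaCoCo report are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

HUNK = re.compile(r"@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
# Constructed sample inputs (not from the thread): one hunk and a matching JaCoCo report.
DIFF = """\
--- a/src/main/java/com/example/Calc.java
+++ b/src/main/java/com/example/Calc.java
@@ -10,1 +10,3 @@
 int add(int a, int b) {
+    if (a < 0) {
+        return -1;
"""
JACOCO = """<report name="demo"><package name="com/example"><sourcefile name="Calc.java">
<line nr="10" mi="0" ci="2" mb="0" cb="0"/><line nr="11" mi="0" ci="2" mb="1" cb="1"/>
<line nr="12" mi="1" ci="0" mb="0" cb="0"/></sourcefile></package></report>"""

def added_lines(diff):
    """Map each file in a unified diff to the new-side line numbers it adds."""
    result, path, new_no, old_left, new_left = {}, None, 0, 0, 0
    for line in diff.splitlines():
        if old_left <= 0 and new_left <= 0:        # outside a hunk: headers only
            if line.startswith("+++ "):
                path = line[4:].split("\t")[0].removeprefix("b/")
            elif m := HUNK.match(line):
                old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
        elif line.startswith("+"):                 # added line
            result.setdefault(path, set()).add(new_no)
            new_no, new_left = new_no + 1, new_left - 1
        elif line.startswith("-"):                 # removed line
            old_left -= 1
        elif not line.startswith("\\"):            # context line
            new_no, old_left, new_left = new_no + 1, old_left - 1, new_left - 1
    return result

def new_code_coverage(diff, jacoco_xml):
    """(covered branches + covered lines) / (branches + executable lines), added lines only."""
    changed, covered, total = added_lines(diff), 0, 0
    for pkg in ET.fromstring(jacoco_xml).iter("package"):
        for src in pkg.iter("sourcefile"):
            name = "/" + f"{pkg.get('name')}/{src.get('name')}".lstrip("/")
            lines = set().union(*(v for p, v in changed.items() if f"/{p}".endswith(name)))
            for ln in src.iter("line"):            # JaCoCo lists executable lines only
                if int(ln.get("nr")) in lines:
                    covered += int(ln.get("cb")) + (int(ln.get("ci")) > 0)
                    total += int(ln.get("cb")) + int(ln.get("mb")) + 1
    return covered / total if total else None      # None: nothing executable was added

def gate(diff, jacoco_xml, threshold=0.80):
    """True when new-code coverage meets the threshold; a CI job exits non-zero on False."""
    return (cov := new_code_coverage(diff, jacoco_xml)) is None or cov >= threshold
```

On the sample, line 10 is unchanged and therefore ignored; only the two added lines count, which is what keeps the gate independent of the size of the rest of the project.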

I can’t comment on what goes on behind closed doors but this:

“Nothing moved since my last message, and to be honest I don’t expect things to move in the near future given the “one-single-product-for-everything” strategy that GitLab follows. Basically, they don’t want integrations with tools/services which can lead their users to move out of the GitLab user experience”

seems to me to be a lot of… horse shite…

I suspect Microsoft’s GitHub acquisition to which was referred as “good partnership and a privileged relationship with the solution providers (Microsoft, Atlassian and GitHub)” carrying leverage?

Gitlab integrates with the Snyk service and guess what, you can check the status of the snyk service during a Merge Request, for example (Pass or Fail). In the case of a Fail you will be notified with the most relevant and critical information (at your fingertips). If you need to view their detailed report you can open it on their website: snyk.io.

So either you won’t integrate, you haven’t got time or you can’t integrate, which is which.

Hi all,

just wanted to update this thread since we had a discussion with GitLab about what we can do on this topic.

We (SonarSource) will start an effort to integrate SonarCloud with GitLab.com. Like we always do, we are going to go baby steps and see where this leads. We expect GitLab guys to help and support us along the way. We already know there will be some challenges at some point, but we hope and believe that by that time, we’ll know each other’s world better to find the best solutions to those concerns.

We plan to have something before the end of the year - yet I don’t know for now when we start. If you want to follow the topic, please watch https://jira.sonarsource.com/browse/MMF-1750

10 Likes

I guess this is good news!

Can we expect that we’ll be able to use the same integration on private GitLab instances afterwards?

EDIT: just saw the notes on the Jira link

2 Likes

Also, GitLab does allow adding asynchronous job results to pipelines.
But it seems that it’s no longer working for the merge requests pipelines (which are new). See https://gitlab.com/gitlab-org/gitlab-ce/issues/61794

1 Like

You may want to watch/upvote https://jira.sonarsource.com/browse/MMF-1787

Hello @Fabrice_Bellingard ~ In our need of integrating SonarQube with Gitlab, I ended up reading all the threads here on SonarSource community and gitlab.com. Just wanted to touch base here and ask if there are any updates you could share with us?

Hey there, we started looking at it during the summer, and we will start the first developments in the upcoming weeks. Note that as usual, we’ll progress step by step, so it will take a couple of minor SonarQube versions to have something which works for the main use cases.

Hi,

FYI

 
Ann

2 Likes