I’m currently attempting to move the Google Checkstyle ruleset to SonarQube in order to benefit from the SonarQube features. I was able to successfully do that by configuring each rule manually one by one and comparing the ruleset with the one I started from.
We are using SonarQube Developer Edition version 126.96.36.199863, and the latest Checkstyle plugin, 4.30.
I see that we are able to get the original ruleset by going to the quality gate where I configured the rules, and I get a URL like: http://mysonarqube/profiles/show?language=java&name=Sonar+Way+with+Collibra+Checkstyle
However, I read some rumors on several fora on the internet that there would be permalinks with anonymous access to these rulesets? The current URL looks brittle and requires authentication. I would like to allow all devs to configure this URL from the IntelliJ plugin and also to use it from our Checkstyle plugin in Gradle if they want. However, maintaining this URL everywhere, including credentials, is quite costly. One single change of the name of the quality gate, etc., will have an impact everywhere.
How can I mitigate the risks related to this problem? Are there permalink capabilities or not?
Welcome to the community!
It’s not clear to me what you’re trying to accomplish. I’m not aware of any plans internally to change what links are available to individual Quality Profiles. What more would you expect versus the kind of link you’ve already demonstrated? It’s not like the link is going to change unless you rename your profile… and why would you do that?
I was looking into some kind of confirmation whether the link described e.g. in this forum: https://stackoverflow.com/questions/8155404/how-to-export-findbugs-pmd-checkstyle-rules-from-sonar-and-import-into-netbeans actually is possible.
If indeed I keep the name identical, the current one I have should not break. The only thing is then I need to manage credentials properly, and that will require some custom code and maintenance to handle that. If there were a way to have anonymous access to the Checkstyle ruleset only, that would make it a lot easier.
Even so, it looks like adding authentication currently is only possible with https://username:password@mysonarqube/… This is very insecure, and for this Checkstyle ruleset it would be preferred for sure to have no authentication at all, instead of exposing credentials in plain text over the network.
Is there a way to use tokens here or any other solution?
I would like to use Checkstyle using Gradle or by using the Checkstyle IntelliJ plugin. Both don’t seem to support the tokens and seem only usable by doing it as described above.
So first, that SO answer is pretty old. As I guess you’ve discovered, there’s no longer a ‘permalinks’ section (if there ever was one - I don’t remember one…) on a Quality Profile. Second, unless your entire instance is locked down, you don’t need credentials to access Quality Profiles.
Third, in connected mode SonarLint automatically runs your profile against your code. The caveat is that it’s the built-in rules only, not the ones from community plugins. However, you want to run Checkstyle rules. In that case it may be easiest to manage your Checkstyle profile outside of SonarQube so you can use whatever IDE integration there is for that, run Checkstyle before SonarQube analysis, and then import the Checkstyle results as external issues.
Thanks, that makes my options clear. Some final questions:
- Is it possible to configure in SonarQube directly to allow anonymous access for this specific URL?
- Can we use a token in some way instead of the username - password in the URL http://username:firstname.lastname@example.org/…?
If you’ve locked down your entire SonarQube instance (login required to access anything) then you’ll need to log in to see… anything, including profiles. If you haven’t then profiles are available to anonymous users.
Sure. Just be aware that tokens - while they can’t be used via the UI - grant the bearer all the privs allowed to the token creator when used via the web API.
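
Token authentication against the web API, as an added example that is not part of the original thread: the token is sent as the HTTP Basic username with an empty password, in a header rather than in the URL. The `api/qualityprofiles/export` path, its parameter names and the `checkstyle` exporter key are assumptions to check against your instance's Web API documentation; the token and profile values are constructed placeholders.

```python
import base64
import urllib.request
from urllib.parse import urlencode, urlsplit

# Assumed endpoint; verify it in your instance's Web API documentation.
EXPORT_PATH = "/api/qualityprofiles/export"


def build_export_request(base_url, token, language, profile, exporter="checkstyle"):
    """Build (without sending) a token-authenticated profile export request."""
    parts = urlsplit(base_url)
    # Credentials in the URL end up in build files, shell history and proxy logs.
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the URL")
    # Basic auth is only base64-encoded, so the transport has to be TLS.
    if parts.scheme != "https":
        raise ValueError("refusing to send a token over plain HTTP")

    query = urlencode({
        "language": language,
        "qualityProfile": profile,  # assumed parameter name
        "exporterKey": exporter,    # assumed exporter key
    })
    request = urllib.request.Request(f"{base_url.rstrip('/')}{EXPORT_PATH}?{query}")

    # SonarQube user tokens go in the Basic username field with an empty password.
    basic = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {basic}")
    return request


if __name__ == "__main__":
    req = build_export_request(
        "https://mysonarqube",                 # host name from the thread
        "CONSTRUCTED_TOKEN_PLACEHOLDER",       # constructed value, not a real token
        "java",
        "Sonar Way with Collibra Checkstyle",
    )
    print(req.full_url)  # the token does not appear in the URL
```

Because the token carries all the privileges of the user who created it, generate it from a dedicated account with browse-only permissions and keep it in a credential store rather than in the Gradle build file.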