Proper Monorepo Configuration for Managing Large Amount of Shared Code

I’m looking to set up Sonarqube for our repository and having trouble figuring out how to configure projects for our use case.

We have a mono-repo with 6 sub-projects that are released as a single unit. All projects are written in C, and each generates a separate compile_commands.json file. About 80% of the code between these projects is shared. For this reason, I don’t want to create 6 separate Sonarqube projects, because then I would need to manage duplicate vulnerabilities/bugs across each project. But it doesn’t look like I can share a single Sonarqube project, because each time I scan, it overwrites the previous result.

Any advice on creating a project structure for this application? Is there a way to scan multiple compile_commands.json files in a single scan and combine the results? There seems to be a concept of an “Application” that may apply here, but it’s really hard to find more information about this: Applications | SonarQube Server Documentation.

Thanks

Hi,

Welcome to the community!

I suppose this means they build separately?

With this much shared code, I have to ask whether you could just output one json file and analyze it as one project?

Generally, it’s one project per build, and analyses are not additive. Each new analysis replaces/updates what came before.

If you’ve got 6 separate builds, then yes, this should be 6 separate projects / analyses.

You should be able to handle this with exclusions. At a minimum, issue exclusions would remove the need to manage duplicate issues, while full file-level exclusions would keep you from being double- (or quintuple-) charged for the license LOC. That said, it’s not clear to me how well C analysis would handle having necessary files present in the json but excluded from (i.e. not read by) analysis. So this may take some experimentation.

BTW, an Application is an aggregation that, yes, is designed to pull together the ratings and Quality Gate status of separate projects that ship together so that you have one place to go for a centralized overview. But its use would be on top of correctly configuring analysis.

HTH,
Ann

Hi Ann,

Thanks for the thorough reply.

I would love to analyze things as one project, but wasn’t sure if it was valid to combine compile commands from different builds into a single project. These separate projects may share the same files but have separate toolchains/compiler flags, so I’m not sure how the Sonarqube scanner is going to handle that. I’ll do some testing.
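As an added example (not code posted by anyone in this thread), a small Python script that merges several compile_commands.json files into one database for a single analysis and reports every source file that appears in more than one build with different compiler flags, which is exactly the toolchain/flag concern raised above. The sample databases, paths and flags are constructed for illustration.

```python
"""Merge several compile_commands.json files into one for a single SonarQube analysis."""
import json
import os
from typing import Iterable

def _abs_file(entry: dict) -> str:
    # "file" may be relative to "directory"; normalise so the same source file
    # is recognised whichever sub-project build emitted it.
    return os.path.normpath(os.path.join(entry["directory"], entry["file"]))

def _cmd(entry: dict):
    # A compilation database entry carries either "arguments" or "command".
    return entry.get("arguments") or entry.get("command")

def merge_compile_commands(databases: Iterable[list]) -> tuple[list, list]:
    """Return (merged_entries, conflicts). The first entry seen for a source file
    is kept; a later entry for the same file with different flags is recorded in
    conflicts so differing toolchains/flags are visible, not silently dropped."""
    merged: dict[str, dict] = {}
    conflicts: list[dict] = []
    for db in databases:
        for entry in db:
            path = _abs_file(entry)
            if path not in merged:
                merged[path] = entry
            elif _cmd(merged[path]) != _cmd(entry):
                conflicts.append({"file": path, "kept": _cmd(merged[path]),
                                  "dropped": _cmd(entry)})
    return list(merged.values()), conflicts

def merge_files(paths: Iterable[str], out_path: str) -> list:
    """Load each compile_commands.json, write the merged one, return conflicts."""
    dbs = [json.load(open(p)) for p in paths]
    merged, conflicts = merge_compile_commands(dbs)
    with open(out_path, "w") as f:
        json.dump(merged, f, indent=2)
    return conflicts

# Constructed sample: two sub-project builds share shared/util.c but compile it
# with different compilers and defines, as described in the thread.
PROJ_A = [
    {"directory": "/src", "file": "shared/util.c", "command": "gcc -DPROJ_A -c shared/util.c"},
    {"directory": "/src", "file": "a/main.c", "command": "gcc -DPROJ_A -c a/main.c"},
]
PROJ_B = [
    {"directory": "/src/b", "file": "../shared/util.c", "arguments": ["clang", "-DPROJ_B", "-c", "../shared/util.c"]},
    {"directory": "/src/b", "file": "main.c", "arguments": ["clang", "-DPROJ_B", "-c", "main.c"]},
]

if __name__ == "__main__":
    print(merge_compile_commands([PROJ_A, PROJ_B])[1])
```

Files listed in the conflicts output are the ones to check by hand before trusting a single merged analysis, since only one flag set is kept for each.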

Hi,

It may also be worth looking at this:

(And it may not. :joy: )

Ann