Questions/concerns from someone coming from Sonar LTA 9.9.8 going to latest 2025.1

Using GitHub Enterprise 3.13 and GitHub Actions with SonarQube 9.9.8 and will be upgrading my prod environment to the latest 2025.1. Will there be any adjustments needed in my pipeline in order to integrate the current GitHub Actions workflow with the latest SonarQube LTA 2025.1?

I already installed latest 2025.1 LTA in my dev environment but it doesn’t have a good workflow to test this on.

Also, will this AI CodeFix feature make the gateway check stricter? Also, what happens if I decide not to enable the AI CodeFix feature? Will I get all the security issues that got patched and the other new features minus AI CodeFix if I decide not to enable it?

Upgrade notes that affect Analysis can be found in the LTA to LTA Upgrade Notes but in principle, no, your actions should continue to work. However, we recommend using the latest major version of Official SonarQube Scan · Actions · GitHub Marketplace · GitHub

I’m not sure what you mean by “make the gateway check more stricter” – but anyway, AI CodeFix is completely opt-in. You can get everything else and not turn this on. :slight_smile:

Thanks Colin for the quick response. Glad to know that I can get everything else except the AI-Codefix feature.

Btw, you mentioned that it’s recommended to use the latest major version of Official SonarQube Scan · Actions · GitHub Marketplace · GitHub. I don’t remember having that set up in my GitHub Enterprise instance. Whenever SonarQube is called to do a quality check step in the workflow/pipeline we use this:

npm run sonar -Dsonar.branch.name=${{ inputs.branch_name }} -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }}

then after a series of steps, it calls another repo to do the SonarQube quality gate check. I can’t articulate here in detail what it does, but I notice that in the said repo there’s a check-quality-gate.sh; I assume this is how the code quality check is being called for SonarQube to run.

#!/usr/bin/env bash

source "$(dirname "$0")/common.sh"

if [[ -z "${SONAR_TOKEN}" ]]; then
  echo "Set the SONAR_TOKEN env variable."
  exit 1
fi

metadataFile="$1"

if [[ ! -f "$metadataFile" ]]; then
   echo "$metadataFile does not exist."
   exit 1
fi

if [[ ! -z "${SONAR_HOST_URL}" ]]; then
   serverUrl="${SONAR_HOST_URL%/}"
   ceTaskUrl="${SONAR_HOST_URL%/}/api$(sed -n 's/^ceTaskUrl=.*api//p' "${metadataFile}")"
else
   serverUrl="$(sed -n 's/serverUrl=\(.*\)/\1/p' "${metadataFile}")"
   ceTaskUrl="$(sed -n 's/ceTaskUrl=\(.*\)/\1/p' "${metadataFile}")"
fi

if [ -z "${serverUrl}" ] || [ -z "${ceTaskUrl}" ]; then
  echo "Invalid report metadata file."
  exit 1
fi

task="$(curl --silent --fail --show-error --user "${SONAR_TOKEN}": "${ceTaskUrl}")"
status="$(jq -r '.task.status' <<< "$task")"

until [[ ${status} != "PENDING" && ${status} != "IN_PROGRESS" ]]; do
    printf '.'
    sleep 5s
    task="$(curl --silent --fail --show-error --user "${SONAR_TOKEN}": "${ceTaskUrl}")"
    status="$(jq -r '.task.status' <<< "$task")"
done

analysisId="$(jq -r '.task.analysisId' <<< "${task}")"
qualityGateUrl="${serverUrl}/api/qualitygates/project_status?analysisId=${analysisId}"
qualityGateStatus="$(curl --silent --fail --show-error --user "${SONAR_TOKEN}": "${qualityGateUrl}" | jq -r '.projectStatus.status')"

#TODO this needs to be removed after investigation
#echo '::set-output name=quality-gate-status::PASSED'

# TODO need to uncomment this after sonarqube verification

if [[ ${qualityGateStatus} == "OK" ]]; then
   echo '::set-output name=quality-gate-status::PASSED'
   success "Quality Gate has PASSED."
elif [[ ${qualityGateStatus} == "WARN" ]]; then
   echo '::set-output name=quality-gate-status::WARN'
   warn "Warnings on Quality Gate."
elif [[ ${qualityGateStatus} == "ERROR" ]]; then
   echo '::set-output name=quality-gate-status::FAILED'
   fail "Quality Gate has FAILED."
else
   echo '::set-output name=quality-gate-status::FAILED'
   fail "Quality Gate not set for the project. Please configure the Quality Gate in SonarQube or remove sonarqube-quality-gate action from the workflow."
fi

So, granted those things that I said, will it be a show stopper (will my GitHub Actions not work) if I don’t get that latest SonarQube Scan from the GitHub Marketplace?
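As an added example (not the poster’s check-quality-gate.sh nor anything from Sonar), here is the same report-task.txt → Compute Engine task poll → `project_status` flow in Python, with the two cases the bash `until` loop silently falls through handled explicitly: a CE task that ends FAILED or CANCELED (its `analysisId` is then null) and a task that never leaves IN_PROGRESS. The `fetch_json` callable, the fake server and the sample report file are constructed stand-ins so it runs offline; the host name is a placeholder.

```python
# Added example (not the poster's check-quality-gate.sh): same report-task.txt
# -> CE task poll -> project_status flow; fetch_json(url)->dict is injected.
import re
import time
GATE_TO_OUTPUT = {"OK": "PASSED", "WARN": "WARN", "ERROR": "FAILED"}

def parse_report_task(text, host_url=""):
    """Mirror the script's sed logic: use the file's URLs, or rebuild both from SONAR_HOST_URL."""
    props = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    server, ce_task = props.get("serverUrl", ""), props.get("ceTaskUrl", "")
    if host_url:  # keep only the /ce/task?id=... tail, as the sed does
        base, tail = host_url.rstrip("/"), re.search(r"/api(.*)$", ce_task)
        server, ce_task = base, (base + "/api" + tail.group(1)) if tail else ""
    if not server or not ce_task:
        raise ValueError("Invalid report metadata file.")
    return {"serverUrl": server, "ceTaskUrl": ce_task}

def check_quality_gate(meta, fetch_json, sleep=time.sleep, max_polls=120):
    """Return (task_status, gate_status, quality-gate-status output value)."""
    status, task = None, {}
    for _ in range(max_polls):
        task = fetch_json(meta["ceTaskUrl"])["task"]
        status = task["status"]
        if status not in ("PENDING", "IN_PROGRESS"):
            break
        sleep(5)
    if status != "SUCCESS":  # FAILED, CANCELED or still running: no analysisId to query
        return status, None, "FAILED"
    url = f"{meta['serverUrl']}/api/qualitygates/project_status?analysisId={task['analysisId']}"
    gate = fetch_json(url)["projectStatus"]["status"]
    return status, gate, GATE_TO_OUTPUT.get(gate, "FAILED")

def make_fake_server(task_states, gate="OK"):
    """Constructed stand-in for curl: serves task_states in order, last one repeats."""
    states = list(task_states)
    def fetch_json(url):
        if "/api/ce/task" in url:
            st = states.pop(0) if len(states) > 1 else states[0]
            return {"task": {"status": st, "analysisId": "AX-constructed"}}
        return {"projectStatus": {"status": gate}}
    return fetch_json

SAMPLE_REPORT = ("projectKey=demo\nserverUrl=http://old-host:9000\n"
                 "ceTaskUrl=http://old-host:9000/api/ce/task?id=AZ-constructed\n")

def demo():
    meta = parse_report_task(SAMPLE_REPORT, host_url="https://sonar.example.invalid/")
    ok = check_quality_gate(meta, make_fake_server(["PENDING", "IN_PROGRESS", "SUCCESS"]), sleep=lambda s: None)
    bad = check_quality_gate(meta, make_fake_server(["PENDING", "FAILED"]), sleep=lambda s: None)
    return meta["ceTaskUrl"], ok, bad
```

Two version-related details in the posted pipeline are worth checking during the upgrade: `sonar.login` has been deprecated in favour of `sonar.token` since SonarQube 10.0, and GitHub Actions has deprecated the `::set-output` workflow command in favour of writing `name=value` to the file named by `$GITHUB_OUTPUT`.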

Ah sorry, I made some assumptions!

So if you’re not using the SonarQube GitHub Action, I assume you might be using something like the SonarScanner for NPM? Unfortunately, not knowing much about your project, I’m a bit blind here. If you’ve got a scripts section in your package.json or similar file, it should tell you where the sonar-scanner is coming from.

That script you reference later does something else (checks the Quality Gate after analysis has already run).

In any case, scanner version requirements change rarely, and the only notable one in the upgrade notes isn’t relevant for you.

SonarScanner for .NET compatibility (10.4)

Starting with SonarQube 10.4, analysis of .NET projects requires SonarScanner for .NET 5.14+.

The absolute worst that would happen is you have to bump a version number somewhere if you’re using an absolutely ancient version of the scanner.