SonarQube Azure DevOps Build ID

Abhishek_Rai · March 24, 2023, 7:21am

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) 9.8
how is SonarQube deployed: zip, Docker, Helm
Azure DevOps pipeline job
what are you trying to achieve
I am pulling scan results from the SonarQube API. When I do so, I am including the buildId in the request as well. I want to ask, does SonarQube identify the build ID? If I do not include it, which resuls would be returned?
what have you tried so far to achieve this
General question.
Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Colin · March 27, 2023, 2:50pm

Hey there.

Can you provide some more context about what you’re doing here?

How are you constructing your API call (which API are you using, what query parameters are you including…)

Abhishek_Rai · March 27, 2023, 2:54pm

Hi Colin, Thank You for your response. I am trying to gain some understanding about the build Id of an Azure DevOps pipeline with respect to SonarQube. How does the API respond when I pass the build Id. Is there a build ID specific scan that gets returned? That would imply that that if I do not pass the build ID to the API, the latest scan for that pipeline would be returned? or is it something else entirely.

for e.g sonarqube.org.com/search/issues/.../&branch=Dev&BuildId=34521

Colin · March 29, 2023, 8:46am

Hey there.

SonarQube doesn’t know anything about the Azure DevOps Build ID – and BuildId is not a valid query parameter (you can find all valid query parameters in the Web API documentation, linked in the footer of your instance).

GET api/issues/search is not an API that you can retrieve historical data for – it represents the current state of issues for a project, not a specific scan.

Can you explain a bit more what you’re trying to do with an API call that queries issues for a specific scan? I’m interested in your use-case and if there’s something else in SonarQube that can help.

Abhishek_Rai · March 29, 2023, 9:10am

I have a list of Azure Pipelines and I am trying to get the scan results for them. For e.g one of the queries is f"{base_url}?component={key}&metricKeys=alert_status,code_smells,security_rating,violations,bugs,coverage,duplicated_lines_density&buildId={id}&branch={bran}"
The other is f"https://sonarqube.org.com/api/issues/search?componentKeys={key}&ps=500&&buildId={id}&branch={bran}

I include the build ID in the query. The base url is the sonarqube URL with the id of the project. My understanding was that the results returned are for that particular build ID…is it not?

I have been running this for quite some time and there was no error message or anything about the buildId not being a valid parameter, so I continued.

Edit:- I look at the data, I have thousands of pipelines. So, I see that for a particular pipeline, it returns the latest scan results only. SonarQube identifies branch but not the buildId. It overwrites every time the scan is run.

Colin · March 30, 2023, 8:03am

It’s not. As it’s not a valid parameter, it’s just junk.

What I’m really interested in is what you’re exporting this data for – what is the SonarQube UI lacking for you that you need to export the data for each Build ID?

Abhishek_Rai · March 30, 2023, 9:27am

That doesn’t really has to do with SonarQube as such. I just need to report weather people are scaning their Azure builds or not. So, if there is a sonarqube found in the logs, I call the sonarqube API.

Colin · March 30, 2023, 2:52pm

If you find a SonarQube in the Azure DevOps logs, isn’t it implied that they’re scanning their azure builds?

Abhishek_Rai · March 30, 2023, 4:10pm

No. That is what I need to check. There are pipelines which are being scanned and there are pipelines which are not. Which should not be the case. So, I am gathering that info and need to present it.