SonarQube Dev - Full code analysis

  • Version of SonarQube Dev: v10.6 (92116)
  • Installed via zip
  • I’m trying to do a first analysis of our code from a branch on self-hosted Gitlab

Hi there, I want to evaluate SonarQube for our current Gitlab repos (C/C++ code).
So far I’ve managed to implement the pipeline provided by SonarQube’s Import Project function.
We want to have a full report of our code base from a SonarQube test branch, because we don’t want to merge it into main/develop yet (for obvious reasons). Is there a parameter, switch, etc. that forces SonarQube into a complete scan rather than the iterative one it uses by default? I understand why this feature is awesome, but we want to evaluate SonarQube and need a full analysis of our software for that.

Our current gitlab-ci:

image: git.own-repo.de:5050/xxx/dockerimages/own_image:ev

variables:
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
  GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
stages:
  - get-binaries
  - build
  - sonarqube-check
  - sonarqube-vulnerability-report

get-binaries:
  stage: get-binaries
  cache:
    policy: push
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/

  script:
    - curl -sSLo ./sonar-scanner.zip 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.0.0.4432-linux.zip'
    - unzip -o sonar-scanner.zip
    - mv sonar-scanner-6.0.0.4432-linux sonar-scanner

  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'develop'

build:
  stage: build
  dependencies:
    - get-binaries
  script:
    - sudo apt-get update && sudo apt-get install -y openssh-client
    - eval $(ssh-agent -s)
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - echo "$CI_SERVER_GITLAB_PRIV_KEY" | tr -d '\r' | ssh-add -
    - ssh-keyscan git.own-repo.de >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    - sudo mkdir /deploy && sudo chown -R ciserver:ciserver /deploy
    - echo "[credential \"https://git.own-repo.de\"]" > /home/ciserver/.gitconfig
    - echo "        username = ciserver" >> /home/ciserver/.gitconfig
    - echo "        helper = \"!f() {  echo username=ciserver; echo password=$CI_SERVER_GITLAB_APIKEY; }; f\"" >> /home/ciserver/.gitconfig
    - cmake --preset ConfigRelease
    - cmake --build --preset BuildRelease --parallel
    - ctest --preset "Test Release all"

  cache:
    policy: pull-push
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/

sonarqube-check:
  stage: sonarqube-check
  dependencies:
    - get-binaries
    - build
  cache:
    policy: pull
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/

  script: sonar-scanner/bin/sonar-scanner -X --define sonar.host.url="${SONAR_HOST_URL}"
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'develop'

sonarqube-vulnerability-report:
  stage: sonarqube-vulnerability-report
  script:
    - 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=xxx_developer_xxx-template_6af7cbea-1d1f-4d80-9a76-be5782caa93c&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'develop'
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json

Hey there.

Any branch analysis should be a full analysis of the code – what signs are there that this isn’t the case?

Nothing found in a test project I’ve set up

While merging into main gave me

Also, the pipeline before merging the branch says:

14:51:59.181 INFO  Using git CLI to retrieve untracked files
14:51:59.183 WARN  Analyzing only language associated files, make sure to run the analysis inside a git repository to make use of inclusions specified via "sonar.text.inclusions"
14:51:59.189 INFO  2 source files to be analyzed
14:51:59.206 INFO  2/2 source files have been analyzed
14:51:59.207 INFO  Sensor TextAndSecretsSensor [text] (done) | time=247ms
14:51:59.209 INFO  ------------- Run sensors on project
14:51:59.223 INFO  Sensor Zero Coverage Sensor
14:51:59.228 INFO  Sensor Zero Coverage Sensor (done) | time=5ms
14:51:59.231 INFO  CPD Executor 9 files had no CPD blocks
14:51:59.232 INFO  CPD Executor Calculating CPD for 2 files
14:51:59.235 INFO  CPD Executor CPD calculation finished (done) | time=3ms
14:51:59.237 INFO  SCM revision ID 'f4ee921741dfbbcfbe6535f8cda8b15238c53cc5'
14:51:59.272 INFO  SCM writing changed lines
14:51:59.274 INFO  Merge base sha1: 03d626e539bbeb07211687fc518bad0027205a51
14:51:59.274 INFO  SCM writing changed lines (done) | time=3ms
14:51:59.277 INFO  Analysis report generated in 39ms, dir size=297.6 kB
14:51:59.290 INFO  Analysis report compressed in 13ms, zip size=35.3 kB
14:51:59.318 INFO  Analysis report uploaded in 27ms
14:51:59.318 INFO  ------------- Check Quality Gate status

After the merge into main happened, it reports many more source files analyzed:

13:43:11.712 INFO  Using git CLI to retrieve untracked files
13:43:11.714 WARN  Analyzing only language associated files, make sure to run the analysis inside a git repository to make use of inclusions specified via "sonar.text.inclusions"
13:43:11.722 INFO  14 source files to be analyzed
13:43:11.744 INFO  14/14 source files have been analyzed
13:43:11.745 INFO  Sensor TextAndSecretsSensor [text] (done) | time=260ms
13:43:11.748 INFO  ------------- Run sensors on project
13:43:11.762 INFO  Sensor Zero Coverage Sensor
13:43:11.767 INFO  Sensor Zero Coverage Sensor (done) | time=5ms
13:43:11.768 INFO  SCM Publisher SCM provider for this project is: git
13:43:11.769 INFO  SCM Publisher 11 source files to be analyzed
13:43:11.958 INFO  SCM Publisher 11/11 source files have been analyzed (done) | time=189ms
13:43:11.961 INFO  CPD Executor 9 files had no CPD blocks
13:43:11.962 INFO  CPD Executor Calculating CPD for 2 files
13:43:11.967 INFO  CPD Executor CPD calculation finished (done) | time=6ms
13:43:11.971 INFO  SCM revision ID 'bf6724d57beb2635a6100b649d491f6e39350e59'
13:43:12.037 INFO  Load New Code definition
13:43:12.049 INFO  Load New Code definition (done) | time=12ms
13:43:12.053 INFO  Analysis report generated in 81ms, dir size=455.1 kB
13:43:12.076 INFO  Analysis report compressed in 23ms, zip size=192.3 kB
13:43:12.154 INFO  Analysis report uploaded in 78ms
13:43:12.155 INFO  ------------- Check Quality Gate status

Looks like you’re doing a Pull Request Analysis, the trigger being the creation of the PR in GitLab.

You’ll want to make sure you run a branch analysis (building/analyzing the branch, not the PR).
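One way to get the branch analysis the reply asks for, as an added example that is not part of the original thread or of SonarSource's own template: give every Sonar-related job a rule for the evaluation branch, so a push to that branch starts a GitLab branch pipeline (rather than only a merge-request pipeline, which the scanner reports as a pull-request analysis of the changed lines). The job that fetches the scanner binary needs the same rule, because the scanner job pulls it from the cache. The branch name `sonarqube-test` is an assumption; the jobs and cache keys are taken from the pipeline posted above, with the SSH and credential setup of the build job left out for brevity.

```yaml
# Added example (not from the original post or from SonarSource): a hidden job
# that carries the shared rules, extended by every job that takes part in the
# Sonar analysis. "sonarqube-test" is an assumed branch name; replace it.
.sonar-rules:
  rules:
    # Branch pipelines: the scanner runs a full branch analysis.
    - if: $CI_COMMIT_BRANCH == 'sonarqube-test'
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == 'main'
    - if: $CI_COMMIT_BRANCH == 'develop'
    # Merge-request pipelines: the scanner runs a pull-request analysis,
    # which only reports on lines changed relative to the target branch.
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

variables:
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
  GIT_DEPTH: "0"  # full history, needed for blame data and merge-base detection

stages:
  - get-binaries
  - build
  - sonarqube-check

get-binaries:
  extends: .sonar-rules
  stage: get-binaries
  cache:
    policy: push
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/
  script:
    - curl -sSLo ./sonar-scanner.zip 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.0.0.4432-linux.zip'
    - unzip -o sonar-scanner.zip
    - mv sonar-scanner-6.0.0.4432-linux sonar-scanner

build:
  extends: .sonar-rules
  stage: build
  cache:
    policy: pull-push
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/
  script:
    # SSH agent and git credential setup from the original pipeline go here.
    - cmake --preset ConfigRelease
    - cmake --build --preset BuildRelease --parallel
    - ctest --preset "Test Release all"

sonarqube-check:
  extends: .sonar-rules
  stage: sonarqube-check
  cache:
    policy: pull
    key: "${CI_COMMIT_SHORT_SHA}"
    paths:
      - sonar-scanner/
  script:
    # On a branch pipeline the scanner picks up the branch from GitLab's
    # predefined CI variables and reports on every source file.
    - sonar-scanner/bin/sonar-scanner --define sonar.host.url="${SONAR_HOST_URL}"
  allow_failure: true
```

The merge_request_event rule stays, so merge requests still get a pull-request analysis; a push to the evaluation branch now also starts a branch pipeline, and that run is the one whose log shows the full file count. If the pipeline has a `workflow:` section that suppresses branch pipelines while a merge request is open, the branch analysis will never run, so check that first.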
