SonarQube Enterprise/BitBucket/Jenkins - Decorate PR failed

Elements:

  • SonarQube Enterprise: 8.3
  • Bitbucket Server/Enterprise: 7.1
  • Jenkins Server

Goal

  • Implement PR based SonarQube analysis with PR decoration
  • Bitbucket PR -> via webhook -> Jenkins -> SQ
  • Jenkins invokes the analysis successfully to SQ (I see the results in SQ)
  • No comments/Decorations in the PR

What I have done

Jenkins Config

${scannerHome}/bin/sonar-scanner -Dsonar.host.url=https://sonarqube.domain.com \
  -Dsonar.bitbucket.branchName=${PR_BRANCH} \
  -Dsonar.pullrequest.branch=${PR_BRANCH} \
  -Dsonar.pullrequest.key=${pr_id} \
  -Dsonar.pullrequest.base=${TARGET_BRANCH}

sonar-project.properties File

sonar.projectKey=Infosec-agate-AgencySettings-test
sonar.projectName=InfoSecagate-AgencySettings-test

sonar.sources=src
sonar.sourceEncoding=UTF-8
sonar.exclusions=**/_tests/**,**/tests_/**,**/vendor/**,**/build/**,**/Tests/**,**/JsTests/**,**/node_modules/**,**/cypress/**

sonar.tests=src
sonar.test.inclusions=**/Tests/**,**/JsTests/**,*.spec.js

sonar.php.coverage.reportPaths=build/php/coverage-clover.xml
sonar.javascript.lcov.reportPaths=build/js/coverage/lcov.info

I have been reading the SonarQube documents and the general Internet; I don't know where else to look to troubleshoot, or whether I am missing additional runtime parameters.

Hi @cjbischoff,

It looks like you might have missed that we have specific support for Jenkins to auto-detect the PR context and set the scanner parameters for you. It depends upon usage of the Bitbucket Branch Source plugin on the Jenkins side, as the link mentions.

Also note that in SonarQube 8.4, there’s been additional improvement to help automate the setup of Bitbucket-based projects to ensure everything is correct. Since you haven’t gotten this working yet, you might consider upgrading to 8.4.1 and then trying this using the new project wizard.

@Jeff_Zapotoczny I reviewed this https://docs.sonarqube.org/8.3/analysis/jenkins/ and I don't see any mention of the Bitbucket Branch Source plugin, only SonarScanner for Jenkins.

To confirm, are you speaking about the SonarScanner for Jenkins plugin?

I meant what I said. In the 3rd paragraph on the page:

Depending on your ALM provider, you'll need the BitBucket, GitHub, or GitLab Branch Source plugin.

I was under the impression SQ/Enterprise/8.3 supported native PR decoration

It does. But the configuration of that decoration is made easier on the Jenkins side if you use a combination of a standard branch source plugin for your particular ALM in conjunction with our plugin.

To confirm - I am using/have deployed the Jenkins Plugin for SonarQube - https://plugins.jenkins.io/sonar/, but I am using a Pipeline script

Thanks for confirming; what I am trying to make clear is that if you additionally use the Bitbucket Branch Source plugin and define a multibranch pipeline, the configuration of branch/PR parameters will be done automatically for you.

@Jeff_Zapotoczny

With that approach (multibranch pipeline) we are completely dependent on the Jenkinsfile to identify branches and PRs, whereas currently we have the flexibility to scan any repo using a generic webhook on Jenkins for invoking SQ builds.

Okay, I was trying to make suggestions that might ease the burden of configuration, but since none of them sound appealing to you, we’ve got to troubleshoot it the way you’re doing it now.

Can you do the following?

  • Toggle the log level to DEBUG (in Administration/System)
  • Perform the PR analysis again, capturing the output as well as the command run itself with all parameters
  • Attach both the ce.log from your SonarQube server as well as the analysis log from your Jenkins build run to this thread?

Attachments:

  • JenkinsBuild.txt (283.8 KB)
  • Scanner Context - InfoSecagate-AgencySettings-test [Project Analysis].txt (2.2 KB)
  • sonarqube_ce.log: https://app.box.com/s/tfg0gfm87g6e92xtvnlvd0iinez7rsqa

I noticed the reason why you’re not seeing PR decoration in the log:

2020.08.03 14:03:58 DEBUG ce[AXO0otThVyNarV3RsenZ][c.s.C.D.A.A.C] Unable to contact Bitbucket server: 404 com.atlassian.bitbucket.commit.NoSuchCommitException Commit '3f94e086e71ce68b1a604f0446a44d0601614a82' does not exist in repository 'agency-settings-binder'.
2020.08.03 14:03:58 DEBUG ce[AXO0otThVyNarV3RsenZ][c.s.C.D.A.D] Failed to create Bitbucket Server Quality Report for commit SHA '3f94e086e71ce68b1a604f0446a44d0601614a82'

My guess is that Jenkins has checked out something that doesn’t exactly correspond to the latest commit on the PR branch; they need to match up.

You need to figure out the commit for the actual PR.
We had to add this to really make it work:
In the Jenkinsfile, when you do the checkout, you would need to do something like this:

def scmVars = checkout scm

scmVars.GIT_BRANCH should be populated at this stage (or get it by some other means).
Now you can get the PR hash:

def git_pr_hash = sh(
    script: "git rev-parse origin/${scmVars.GIT_BRANCH}",
    returnStdout: true
).trim()

Now, pass git_pr_hash to the scanner on analysis:

withSonarQubeEnv('sonarqube') {
    sh """
    ${scannerHome}/bin/sonar-scanner \
      -Dsonar.scm.revision=${git_pr_hash}
    """
}

This way SonarQube will match the PR hash with the Bitbucket server.
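Added example (not code from this thread or from SonarSource): a scripted pipeline that keeps the webhook-driven approach from the original post but pins sonar.scm.revision to the PR head and fails the build if the checked-out commit is not that head, which is the mismatch the NoSuchCommitException in the ce.log points to. PR_BRANCH, TARGET_BRANCH and pr_id are the variable names from the OP's command; the server name 'sonarqube' and the tool name 'SonarScanner' are assumptions.

```groovy
// Assumed: PR_BRANCH, TARGET_BRANCH and pr_id are injected into the build
// environment by the generic webhook trigger; 'sonarqube' is the server name
// configured under Manage Jenkins, 'SonarScanner' the configured tool name.
node {
    stage('Checkout') {
        // checkout scm returns a map with GIT_COMMIT, GIT_BRANCH, ...
        def scmVars = checkout scm
        env.CHECKED_OUT_COMMIT = scmVars.GIT_COMMIT
    }
    stage('Resolve PR head') {
        // Refresh the remote-tracking ref so origin/<branch> is current, then
        // resolve the commit that Bitbucket considers the head of the PR.
        sh "git fetch --no-tags origin +refs/heads/${env.PR_BRANCH}:refs/remotes/origin/${env.PR_BRANCH}"
        env.PR_HEAD = sh(
            script: "git rev-parse origin/${env.PR_BRANCH}",
            returnStdout: true
        ).trim()
        // Bitbucket returns 404 for a commit it never received; analysing a
        // workspace at some other commit would label the wrong tree, so stop here.
        if (env.CHECKED_OUT_COMMIT != env.PR_HEAD) {
            error "Workspace is at ${env.CHECKED_OUT_COMMIT} but origin/${env.PR_BRANCH} is ${env.PR_HEAD}"
        }
    }
    stage('SonarQube PR analysis') {
        def scannerHome = tool 'SonarScanner'
        withSonarQubeEnv('sonarqube') {
            // sonar.host.url and the token come from withSonarQubeEnv.
            sh """
            ${scannerHome}/bin/sonar-scanner \\
              -Dsonar.pullrequest.key=${env.pr_id} \\
              -Dsonar.pullrequest.branch=${env.PR_BRANCH} \\
              -Dsonar.pullrequest.base=${env.TARGET_BRANCH} \\
              -Dsonar.scm.revision=${env.PR_HEAD}
            """
        }
    }
}
```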

Let me check with the build pipeline script - thank you.

It's weird, since I see a successful build in the Jenkins console:
ANALYSIS SUCCESSFUL, you can browse https://sonarqube.DOMAIN.com/dashboard?id=com.odesk.agora%3Athrift-auth-parent&pullRequest=56

Then I go to SQ via that link and review it, and you see the analysis of the PR (all the relevant information is there). One thing I noticed: the Code section is empty.

I go to the "See the PR" link; it links back to the Bitbucket PR, and when I review the code nothing is added.

Thank you

Added -Dsonar.scm.revision=${git_pr_hash} and that seemed to work.

However in SQ I don’t see the code within PR analysis

Is that correct?