SonarQube integration with Bitbucket Cloud AND Azure DevOps

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    ** 8.7.0.41497
  • what are you trying to achieve
    ** Our code base is stored / versioned on Bitbucket Cloud
    ** Our Pull Requests are created/stored and managed on Bitbucket Cloud
    ** However, we would like to use Azure DevOps CI & CD pipelines
    ** How can I use Azure DevOps Pull Request decoration when I DO NOT HAVE ANY PULL REQUEST on Azure DevOps sorry?
    ** We would like to find a way to break the build on Azure DevOps and NOT DO ANYTHING ELSE AFTERWARDS (E.G. STOP PUBLISHING BROKEN ARTIFACTS) if SonarQube Quality Gate fails
    ** We would like to find a way to block Pull Requests on Bitbucket Cloud that fail SonarQube Quality Gate
  • what have you tried so far to achieve this
    ** I have implemented the work-around as per this blog Fail your Azure DevOps pipeline if SonarQube Quality Gate fails – writeabout.net
    ** However, SonarQube API always reports wrong results (status should be “OK”)
    ** image

Hi Nick,

Welcome to the SonarSource community.

I’m assuming that you can successfully trigger these builds. If not, Microsoft documentation explains how to connect and trigger Azure Pipelines based on PRs on Bitbucket Cloud repos.

If you haven’t already, you need to enable Pull Request Decoration for Bitbucket Cloud.

To fail the pipeline, add the sonar.qualitygate.wait=true parameter to the SonarQubePrepare task. For example:

steps:
- task: SonarQubePrepare@4
  inputs:
    SonarQube: 'MySonarQubeService'
    extraProperties: 'sonar.qualitygate.wait=true'

Hope this helps!

Brian

@bcipollone thanks for your instructions.

However, your suggestion means I will have to run SonarQube twice (2 times), once on Bitbucket Cloud and once on Azure DevOps.

That consumes lots of extra resources and is unnecessary.

Is there anything we can do on Azure DevOps? e.g. SonarQube runs on Azure but prevents PRs from merging on Bitbucket?

@bcipollone please let me emphasize this again:

  • I have enabled Azure CI Pipelines on our source code hosted on Bitbucket Cloud
  • The Azure CI Pipeline runs SonarQube analysis and publishes Quality Results to our stand-alone on-premise SonarQube server
  • We need to break the PRs on Bitbucket Cloud

Your further instruction is greatly appreciated

Again, that would be ideal if WE DO NOT RUN SONARQUBE TWICE

Nick,

I’m not sure where you got the idea that SonarQube needs to be run twice.

The SonarQube scan is run once, in the Azure DevOps pipeline. The PR decoration is an integration between SonarQube and Bitbucket Cloud. I tried this on ADO Services pulling code from Bitbucket Cloud, using a self-hosted SQ server publishing the Quality Gate result back to the BB Cloud PR. It works as expected.

Brian

@bcipollone sorry, I misunderstood what you meant. Your link “enable Pull Request Decoration for Bitbucket Cloud” only mentions bitbucket-pipelines.yml, and your instruction above did not clearly say where to add the extra line of config. I thought you meant “add this to Bitbucket Cloud”.

I can see the SonarQube decoration on Bitbucket Cloud now.

Thanks

@bcipollone may I also ask:

  • how we stop Azure Pipelines if Quality Gate fails?
  • how we prevent PRs from being merged on Bitbucket Cloud if Quality Gate fails?

PR decoration does not actually break builds or block PRs, does it?

I saw the answer here from SonarQube:

I tried a work-around from here

However, for some reason SonarQube always reports the Quality Gate’s status as NONE.

I am not allowed to add another photo in my previous post, hence I post it here.

  • image

Hi Nick,

The snippet I provided earlier is from an azure-pipelines.yml file checked into the root of the project on Bitbucket. Adding the sonar.qualitygate.wait=true parameter will cause the scan task to fail if the Quality Gate is not met. I’m not sure what you are attempting via the screenshots of that script, but it looks like you are querying the API for quality gate status. The sonar.qualitygate.wait=true parameter does the same thing.

For Bitbucket Cloud, I believe you need to set up Merge Check to block merges. I do not have a Premium account handy to fully enforce this, but I can see the build and PR decoration is happening, so it should be pretty straightforward.

Brian
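
As an added illustration (not part of the original posts, and not SonarSource's own sample), the pipeline below shows where the flag sits relative to artifact publishing, so that a failed Quality Gate stops the job before anything is published. The branch name, project key, artifact path and artifact name are hypothetical placeholders; `MySonarQubeService` is the service connection name used in the snippet above.

```yaml
# azure-pipelines.yml, checked into the root of the Bitbucket Cloud repository.
# Hypothetical values: branch 'main', project key, artifact path and name.
trigger:
  branches:
    include:
      - main

# Run the same pipeline for pull requests so the gate result exists per PR.
pr:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: SonarQubePrepare@4
  inputs:
    SonarQube: 'MySonarQubeService'   # service connection to the SonarQube server
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: 'my-project-key'   # hypothetical project key
    cliSources: '.'
    extraProperties: |
      sonar.qualitygate.wait=true
      sonar.qualitygate.timeout=300

# The scan runs in this step. With sonar.qualitygate.wait=true the scanner
# waits for the server-side result (up to the timeout, in seconds) and the
# step fails if the Quality Gate is not met.
- task: SonarQubeAnalyze@4

# No 'condition:' here on purpose: by default a step runs only when every
# previous step succeeded, so a failed gate prevents publishing.
# Adding 'condition: always()' here, or 'continueOnError: true' on the
# analysis step, would let artifacts through despite a failed gate.
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
```

When reviewing an existing pipeline for this control, check every step after the analysis for `condition:` overrides and `continueOnError`, since either one turns the gate into a report rather than a stop.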

@bcipollone the failed quality gate breaks my Azure builds now, and this is what I am after.

Can you please correct this common (mis)understanding and SonarQube’s statement in other Support tickets, please?

Please also clearly state that and provide the solution/code sonar.qualitygate.wait=true in the official SonarQube documentation for the next newbies like me to quickly get the idea.

I googled this solution for a few days and almost everyone (including SonarQube Support team members) said SonarQube does not want to break any build.

Hi Nick,

While we do not recommend build breaking in all pipelines, failing the build is the only way to block the merge with Bitbucket Cloud. Other SCMs have preferred methods to prevent merges.

This parameter is already documented in our Bitbucket Cloud Integration section. Understand that we are not able to document every possible combination of SCM and CI tool or provide advice that applies to every use case. We leave it to our users to determine what works best in their CI environments based on their comfort level using SonarQube.

Brian

Hi @bcipollone,

Thanks for your response.

However, may I suggest you and the SonarQube team please kindly update your documentation on Azure DevOps integration (or a general place for integration rules which apply to ALL SCM and CI tools) to have the flag mentioned and explained, please?

As you might be aware, if you and we do not want to use Bitbucket Cloud (and hence its pipelines), NORMALLY we do NOT read any documentation related to Bitbucket Cloud. If a general rule applies to Azure DevOps and ALL other SCM and CI tools, how much effort would it take for you to document it in 1 central place as the general rule for all SonarQube users to gain the correct understanding?

  • that would have saved us/me lots of our time googling around and apparently finding (wrong) workarounds
  • interestingly, as you might have read the response from the SonarQube Support team on Azure DevOps at Azure DevOps: how to break CI build if quality gate conditions fail to meet - #4 by Daniel_Meppiel, this is totally opposite to what you have taught me so far
  • that response from our reliable source actually made me believe that I MUST SEEK ALTERNATIVES while indeed SonarQube has already implemented the correct solution. That was why I did not create this support ticket in the first place and wasted 2 days of my trial (and hundreds of build minutes on Azure) on finding something useless and unnecessary.

This is not a complaint, please do not get me wrong. I simply wish that no one else would have gained the wrong impression and understanding as I did (and apparently wasting their time chasing their own tail).

Your kind help, effort, and tutoring so far is greatly appreciated, Brian.

Thank you.

Nick P