I have recently found out about SonarQube and decided to try it out. On my VM server, I have downloaded the docker image using the following command:
sudo docker pull sonarqube
Then I have ran it using the command:
sudo docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
I have then connected to the SonarQube web interface via the my_server_address:9000 and followed the instructions to connect SonarQube with my Gitlab repository and setup CI/CD pipeline.
In my .gitlab.ci.yml I have added the following:
stages:
- sonarqube-check
- sonarqube-vulnerability-report
sonarqube-check:
stage: sonarqube-check
image:
name: sonarsource/sonar-scanner-cli:5.0
entrypoint: [""]
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script:
- sonar-scanner
allow_failure: true
only:
- merge_requests
- master
- main
- develop
sonarqube-vulnerability-report:
stage: sonarqube-vulnerability-report
script:
- 'curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}" -o gl-sast-sonar-report.json'
allow_failure: true
only:
- merge_requests
- master
- main
- develop
artifacts:
expire_in: 1 day
reports:
sast: gl-sast-sonar-report.json
dependencies:
- sonarqube-check
and in my sonar-project.properties I have included the following:
sonar.projectKey=embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622
sonar.qualitygate.wait=true
Everything seems to work ok. I have ran the CI/CD job and got the following result:
Running with gitlab-runner 16.6.1 (f5da3c5a)
on Runner for changelog generator QxsfarD_, system ID: s_1de69ef528ed
Preparing the "docker" executor
00:04
Using Docker executor with image sonarsource/sonar-scanner-cli:5.0 ...
Pulling docker image sonarsource/sonar-scanner-cli:5.0 ...
Using docker image sha256:2f384fb1bbd5f033fa0b628efb5ef3d40b9cafaddb68b9ffdd8c3cacdc237199 for sonarsource/sonar-scanner-cli:5.0 with digest sonarsource/sonar-scanner-cli@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 ...
Preparing environment
00:00
Running on runner-qxsfard-project-121-concurrent-0 via xxx-test...
Getting source from Git repository
00:07
Fetching changes...
Reinitialized existing Git repository in /builds/embeded-programmers/Embedded-FW-Guidelines/.git/
Checking out 66887ab8 as detached HEAD (ref is main)...
Removing gl-sast-sonar-report.json
Skipping Git submodules setup
Restoring cache
00:05
Checking cache for sonarqube-check-2-protected...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script
00:43
Using docker image sha256:2f384fb1bbd5f033fa0b628efb5ef3d40b9cafaddb68b9ffdd8c3cacdc237199 for sonarsource/sonar-scanner-cli:5.0 with digest sonarsource/sonar-scanner-cli@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 ...
$ sonar-scanner
INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: /builds/embeded-programmers/Embedded-FW-Guidelines/sonar-project.properties
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.8 Alpine (64-bit)
INFO: Linux 5.4.0-173-generic amd64
INFO: User cache: /builds/embeded-programmers/Embedded-FW-Guidelines/.sonar/cache
INFO: Analyzing on SonarQube server 10.4.1.88267
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=148ms
INFO: Server id: 147B411E-AY4843AWCgSsVKEGLvhP
INFO: User cache: /builds/embeded-programmers/Embedded-FW-Guidelines/.sonar/cache
WARN: sonar.plugins.downloadOnlyRequired is false, so ALL available plugins will be downloaded
INFO: Loading all plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=98ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=239ms
INFO: Process project properties
INFO: Process project properties (done) | time=1ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=2ms
INFO: Project key: embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622
INFO: Base dir: /builds/embeded-programmers/Embedded-FW-Guidelines
INFO: Working dir: /builds/embeded-programmers/Embedded-FW-Guidelines/.scannerwork
INFO: Load project settings for component key: 'embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622'
INFO: Load project settings for component key: 'embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622' (done) | time=28ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=159ms
INFO: Auto-configuring with CI 'Gitlab CI'
INFO: Load active rules
INFO: Load active rules (done) | time=10124ms
INFO: Load analysis cache
INFO: Load analysis cache (4.9 kB) | time=33ms
INFO: Preprocessing files...
INFO: 5 languages detected in 198 preprocessed files
INFO: 0 files ignored because of scm ignore settings
INFO: Load project repositories
INFO: Load project repositories (done) | time=27ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 89 files indexed
INFO: Quality profile for json: Sonar way
INFO: Quality profile for py: Sonar way
INFO: Quality profile for xml: Sonar way
INFO: ------------- Run sensors on module embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=23ms
INFO: Sensor Python Sensor [python]
WARN: Your code is analyzed as compatible with all Python 3 versions by default. You can get a more precise analysis by setting the exact Python version in your configuration via the parameter "sonar.python.version"
INFO: Starting global symbols computation
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: Starting rules execution
INFO: 1 source file to be analyzed
INFO: 1/1 source file has been analyzed
INFO: The Python analyzer was able to leverage cached data from previous analyses for 0 out of 1 files. These files were not parsed.
INFO: Sensor Python Sensor [python] (done) | time=1280ms
INFO: Sensor Cobertura Sensor for Python coverage [python]
INFO: Sensor Cobertura Sensor for Python coverage [python] (done) | time=56ms
INFO: Sensor PythonXUnitSensor [python]
INFO: Sensor PythonXUnitSensor [python] (done) | time=29ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=4ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=68ms
INFO: Sensor IaC AzureResourceManager Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC AzureResourceManager Sensor [iac] (done) | time=145ms
INFO: Sensor CSS Rules [javascript]
INFO: No CSS, PHP, HTML or VueJS files are found in the project. CSS analysis is skipped.
INFO: Sensor CSS Rules [javascript] (done) | time=1ms
INFO: Sensor C# Project Type Information [csharp]
INFO: Sensor C# Project Type Information [csharp] (done) | time=2ms
INFO: Sensor C# Analysis Log [csharp]
INFO: Sensor C# Analysis Log [csharp] (done) | time=44ms
INFO: Sensor C# Properties [csharp]
INFO: Sensor C# Properties [csharp] (done) | time=0ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=4ms
INFO: Sensor XML Sensor [xml]
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor XML Sensor [xml] (done) | time=259ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: 28 source files to be analyzed
INFO: 28/28 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=1042ms
INFO: Sensor VB.NET Project Type Information [vbnet]
INFO: Sensor VB.NET Project Type Information [vbnet] (done) | time=2ms
INFO: Sensor VB.NET Analysis Log [vbnet]
INFO: Sensor VB.NET Analysis Log [vbnet] (done) | time=37ms
INFO: Sensor VB.NET Properties [vbnet]
INFO: Sensor VB.NET Properties [vbnet] (done) | time=0ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=40ms
INFO: ------------- Run sensors on project
INFO: Sensor Analysis Warnings import [csharp]
INFO: Sensor Analysis Warnings import [csharp] (done) | time=2ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=13ms
INFO: CPD Executor Calculating CPD for 1 file
INFO: CPD Executor CPD calculation finished (done) | time=11ms
INFO: Analysis report generated in 132ms, dir size=210.5 kB
INFO: Analysis report compressed in 43ms, zip size=32.1 kB
INFO: Analysis report uploaded in 55ms
INFO: ------------- Check Quality Gate status
INFO: Waiting for the analysis report to be processed (max 300s)
INFO: QUALITY GATE STATUS: PASSED - View details on http://192.168.3.144:9000/dashboard?id=embeded-programmers_Embedded-FW-Guidelines_bb38c305-dce0-4cd5-b386-119f7e9e6622
INFO: Analysis total time: 38.909 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 41.486s
INFO: Final Memory: 27M/100M
INFO: ------------------------------------------------------------------------
Saving cache for successful job
00:01
Creating cache sonarqube-check-2-protected...
.sonar/cache: found 55 matching artifact files and directories
Archive is up to date!
Created cache
Cleaning up project directory and file based variables
00:01
Job succeeded
On the web interface, I can see the following :
However, my project contains my source files:
For some reason, it failed to detect main/main.c. I have even made a mistake on purpose on my main.c and was hoping the SonarQube to pick it up.
I am very new to SonarQube and I am hoping to use it in CI/CD pipeline to automatically pick up silly mistakes. I would appreciate if someone could point me in the right direction. Do I need to manually tell SonarQube which directories to analyze and locate source code?