SonarQube reports are not generating in Bitbucket PR

We set up a self-hosted SonarQube server and integrated it with Bitbucket using the Sonar documentation.

Setup is done using an OAuth consumer. In SonarQube, reports are generating, but they are not showing in the repos after the PR gets merged and in the pipeline section.
Verified using the below reference from Atlassian support: SonarQube scanner don’t show report in pipeline section

The issue is still not sorted, so we reached out to Atlassian support; the below URL can be used as a reference for the overall conversation.

Reply from Atlassian: I would suggest reaching out to SonarSource’s forum (Topics tagged bitbucketcloud) to ask whether this pipe indeed generates reports and if so, which of the two types of reports I mentioned in my first post.
In case it does generate reports, you can ask in the forum for help troubleshooting why your reports don’t show. This pipe is not developed by Atlassian so I don’t have any knowledge of what exactly it does and if this is expected behavior or some configuration issue.


Hi,

Welcome to the community!

You seem to have overlooked the topic template for this category, so I’ll repeat it here:

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • how is SonarQube deployed: zip, Docker, Helm
  • what are you trying to achieve
  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Specifically, we need to know your SonarQube version and edition, as well as what you’ve done - explicitly, not just the docs you followed - to accomplish what you’re after.

Additionally, please share your analysis logs.

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Ann

Hello G Ann Campbell

  1. which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): sonarqube-10.3 developer edition, SonarQube-connector
  2. how is SonarQube deployed: zip
  3. what are you trying to achieve: We are integrating our code base of Bitbucket (SCM and Pipeline both) with Sonarqube for reports.
  4. what have you tried so far to achieve this:
    Created an OAuth key, attached the Bitbucket project in SonarQube, integrated the pipe in the Bitbucket YAML file.
    Using Bitbucket Cloud integration.
    In SonarQube, detailed reports are coming, but reports are not coming into the PR or Pipeline.

Attaching
sonarqubelogs.log (17.7 KB)
logs of one of the SonarQube-attached repositories during the pipeline run

Hi,

Thanks for those details and the log.

From your log, it looks like a branch analysis is being run, not a PR analysis:

INFO: Detected analysis for branch 'QA'
INFO: Detected branch/PR in 'Bitbucket Pipelines'
INFO: Auto-configuring branch 'QA'

Per the docs, analysis in Bitbucket Pipelines automatically sets pull request parameters when a PR is recognized. So I’m guessing it was the underlying branch under analysis rather than the PR itself.

 
HTH,
Ann

Can you guide me on what I should do next?

We configured SonarQube self hosted server and integrated with Bitbucket.

Will this generate reports directly on Pipelines or PR merged?

Hi,

Can you share your pipeline?

 
Thx,
Ann

For BE service:

image: maven:3.3.9

definitions:
  steps:
    - step: &build-step
        name: SonarQube analysis
        script:
          - pipe: sonarsource/sonarqube-scan:2.0.1
            variables:
              SONAR_HOST_URL: ${SONAR_HOST_URL} # Get the value from the repository/workspace variable.
              SONAR_TOKEN: ${SONAR_TOKEN} # Get the value from the repository/workspace variable. You shouldn't set secret in clear text here.
  caches:
    sonar: ~/.sonar/cache

clone:
  depth: full


pipelines:
  pull-requests:
    'fix/**':
      - step: *build-step
      - step:
          name: Check Quality Gate on SonarQube
          #max-time: 5 # value you should use depends on the analysis time for your project
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_TOKEN: ${SONAR_TOKEN}

      - step:
          name: Run PR scripts for fix
          size: 2x
          image: node:18.16.0
          trigger: automatic
          script:
            - echo "running the PR script fix"
            - npm install
            - npm run test
    'feat/**':
      - step: *build-step
      - step:
          name: Check Quality Gate on SonarQube
          #max-time: 5 # value you should use depends on the analysis time for your project
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_TOKEN: ${SONAR_TOKEN}
      - step:
          name: Run PR scripts for feats
          size: 2x
          image: node:18.16.0
          trigger: automatic
          script:
            - echo "running the PR script feat"
            - npm install
            - npm run test
      
  branches:
    QA:
      - step: *build-step
      - step:
          name: Check Quality Gate
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_HOST_URL: ${SONAR_HOST_URL}
                SONAR_TOKEN: ${SONAR_TOKEN}
      - step:
          name: Create .env file
          trigger: automatic
          deployment: QA
          script:
            - 'curl -O https://api.bitbucket.org/2.0/repositories/paypenny/devops-pipeline-files-paypenny/src/main/Backend/QA/env.sh --header "Authorization: Bearer $PP_BB_TOKEN"'
            - sh env.sh
          artifacts:
            - .env
      - step:
          name: Build, push Docker image to ECR & Deploy to ECS
          trigger: automatic
          services:
            - docker
          #deployment: QA
          script:
            - ls -la
            - 'curl -O https://api.bitbucket.org/2.0/repositories/paypenny/devops-pipeline-files-paypenny/src/main/Backend/QA/deploy.sh --header "Authorization: Bearer $PP_BB_TOKEN"'
            - sh deploy.sh

For FE service:

image: maven:3.3.9

definitions:
  steps:
    - step: &build-step
        name: SonarQube analysis
        script:
          - pipe: sonarsource/sonarqube-scan:2.0.1
            variables:
              SONAR_HOST_URL: ${SONAR_HOST_URL} # Get the value from the repository/workspace variable.
              SONAR_TOKEN: ${SONAR_TOKEN} # Get the value from the repository/workspace variable. You shouldn't set secret in clear text here.
  caches:
    sonar: ~/.sonar/cache

clone:
  depth: full

# definitions:
#   services:
#     docker-with-large-memory:
#       memory: 6144
#       type: docker

pipelines:
  pull-requests:
    'fix/**':
      - step: *build-step
      - step:
          name: Check Quality Gate on SonarQube
          #max-time: 5 # value you should use depends on the analysis time for your project
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_TOKEN: ${SONAR_TOKEN}
      - step:
          name: Run PR scripts for fix
          size: 2x
          image: node:18.16.0
          trigger: automatic
          script:
            - echo "running the PR script fix"
            - npm install
            - npm run test
            - npm run build
    'feat/**':
      - step: *build-step
      - step:
          name: Check Quality Gate on SonarQube
          #max-time: 5 # value you should use depends on the analysis time for your project
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_TOKEN: ${SONAR_TOKEN}
      - step:
          name: Run PR scripts for feat
          size: 2x
          image: node:18.16.0
          trigger: automatic
          script:
            - echo "running the PR script feat"
            - npm install
            - npm run test
            - npm run build
  branches:
    QA:
      - step: *build-step
      - step:
          name: Check Quality Gate
          script:
            - pipe: sonarsource/sonarqube-quality-gate:1.1.0
              variables:
                SONAR_HOST_URL: ${SONAR_HOST_URL}
                SONAR_TOKEN: ${SONAR_TOKEN}
      - step:
          name: Create .env file
          trigger: automatic
          image: node:18.16.0
          deployment: QA
          script:
            - 'curl -O https://api.bitbucket.org/2.0/repositories/paypenny/devops-pipeline-files-paypenny/src/main/Frontend/QA/env.sh --header "Authorization: Bearer $PP_BB_TOKEN"'
            - sh env.sh
          artifacts:
            - .env
            - build/**
            - node_modules/**
      - step:
          name: Build, push Docker image to ECR & Deploy to ECS
          trigger: automatic
          services:
            - docker
          #size: 2x
          #- docker-with-large-memory

          #deployment: QA
          script:
            - 'curl -O https://api.bitbucket.org/2.0/repositories/paypenny/devops-pipeline-files-paypenny/src/main/Frontend/QA/deploy.sh --header "Authorization: Bearer $PP_BB_TOKEN"'
            - sh deploy.sh

Hi,

Thanks for sharing your pipeline. I’m not an expert in that, but nothing jumps out at me there.

So let’s look server-side. Did you use the in-app wizard to import your projects into SonarQube? If not, you may need to do per-project setup to enable PR decoration.

Also, could you clarify whether this is Bitbucket Server or Cloud?

 
Thx,
Ann

Hi,

We have done it using the in-app wizard with per-project setup.

We have used Bitbucket cloud.

Thanks,
Ameer

Hi Ameer,

Since you used the wizard, the project should be properly configured for PR decoration.

So let’s back up a bit.

The question is why a branch pipeline is being run, rather than the PR pipeline. Going back to your pipelines, it looks like the PR pipeline is only triggered when the underlying branch name starts with fix/ or feat. Looking at the screenshot in your initial post, I see an upper-case Feat.

I think it might be useful to try a simplified pipeline with no name restrictions.

 
HTH,
Ann

Hello G Ann Campbell,
Tried using simplified pipeline with no name restrictions, instead of ‘fix/’ and 'feat/’ used ‘/’.
Still, reports are not generated.

Hi,

Can you provide the new analysis log?

 
Ann

Hi Ann,

Attached new logs
sonarqube1.log (14.6 KB)

Hi,

Thanks for the log. As you’re aware, it’s still a branch analysis that’s detected:

INFO: Detected analysis for branch 'devops/PB-2522-2'
INFO: Detected branch/PR in 'Bitbucket Pipelines'
INFO: Auto-configuring branch 'devops/PB-2522-2'

That detection is done based on the SCM data in the environment. What does your checkout look like?

 
Ann
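
A diagnostic for the two points raised in this thread (PR triggers that depend on the exact branch name, and branch/PR detection driven by the build environment), added here as an example and not posted by anyone in the thread. `BITBUCKET_BRANCH`, `BITBUCKET_PR_ID` and `BITBUCKET_PR_DESTINATION_BRANCH` are Bitbucket Pipelines default variables; that the scanner keys its PR detection on `BITBUCKET_PR_ID` is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): source or paste into the analysis
# step's script so the build log shows what the scanner has to work with.

# Assumption: a build can be analysed as a pull request only when Bitbucket
# exported BITBUCKET_PR_ID (set on pull-request-triggered builds only);
# otherwise only the branch name is available.
analysis_mode() {
    if [ -n "${BITBUCKET_PR_ID:-}" ]; then
        echo "pull-request"
    elif [ -n "${BITBUCKET_BRANCH:-}" ]; then
        echo "branch"
    else
        echo "unknown"
    fi
}

# Case-sensitive match of a source branch against the thread's PR triggers
# 'fix/**' and 'feat/**'. In a shell `case`, '*' also matches '/', which
# mirrors what '**' does in the pipeline file.
matches_pr_trigger() {
    case "$1" in
        fix/*|feat/*) return 0 ;;
        *)            return 1 ;;
    esac
}

report() {
    echo "analysis mode the environment supports: $(analysis_mode)"
    echo "BITBUCKET_BRANCH=${BITBUCKET_BRANCH:-<unset>}"
    echo "BITBUCKET_PR_ID=${BITBUCKET_PR_ID:-<unset>}"
    echo "BITBUCKET_PR_DESTINATION_BRANCH=${BITBUCKET_PR_DESTINATION_BRANCH:-<unset>}"
    if matches_pr_trigger "${BITBUCKET_BRANCH:-}"; then
        echo "source branch matches a pull-requests trigger"
    else
        echo "source branch matches no pull-requests trigger (check letter case)"
    fi
}

report
```

If the output shows `branch` while a pull request is open for that source branch, the build was started by a `branches:` (or default) pipeline rather than a `pull-requests:` one, which matches the "Detected analysis for branch" lines quoted above.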