
SonarQube Setup and Upload Results

Brandon Cruz edited this page Oct 14, 2023 · 8 revisions

Overview

SonarQube is the tool we use for developer static analysis of the codebase. Currently, we use it for checking on security vulnerabilities, code coverage, and potential bugs. Our SonarQube instance can be found at https://sonarqube.cloud.cms.gov/ and requires a CMS VPN connection to access.

Setup needed for local and hosted

Firstly, ensure you're on the CMS VPN before accessing https://sonarqube.cloud.cms.gov/ or you won't be able to connect. Once you access the hosted instance, you'll need to log in with your EUA username/password.

In order to see the bfd-parent project, you'll also need an ITOPs ticket created for you to be added as an admin to the project. This will allow you to see the project, comment or change status on issues, and upload results to the instance.

Once you have access to the bfd-parent project, go to My Account (found in top right colored square dropdown menu) > Security (subtab). Here there will be a few boxes you can use to generate a token you can use for uploading results.

Create a new token with the following values:

  • Name: bfd (this can be anything)
  • Type: Project Analysis token
  • Project: bfd-parent
  • Expiration: 90 days

Once this token is generated, you should see a token id shown. Copy this and save it; you'll need it for uploading results to sonarQube in the future. You won't be able to see it again without making a new token, so make sure to grab it!

Next, build the project from the apps folder, ensuring you skip the build cache. (If you don't skip the build cache, you may get errors where calling sonar will complain about classes not found or detecting invalid files.)

mvn clean install -DskipITs -Dmaven.test.skip=true -Dmaven.build.cache.enabled=false

Upload to hosted instance

To upload to the hosted instance, build the project from apps (skipping the cache as mentioned above) first. Then run (from apps):

mvn clean verify sonar:sonar \
-Dsonar.projectKey=bfd-parent \
-Dsonar.projectName='bfd-parent' \
-Dsonar.host.url=https://sonarqube.cloud.cms.gov/ \
-Dsonar.login=<login token created earlier> \
-Dmaven.javadoc.skip=true -DskipITs -DskipTests

The sonar.login should be the token id you copied when the token was generated.

In the web SonarQube UI, you should now see the project with its new analysis. This should also upload the code coverage results.
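The two steps above (cache-free build, then upload) as a small wrapper script; this is an added example, not a script from the BFD repository. It takes the token from a SONAR_TOKEN environment variable instead of the command line, so the token does not end up in shell history, and it checks that the SonarQube host answers before starting a long build (no answer usually means the VPN is down). It assumes a SonarScanner for Maven version that honours SONAR_TOKEN; the SONAR_HOST and PROJECT_KEY variables are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not BFD project code): run the SonarQube upload from apps/.
set -eu

SONAR_HOST="${SONAR_HOST:-https://sonarqube.cloud.cms.gov/}"
PROJECT_KEY="${PROJECT_KEY:-bfd-parent}"

# The Project Analysis token is read from the environment (export SONAR_TOKEN=...)
# rather than typed as -Dsonar.login=<token>, so it is not written to shell history.
require_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; export the token generated under My Account > Security" >&2
    return 1
  fi
}

# SonarQube reports its state at /api/system/status; anything other than UP, or no
# response at all (e.g. not on the CMS VPN), means the upload would fail anyway.
host_is_up() {
  local body
  body="$(curl -sS --max-time 10 "${1%/}/api/system/status" 2>/dev/null)" || return 1
  case "$body" in *'"status":"UP"'*) return 0 ;; *) return 1 ;; esac
}

# The mvn arguments from this page, one per line, for host $1 and project key $2.
# The token itself is deliberately absent: the scanner picks up SONAR_TOKEN.
sonar_args() {
  printf '%s\n' clean verify sonar:sonar \
    "-Dsonar.projectKey=$2" "-Dsonar.projectName=$2" "-Dsonar.host.url=$1" \
    -Dmaven.javadoc.skip=true -DskipITs -DskipTests
}

main() {
  require_token
  host_is_up "$SONAR_HOST" || { echo "$SONAR_HOST not reachable; VPN connected?" >&2; exit 1; }
  # Build with the Maven build cache disabled, as described above.
  mvn clean install -DskipITs -Dmaven.test.skip=true -Dmaven.build.cache.enabled=false
  # shellcheck disable=SC2046  # arguments contain no whitespace, so splitting is intended
  mvn $(sonar_args "$SONAR_HOST" "$PROJECT_KEY")
}

# Run the whole procedure only when invoked as: ./sonar-upload.sh upload
if [ "${1:-}" = "upload" ]; then main; fi
```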

Run and upload Locally

Setup and run the dockerImage

https://docs.sonarsource.com/sonarqube/latest/try-out-sonarqube/

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

This will download the image and create a container; you can see it in Docker Desktop.

Log in to http://localhost:9000 using System Administrator credentials:

  • login: admin
  • password: admin

You may be prompted to change this password; this is your local sonarQube so use whatever username/password you'd like.

Wait for it to start up, log in with the credentials above, and follow the prompts. Use the project name "bfd-parent" and the main branch master.

You may need to go to (local) UI Administration > analysis scope > global source file exclusions: *.java

Run the local sonar upload code which the UI will describe. It will be similar to this (your token will vary):

mvn clean compile sonar:sonar \
-Dsonar.projectKey=bfd-parent \
-Dsonar.projectName='bfd-parent' \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.token=<login_token> \
-DskipITs -DskipTests

After this you should see the results appear in your locally hosted sonarQube instance (http://localhost:9000)
