SonarQube Configuration Details

2020-06-25

Table of Contents

Server configuration
    Quality Gates
    Update
    Rules / quality profile
    Technical Debt
Troubleshooting
    See SonarQube for an older build
    Make sure I’ve got all the relevant new rules in my profile

Table 1. History

Date        Author          Detail

2020-01-28  bcouetil        (all) refactor detail tag to new collapsible asciidoc feature

2020-01-28  bcouetil        (core) update theme

2020-01-28  bcouetil        (core) remove sample and build with docker

2019-12-15  Benoît COUETIL  (doc) add asciidoc docker generation sample on gitlab + add pipeline sh scripts

2018-12-11  bcouetil        - Added reveal plugins and background
                            - Fixed reveal following change in structure in asciidoc-reveal master (from previous version : 1.1.3)
                            - Implemented Zenika layout in HTML and PDF
                            - Reported back reveal-js enhancements

2018-11-28  bcouetil        - Updated reveal css for all syntax elements, for both light and dark themes : asciidoc-syntax-quick-reference is now nicely output
                            - Refactored light and dark css, extracting common items into reveal-zenika.css
                            - Added syntax quick reference in all format generated and linked in asciidoc page

2018-11-13  bcouetil        - Updated sample project with Reveal.js generation
                            - Duplicated Reveal.js execution to have multiple styles
                            - Compromised layout between 4/3 and 16/9
                            - Minor changes in Reveal.js css
                            - Added some web comics

2018-09-19  bcouetil        - Sample asciidoctor maven project published on Github
                            - Github & LinkedIn links
                            - Sample project tree
                            - new images + resizing and positioning

2018-08-23  bcouetil        Initial commit

SonarQube helps you measure and monitor your code quality in near real time, for most development languages.

Server configuration

Quality Gates

Click on Quality Gate

Create a new one for your project and select your quality gate rules:

• Comments is less than 30 then 25
• Coverage is less than 86 then 80
• Maintainability Rating is worse than A then
• Reliability Rating is worse than A then C
• Security Rating is worse than A then C
• Unit Test Success (%) is worse than A then C

In pipelines

Use this script to enforce Quality Gate in pipelines.

Example 1. sonar-gateway-check.sh

#!/bin/bash
#
# Getting analysis progress status
#
# Expects WORKSPACE (build root) and TOKEN (SonarQube user token) in the environment.
taskId=$(grep ceTaskId "$WORKSPACE/build/sonar/report-task.txt" | cut -f2 -d "=")

# curl prefix for every Web API call: the token is the login, the password is empty.
# -sS hides the progress meter but still prints errors.
sonarApiUrl="curl -sS -u $TOKEN: http://localhost:9000/api"

analysisResponse=$($sonarApiUrl/ce/task?id=$taskId)
echo "*** global status of SonarQube analysis : $analysisResponse ***"

sleep 10s
status=$(echo "$analysisResponse" | jq -r .task.status)

# Poll until the background task is no longer queued or running
while [[ "$status" == "IN_PROGRESS" || "$status" == "PENDING" ]]
do
    sleep 10s
    analysisResponse=$($sonarApiUrl/ce/task?id=$taskId)
    status=$(echo "$analysisResponse" | jq -r .task.status)
done

if [ "$status" = "SUCCESS" ]
then
    analysisId=$(echo "$analysisResponse" | jq -r .task.analysisId)
else
    echo "*** SonarQube server failed at analyzing this build ***"
    exit 1
fi

#
# Getting gateway result
#
gatewayResponse=$(${sonarApiUrl}/qualitygates/project_status?analysisId=$analysisId)

echo "$gatewayResponse" | jq .

qualityGateStatus=$(echo "$gatewayResponse" | jq -r '.projectStatus.status')
if [ "$qualityGateStatus" != "OK" ]; then
    RED='\033[0;31m'
    # The backtick in the emoticon is escaped so it does not open a command substitution
    echo -e "${RED}/!\ Quality gate shows WARNINGS/ERRORS : You shall not pass ! (∩\`-´)⊃━☆"
    exit 1
fi
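The same gate check with two behaviours the script above lacks, a bounded polling loop and a list of the conditions that failed, as an added Python example (not part of the original script). The names fetch_task, max_polls and pause and the sample JSON bodies are constructed for illustration; the field names follow the api/ce/task and api/qualitygates/project_status responses.

```python
import json

WAITING = {"PENDING", "IN_PROGRESS"}

def wait_for_analysis(fetch_task, max_polls=30, pause=lambda: None):
    """Poll api/ce/task through fetch_task(); return analysisId or fail closed."""
    for _ in range(max_polls):
        task = json.loads(fetch_task())["task"]
        if task["status"] not in WAITING:
            break
        pause()  # in a pipeline: lambda: time.sleep(10)
    else:
        raise TimeoutError(f"analysis still queued after {max_polls} polls")
    if task["status"] != "SUCCESS":
        raise RuntimeError(f"analysis ended with status {task['status']}")
    return task["analysisId"]

def gate_verdict(project_status_json):
    """Return (passed, failing conditions) from a project_status body."""
    ps = json.loads(project_status_json)["projectStatus"]
    failing = []
    for c in ps.get("conditions", []):
        if c["status"] == "OK":
            continue
        key = "errorThreshold" if c["status"] == "ERROR" else "warningThreshold"
        failing.append({"metric": c["metricKey"], "level": c["status"],
                        "actual": c.get("actualValue"), "threshold": c.get(key)})
    # Anything other than OK blocks the build, as in the shell script.
    return ps["status"] == "OK", failing

# Constructed sample responses (not captured from a real server).
SAMPLE_TASKS = [
    '{"task": {"id": "T1", "status": "PENDING"}}',
    '{"task": {"id": "T1", "status": "IN_PROGRESS"}}',
    '{"task": {"id": "T1", "status": "SUCCESS", "analysisId": "A1"}}',
]
SAMPLE_GATE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "coverage", "comparator": "LT",
     "warningThreshold": "86", "errorThreshold": "80", "actualValue": "78.2"},
    {"status": "WARN", "metricKey": "comment_lines_density", "comparator": "LT",
     "warningThreshold": "30", "errorThreshold": "25", "actualValue": "27.0"},
    {"status": "OK", "metricKey": "security_rating", "comparator": "GT",
     "warningThreshold": "1", "errorThreshold": "3", "actualValue": "1"},
]}})

if __name__ == "__main__":
    responses = iter(SAMPLE_TASKS)
    print(wait_for_analysis(lambda: next(responses)))
    print(gate_verdict(SAMPLE_GATE))
```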

Update

This has to be done only for a new Production Line.

Administration → System → Update Center

• SonarJava: install or update to latest
• Findbugs: install
• SoftVis3D: install

Rules / quality profile

Export

• Navigate to Quality Profiles → BCT (or your profile) → Actions → Back Up
• This will download an XML file
• On CG-WM, the common java XML quality profile is saved here:

src\docs\SonarQube.qualityProfile.BCT.

Import

For an import to be successful, SonarQube must know the rules, so SonarJava and Findbugs must be up to date.

• Navigate to Quality Profiles → dropdown menu next to Create → Restore Profile
• Provide the saved XML

Create

This has to be done only if you want to define a custom set of rules.

• Choose Quality Profiles → Java → Sonar way → Copy
• Select the newly created profile
• Now you can:
  ◦ Click on the number of active rules to deactivate some
  ◦ Click on Activate More
  ◦ Go to Rules, search one and change its value

Technical Debt

• Select Administration → Configuration → General Settings → Technical Debt
• Set Maintainability rating grid = 0.01,0.02,0.03,0.05
  ◦ This means that a tech debt < 1% is rated A, a tech debt > 5% is rated E.
• Hit Save Technical Debt

Troubleshooting

See SonarQube for an older build

SonarQube does not have history available for browsing: you can only see the last build. To see the data associated with a specific change, you have to retrigger the Gerrit patch.

You can do an empty commit amend from . But you can also retrigger from .

• Go to Jenkins homepage
• Navigate to the pipeline/job
• If your build is still in the history
  ◦ Open it
  ◦ Select Retrigger
• Else if your build has been deleted
  ◦ Go to Jenkins homepage
  ◦ Click on Query and Trigger Gerrit Patches
  ◦ In Query String, put your change-id
  ◦ Click SEARCH
  ◦ Select the change
  ◦ Click TRIGGER SELECTED

Make sure I’ve got all the relevant new rules in my profile

Each time a language plugin update is released, new rules are added, but they won’t appear automatically in your profile unless you’re using a built-in profile such as Sonar way.

If you’re not using a built-in profile, you can compare your profile to the built-in profile to see which new on-by-default rules you’re missing.

Another option is to go to the Rules space, and use the Available Since search facet to see what rules have been added to the platform since the day you upgraded the relevant plugin.

And finally, the profile interface itself will help you be aware of rules added in a new plugin version in the Latest New Rules section on the right of the interface.
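The profile comparison described above can also be run offline on two Back Up files, shown here as an added Python example (not part of the original document). It assumes the backup XML layout of profile / rules / rule with repositoryKey, key and priority elements; the helper rule_xml and both sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def load_rules(backup_xml):
    """Return {(repositoryKey, key): priority} for every rule in a backup."""
    rules = {}
    for rule in ET.fromstring(backup_xml).iter("rule"):
        ident = (rule.findtext("repositoryKey"), rule.findtext("key"))
        rules[ident] = rule.findtext("priority")
    return rules

def compare_profiles(mine_xml, reference_xml):
    """Return (missing, drift): rules only in the reference, and severity changes."""
    mine, ref = load_rules(mine_xml), load_rules(reference_xml)
    missing = sorted(set(ref) - set(mine))
    drift = sorted((k, mine[k], ref[k]) for k in set(ref) & set(mine)
                   if mine[k] != ref[k])
    return missing, drift

def rule_xml(repo, key, priority):
    """Hypothetical helper that builds one <rule> entry for the samples."""
    return (f"<rule><repositoryKey>{repo}</repositoryKey><key>{key}</key>"
            f"<priority>{priority}</priority><parameters/></rule>")

def profile_xml(name, rules):
    """Hypothetical helper that wraps rule entries in a backup document."""
    return (f"<profile><name>{name}</name><language>java</language>"
            f"<rules>{''.join(rules)}</rules></profile>")

# Constructed sample backups: a custom profile and a fresh copy of the built-in one.
MINE = profile_xml("BCT", [
    rule_xml("squid", "S2095", "BLOCKER"),
    rule_xml("squid", "S1166", "MAJOR"),
    rule_xml("findbugs", "NP_NULL_ON_SOME_PATH", "MAJOR"),
])
REFERENCE = profile_xml("Sonar way copy", [
    rule_xml("squid", "S2095", "BLOCKER"),
    rule_xml("squid", "S1166", "CRITICAL"),
    rule_xml("squid", "S2068", "BLOCKER"),
])

if __name__ == "__main__":
    missing, drift = compare_profiles(MINE, REFERENCE)
    print("missing from my profile:", missing)
    print("severity differs:", drift)
```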
