Journey to Integrate SonarQube Analysis on every pull request - Part 2

akansh09

Akansh Singhal

Posted on August 2, 2024


In this part we continue implementing SonarQube analysis on GitHub pull requests. If you want to learn more about SonarQube and its integration with GitHub, please refer to my previous blog.

This solution involves integrating Jenkins, SonarQube, and GitHub. Let's divide this problem into two parts:

  • Triggering SonarQube analysis from Jenkins as soon as a PR is raised on GitHub.
  • Reporting the issues found on the GitHub PR.

We will start by addressing the first part.

[Image: the part of the flow we are solving first]

You can start Jenkins on your local machine using the Jenkins installation resource.

Once Jenkins is ready, create a Jenkins job of type Multibranch Pipeline.

[Image: Jenkins Multibranch Pipeline job]

Now configure your pipeline as per the images below:

[Image: Configuring pipeline]

[Image: Configuring pipeline (continued)]

After setting up the Jenkins job and adding the pipeline below to the code base, we are able to execute a Sonar analysis on it.

```groovy
#!groovy
pipeline {
    agent any

    parameters {
        string(name: 'REPO_OWNER', defaultValue: 'Akansh09', description: 'Git Repo Owner?')
        string(name: 'REPO_NAME', defaultValue: 'sonar-analysis', description: 'Git Repo Name?')
        string(name: 'SONAR_PROJECT', defaultValue: 'sonar-analysis', description: 'Sonar Project?')
        string(name: 'TARGET_BRANCH', defaultValue: 'develop', description: 'Target branch?')
    }

    triggers {
        pollSCM('*/5 * * * *')
    }

    stages {
        stage('SonarQube Analysis') {
            steps {
                // A Groovy 'def' is not allowed directly under 'steps' in a
                // declarative pipeline; wrap it in a script block and export
                // the commit hash as an environment variable instead.
                script {
                    env.GIT_COMMIT_HASH = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                }
                // Single-quoted Groovy string: the shell expands the variables,
                // so the SonarQube token is not interpolated into the Groovy
                // string (Jenkins warns about this because it can leak the
                // secret into the build log). Parameters such as SONAR_PROJECT
                // are exposed to the shell as environment variables.
                sh '''
                    "$MAVEN_HOME/bin/mvn" clean verify sonar:sonar \
                        -Dsonar.projectKey=Akansh09_sonar-analysis_15fb42fe-8cb3-459f-86ea-7eb5b2e2db21 \
                        -Dsonar.projectName="$SONAR_PROJECT" \
                        -Dsonar.host.url="$SONARQUBE_URL" \
                        -Dsonar.token="$SONARQUBE_LOGIN" \
                        -Dsonar.projectVersion="$GIT_COMMIT_HASH"
                '''
            }
        }
    }
}
```

Define MAVEN_HOME, SONARQUBE_LOGIN and SONARQUBE_URL as environment variables on your Jenkins node.

[Image: Sonar analysis after phase 1]

The second part of this solution is to have these issues persisted on the GitHub PR, which we solve in the next part of this blog.

2nd Part of problem

Now we have to fetch the issues from SonarQube and comment on GitHub. We use two APIs for this.

```shell
# Double quotes so the shell expands ${SONAR_PROJECT_KEY} and ${SONAR_BASIC_TOKEN}
curl --location "http://127.0.0.1:9000/api/issues/search?componentKeys=${SONAR_PROJECT_KEY}&sinceLeakPeriod=true" \
  --header "Authorization: Basic ${SONAR_BASIC_TOKEN}"
```

This returns all new issues introduced by the new code changes.

```shell
# Double quotes so the shell expands the repo, PR id and token variables
curl --location "https://api.github.com/repos/${GIT_REPO_OWNER}/${GIT_REPO_NAME}/pulls/${PR_ID}/reviews" \
  --header "Authorization: Bearer ${GIT_TOKEN}" \
  --header 'Content-Type: application/json' \
  --data '{
    "body": "ddd",
    "event": "REQUEST_CHANGES"
}'
```

The above API posts a review comment on the pull request. Now that we know the APIs to perform both steps, there is still one more challenge: the SonarQube API does not provide context about which issues are associated with specific commit IDs. Therefore, there is no direct mapping between Commit ID <> Issue or PR <> Issue.
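One way to bridge that gap with the two APIs above, as an added example (not the author's Part 3 wrapper): filter the issues/search response down to files the PR actually touches (the list the GitHub pulls/{id}/files endpoint reports), then build the review payload, requesting changes only when a BLOCKER or CRITICAL issue lands in changed code. The SonarQube response and PR file list below are constructed samples, the project key `my-project` is a placeholder, and the path-level filter is an approximation, since sinceLeakPeriod returns everything new in the period, not only this PR's lines.

```python
import json

# Constructed sample of a SonarQube /api/issues/search response, trimmed to the
# fields used here. "component" is "<projectKey>:<path>" in real responses.
SONAR_ISSUES_JSON = json.dumps({"issues": [
    {"key": "AX1", "rule": "java:S2068", "severity": "BLOCKER",
     "component": "my-project:src/main/java/App.java", "line": 42,
     "message": "Review this potentially hard-coded password."},
    {"key": "AX2", "rule": "java:S1481", "severity": "MINOR",
     "component": "my-project:src/main/java/App.java", "line": 10,
     "message": "Remove this unused \"tmp\" local variable."},
    {"key": "AX3", "rule": "java:S106", "severity": "MAJOR",
     "component": "my-project:src/main/java/Other.java", "line": 7,
     "message": "Replace this use of System.out by a logger."},
]})

# Constructed list of files changed in the PR (as GET /pulls/{id}/files reports).
PR_FILES = ["src/main/java/App.java", "README.md"]
BLOCKING = {"BLOCKER", "CRITICAL"}


def issues_for_pr(issues_json, pr_files):
    """Keep only SonarQube issues whose file is part of the PR diff."""
    changed = set(pr_files)
    kept = []
    for issue in json.loads(issues_json)["issues"]:
        # Split on the first colon only; paths never contain the project key.
        _, _, path = issue["component"].partition(":")
        if path in changed:
            kept.append({"path": path, "line": issue.get("line"),
                         "severity": issue["severity"], "rule": issue["rule"],
                         "message": issue["message"]})
    return kept


def build_review(issues):
    """Build the JSON body for POST /repos/{owner}/{repo}/pulls/{id}/reviews."""
    if not issues:
        return {"body": "SonarQube: no new issues in changed files.", "event": "COMMENT"}
    lines = [f"- **{i['severity']}** `{i['rule']}` {i['path']}:{i['line']}: {i['message']}"
             for i in issues]
    # Block the merge only when a blocking-severity issue sits in changed code.
    event = "REQUEST_CHANGES" if any(i["severity"] in BLOCKING for i in issues) else "COMMENT"
    return {"body": "SonarQube found new issues in this PR:\n" + "\n".join(lines), "event": event}


if __name__ == "__main__":
    print(json.dumps(build_review(issues_for_pr(SONAR_ISSUES_JSON, PR_FILES)), indent=2))
```

The printed JSON is exactly what the second curl command above sends as `--data`.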

In Part 3 of this series, we will stitch these APIs together and create a complete solution by writing a wrapper over the SonarQube API.

If you have any questions or need further information, feel free to contact me at akanshsinghal7@gmail.com.
