Journey to Integrate SonarQube Analysis on every pull request - Part 2
Akansh Singhal
Posted on August 2, 2024
In this post we continue implementing SonarQube analysis on GitHub pull requests. If you want to learn more about SonarQube and its integration with GitHub, please refer to my previous blog.
This solution involves integrating Jenkins, SonarQube, and GitHub. Let's divide this problem into two parts:
- Triggering SonarQube analysis from Jenkins to GitHub as soon as a PR is raised.
- Reporting issues found on the GitHub PR.
We will start by addressing the first part.
We are trying to solve the first (animated) part.
You can start Jenkins on your local machine using this resource.
Once Jenkins is ready, we have to create a Jenkins job of type Multibranch Pipeline.
Now configure your pipeline as per the image below:
After setting up the Jenkins job and adding the pipeline below to the code base, we are able to execute Sonar analysis on this code base.
#!groovy
pipeline {
    agent any
    parameters {
        string(name: 'REPO_OWNER', defaultValue: 'Akansh09', description: 'Git Repo Owner?')
        string(name: 'REPO_NAME', defaultValue: 'sonar-analysis', description: 'Git Repo Name?')
        string(name: 'SONAR_PROJECT', defaultValue: 'sonar-analysis', description: 'Sonar Project?')
        string(name: 'TARGET_BRANCH', defaultValue: 'develop', description: 'Target branch?')
    }
    triggers {
        // Poll the repository for changes every 5 minutes
        pollSCM('*/5 * * * *')
    }
    stages {
        stage('SonarQube Analysis') {
            steps {
                // 'def' is not allowed directly inside declarative 'steps', so use a script block
                script {
                    env.GIT_COMMIT_HASH = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                }
                // Single-quoted so the shell, not Groovy, expands the variables. This keeps the
                // SonarQube token out of Groovy string interpolation. Build parameters such as
                // SONAR_PROJECT are exposed to the shell as environment variables.
                sh '"$MAVEN_HOME/bin/mvn" clean verify sonar:sonar -Dsonar.projectKey=Akansh09_sonar-analysis_15fb42fe-8cb3-459f-86ea-7eb5b2e2db21 -Dsonar.projectName="$SONAR_PROJECT" -Dsonar.host.url="$SONARQUBE_URL" -Dsonar.token="$SONARQUBE_LOGIN" -Dsonar.projectVersion="$GIT_COMMIT_HASH"'
            }
        }
    }
}
Include MAVEN_HOME, SONARQUBE_LOGIN and SONARQUBE_URL in the environment variables of your Jenkins node.
The second part of this solution is to have these issues persisted on the GitHub PR, which we solve in the next part of this blog.
Now we have to fetch issues from SonarQube and comment on GitHub. We have to use APIs for this:
curl --location "http://127.0.0.1:9000/api/issues/search?componentKeys=${SONAR_PROJECT_KEY}&sinceLeakPeriod=true" \
--header "Authorization: Basic ${SONAR_BASIC_TOKEN}"
This will give you all new issues introduced by the new code changes.
curl --location "https://api.github.com/repos/${GIT_REPO_OWNER}/${GIT_REPO_NAME}/pulls/${PR_ID}/reviews" \
--header "Authorization: Bearer ${GIT_TOKEN}" \
--header 'Content-Type: application/json' \
--data '{
"body": "ddd",
"event": "REQUEST_CHANGES"
}'
The above API will comment on the pull request. Now that we know the APIs to perform both steps, there is still one more challenge: the SonarQube API does not provide context about which issues are associated with specific commit IDs. Therefore, there is no direct mapping between Commit ID <> Issue or PR <> Issue.
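As an added example (not the author's code and not the Part 3 wrapper), the following Python turns a response shaped like the `issues/search` output into the JSON body for the reviews call above. The function name, the sample data, and the policy that only BLOCKER or CRITICAL issues request changes are assumptions made for illustration.

```python
import json

# Constructed sample shaped like an /api/issues/search response (not real scan output).
SAMPLE_RESPONSE = json.loads("""
{"total": 2, "issues": [
  {"key": "ISSUE-1", "rule": "example:rule-1", "severity": "CRITICAL",
   "component": "demo-project:src/main/java/App.java", "line": 42,
   "message": "Review this hard-coded credential."},
  {"key": "ISSUE-2", "rule": "example:rule-2", "severity": "MINOR",
   "component": "demo-project:pom.xml",
   "message": "Remove this commented-out\\ncode."}
]}
""")

# Assumption: only these severities should block the pull request.
BLOCKING = {"BLOCKER", "CRITICAL"}


def build_review(search_response, project_key):
    """Build the JSON body for POST .../pulls/{PR_ID}/reviews (hypothetical helper)."""
    issues = search_response.get("issues", [])
    if not issues:
        return None  # no new issues: post no review at all
    prefix = project_key + ":"
    rows = []
    for issue in issues:
        # "component" is "<projectKey>:<path>"; strip the key to get the repo path.
        component = issue["component"]
        path = component[len(prefix):] if component.startswith(prefix) else component
        # File-level issues carry no "line" field.
        location = f"{path}:{issue['line']}" if "line" in issue else path
        # Collapse whitespace so a multi-line message cannot break the list layout.
        message = " ".join(issue["message"].split())
        rows.append(f"- [{issue['severity']}] `{location}` {message} ({issue['rule']})")
    blocking = any(i["severity"] in BLOCKING for i in issues)
    return {
        "body": f"SonarQube found {len(issues)} new issue(s):\n" + "\n".join(rows),
        "event": "REQUEST_CHANGES" if blocking else "COMMENT",
    }


if __name__ == "__main__":
    print(json.dumps(build_review(SAMPLE_RESPONSE, "demo-project"), indent=2))
```

The returned dictionary, serialized with `json.dumps`, replaces the hard-coded `--data` body in the GitHub call.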
In Part 3 of this series, we will stitch these APIs together and create a complete solution by writing a wrapper over the SonarQube API.
If you have any questions or need further information, feel free to contact me at akanshsinghal7@gmail.com.