SonarQube plugin


SonarQube is an open-source platform used by development teams to manage source code quality. SonarQube has been developed with a main objective in mind: to make code quality management accessible to everyone with minimal effort.

Plugin version 2.1.3.2022121644

Revised on December 16, 2022

Supported versions

The plugin has been tested with the following versions:

  • This plugin supports SonarQube versions 8.7 to 8.9, 9.5, and 9.7.1 including "LTS" versions.

  • This plugin supports SonarCloud.io - the cloud solution for SonarQube.

Prerequisites

CloudBees CD/RO agent version 10.3 or newer is required.

Plugin configurations

Plugin configurations are sets of parameters that can be applied across some, or all, of the plugin procedures. They can reduce the repetition of common values, create predefined parameter sets, and securely store credentials. Each configuration is given a unique name that is entered in the designated parameter for the plugin procedures that use them.

Creating plugin configurations

To create plugin configurations in CloudBees CD/RO, complete the following steps:

  1. Navigate to DevOps Essentials > Plugin Management > Plugin configurations.

  2. Select Add plugin configuration to create a new configuration.

  3. In the New Configuration window, specify a Name for the configuration.

  4. Select the Project that the configuration belongs to.

  5. Optionally, add a Description for the configuration.

  6. Select the appropriate Plugin for the configuration.

  7. Configure the parameters per the descriptions below.

Configuration procedure parameters

Parameter Description

Server configuration

Required. The EC-SonarQube internal configuration name.

Description

The description for the plugin configuration.

Protocol

Required. Specifies whether the hostname is prefixed with https:// or http://.

Host

Required. The host name of the SonarQube server.

URL path of SonarQube

The URL path of SonarQube. For example, /sonar for http://host:9000/sonar. Leave blank if none.

SonarQube server port

Required. The SonarQube server port. For example, 9000.

Ignore SSL errors

Turns SSL verification off for instances with self-signed certificates. Ignore SSL errors applies only to the REST API calls made by the Get Last SonarQube Metrics and CollectReportingData procedures; SonarScanner itself still validates the server certificate (see Known issues).

Organization key

The organization key that is required to identify the organization associated with your project. For instance, it is required to work with SonarCloud.

Auth type

The authentication type; a username with a password or an access token.

Password

The password that goes with the 'sonar.login' username. The login must belong to a SonarQube user with the Execute Analysis permission.

If you use an authentication token instead, enter it in the login field and leave the password blank.

Token

The personal access token.

Debug level

The verbosity level of the output.

HTTP proxy

The proxy that should be used for connections.

Proxy authorization

The username and password for the proxy.

Check connection resource

A resource that is used to check the connection.

Check Connection?

If checked, the connection endpoint and credentials entered as part of the configuration will be tested. If this option is checked, configuration will not be saved if the test fails.

Plugin procedures

CollectReportingData

Collects reporting data from SonarQube and sends it to CloudBees CD/RO reporting server.

By default, the following fields are mapped to the report:

CollectReportingData parameters

Parameter Description

Configuration name

Required. The unique name for the configuration.

Preview mode

This mode is provided to let you perform a WHAT IF analysis before enabling automatic reporting. If selected, no metadata is set and reports are not sent to the reporting server. Instead, detailed information about each object retrieved from SonarQube that includes transformation, mapping, and payload, is included in the summary logs.

Project key

Required. The project key that is unique for each project in SonarQube.

File prefix

If provided, the matching string is removed from the file path before sending the report. For example, if the file path is /opt/repo/file1, file prefix = /opt/repo resolves to /file1. Similarly, file prefix = /opt/repo/ resolves to file1.

Field mapping

Allows you to add custom fields to the payload or modify payload values. For example, "MyApplication":codeQuality.releaseName maps the literal value "MyApplication" to the releaseName field of the code_quality report.

Transform script

Allows you to provide a Perl script for payload customization. The plugin invokes this method with two parameters: the first is the context object and the second is the payload object. Since EC-SonarQube-1.5.2.0 sends two types of reports, the payload is a hash reference with build and payload sections. The method must be named transform and must return the payload object.

In this example, myCustomField is added to the codeQuality payload object and myCustomField2 is added to each codeQualityFile payload object:

sub transform {
    my ($context, $payload) = @_;
    # Add a field to the single codeQuality object ...
    $payload->{codeQuality}->{myCustomField} = 1;
    # ... and a second field to every codeQualityFile object.
    for my $p (@{ $payload->{codeQualityFile} }) {
        $p->{myCustomField2} = 2;
    }
    # Always return the (modified) payload object.
    return $payload;
}
# Additional helper subs may be defined in the same script.
sub one {
    my ($context) = @_;
    return time();
}
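The Field mapping and Transform script parameters above both rewrite the report payload before it is sent. The plugin runs transform scripts in Perl; the following is an added Python model (not the plugin's own code) of the Field mapping syntax and the File prefix rule, useful for checking a mapping offline in the spirit of Preview mode. The page shows only the literal-to-path form ("MyApplication":codeQuality.releaseName); fanning a path out over every entry of the codeQualityFile list, allowing blank and # comment lines, and the filePath key name in the sample payload are assumptions made here, and the payload itself is constructed.

```python
"""Offline model of the CollectReportingData 'Field mapping' and 'File prefix' rules.

Added example, not part of the EC-SonarQube plugin. Assumptions: paths may cross
the codeQualityFile list (applied to every entry), '#' lines are comments, and
file entries carry their path under 'filePath'.
"""
import json
import re

# Constructed sample payload with the two report sections named on the page.
SAMPLE_PAYLOAD = {
    "codeQuality": {"projectKey": "demo", "vulnerabilities": 3},
    "codeQualityFile": [
        {"filePath": "/opt/repo/src/a.py", "vulnerabilities": 1},
        {"filePath": "/opt/repo/src/b.py", "vulnerabilities": 2},
    ],
}

# One rule per line:  "<literal>":<dotted.target.path>
_RULE = re.compile(r'^"(?P<value>[^"]*)"\s*:\s*(?P<path>[A-Za-z_][\w.]*)$')


def parse_field_mapping(text):
    """Parse mapping lines into (literal, [path parts]) tuples.

    A malformed line raises ValueError so a typo fails the preview instead of
    silently producing a report with a missing field.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: blank/comment lines allowed
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"field mapping line {lineno}: cannot parse {raw!r}")
        rules.append((m.group("value"), m.group("path").split(".")))
    return rules


def _assign(node, parts, value):
    """Set value at the dotted path under node; a list node fans out to each item."""
    if isinstance(node, list):  # assumption: list sections apply to every entry
        for item in node:
            _assign(item, parts, value)
        return
    if not isinstance(node, dict):
        raise ValueError(f"cannot descend into a non-object value at {parts[0]!r}")
    head, rest = parts[0], parts[1:]
    if not rest:
        node[head] = value
    else:
        _assign(node.setdefault(head, {}), rest, value)


def apply_field_mapping(payload, mapping_text):
    """Return a deep copy of payload with every mapping rule applied."""
    out = json.loads(json.dumps(payload))  # deep copy; the input stays untouched
    for value, parts in parse_field_mapping(mapping_text):
        _assign(out, parts, value)
    return out


def strip_file_prefix(payload, prefix):
    """The 'File prefix' rule: '/opt/repo' -> '/src/a.py', '/opt/repo/' -> 'src/a.py'."""
    out = json.loads(json.dumps(payload))
    for item in out.get("codeQualityFile", []):
        path = item.get("filePath", "")
        if prefix and path.startswith(prefix):
            item["filePath"] = path[len(prefix):]
    return out


if __name__ == "__main__":
    mapped = apply_field_mapping(SAMPLE_PAYLOAD, '"MyApplication":codeQuality.releaseName')
    print(json.dumps(strip_file_prefix(mapped, "/opt/repo/"), indent=2))
```

Running the module prints the transformed payload so the effect of a mapping can be reviewed before Preview mode is turned off in the procedure.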

Metadata property path

The property sheet where run metadata is stored. If omitted, /mySchedule/EC-SonarQube-%JobName%-%Report Object Type% is used in a schedule context. For all other contexts, the root is /myProject.

Base URL for drill-down

The base URL for SonarQube. If empty, it is set to %url_from_configuration%/dashboard?id=%ProjectKey%.

Debug

If selected, the summary logs are written with the highest verbosity for the entire procedure.

Get Last SonarQube Metrics

Retrieves the last metrics from SonarQube based on specified parameters.

Retrieves the metrics of the last run from the SonarQube server. If a Sonar task ID is specified, the procedure waits for the SonarQube server to finish processing that task and then retrieves metrics that can be used in gates.

This procedure supports propertySheet, XML and JSON outputs.

Get Last SonarQube Metrics parameters

Parameter Description

Configuration name

Required. The unique name for the configuration.

Sonar task ID

The task ID passed to this procedure from a SonarScanner run initiated by third-party software. If it is set, this procedure waits for SonarQube to process the task, downloads the analysis data, and processes the metrics. If this parameter is not passed, only the metrics check for the specified SonarQube project is run.

Project key

Required. The project key that is unique for each project in SonarQube.

Project name

Required. The name of the project that is displayed in the SonarQube web interface.

Project version

The project version in SonarQube.

Sonar timeout

The timeout, in minutes, to wait for the task to be completed. The default timeout is 60 minutes.

Type of stored result

Set the result property format.

Property to store results

Set the result property where run metadata is stored. If omitted, /myJob/getLastSonarMetrics is used.

Metrics: Complexity

The metrics to store. The options are All, New, or None.

Metrics: Documentation

The metrics to store. The options are All, New, or None.

Metrics: Duplications

The metrics to store. The options are All, New, or None.

Metrics: Issues

The metrics to store. The options are All, New, or None.

Metrics: Maintainability

The metrics to store. The options are All, New, or None.

Metrics: QualityGates

The metrics to store. The options are All, New, or None.

Metrics: Reliability

The metrics to store. The options are All, New, or None.

Metrics: Security

The metrics to store. The options are All, New, or None.

Metrics: General

The metrics to store. The options are All, New, or None.

Metrics: Tests

The metrics to store. The options are All, New, or None.

Initiate Scanning Process

Scans the specified code directory and retrieves the analysis metrics from the SonarQube server. The heap size is configurable to support analysis of large codebases, and debug mode can be enabled for the scanner. If the debug level of the plugin is 2 or higher, the scanner debug mode is enabled automatically.

This procedure supports propertySheet, XML and JSON outputs. The task ID of the initiated analysis is returned, so it can be passed to the Get Last SonarQube Metrics procedure.

Initiate Scanning Process parameters

Parameter Description

Configuration name

Required. The unique name for the configuration.

Work directory

Set the working directory.

Source encoding

Set the source file encoding. For example, ISO-8859-1.

Project key

Required. The project key that is unique for each project in SonarQube.

Project name

Required. The name of the project that is displayed in the SonarQube web interface.

Project version

Required. The project version in SonarQube.

Local path to sources

Required. Comma-separated paths to directories that contain source files. For example, ./library, ./lib, ./gf_tool.pl.

Sonar timeout

The timeout, in minutes, to wait for the task to be completed. The default timeout is 60 minutes.

Custom values for SonarScanner

The SonarScanner custom settings, as "key=value" pairs, one pair per line, as in a common SonarScanner configuration file.

Enable SonarScanner debug mode

Enable debug mode for SonarScanner.

Heap space (MB)

The heap size, in megabytes. For example, 512.

Set this property if you get "Java heap space" or java.lang.OutOfMemoryError errors when the scanner runs. SonarScanner receives this additional setting through an environment variable, which prevents such errors.

Type of stored result

Set the result property format.

Property to store results

Set the result property where run metadata is stored. If omitted, /myJob/initiateScanner is used.
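How the parameters above turn into a scanner run, as an added Python example that is not the plugin's own code: the custom key=value lines become -D analysis properties, the heap size becomes a -Xmx option in the SONAR_SCANNER_OPTS environment variable, and the task ID the procedure returns is read from the ceTaskId line of the report-task.txt file SonarScanner writes under .scannerwork. The property names, the -X debug flag and SONAR_SCANNER_OPTS are real SonarScanner conventions; the rule that custom values may not override the connection and identity keys set from the configuration is an assumption added here, the report-task.txt content is constructed, and sonar-scanner is not actually executed.

```python
"""Assemble a SonarScanner invocation from the Initiate Scanning Process parameters.

Added example, not part of the EC-SonarQube plugin. Assumptions: custom values
may not override sonar.host.url / sonar.login / sonar.projectKey, which must
come from the plugin configuration and the procedure's own parameters.
"""
import os

# Keys a 'Custom values for SonarScanner' line may not override (assumption).
PROTECTED_KEYS = ("sonar.host.url", "sonar.login", "sonar.projectKey")


def parse_custom_values(text):
    """'Custom values for SonarScanner': one key=value per line; blank lines skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"custom value line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def build_scanner_command(server_url, project_key, project_name, project_version,
                          sources, token, custom_values="", debug=False):
    """Return the sonar-scanner argv. 'sources' is the comma-separated
    'Local path to sources' value; 'token' is the configuration credential."""
    props = {
        "sonar.host.url": server_url,
        "sonar.projectKey": project_key,
        "sonar.projectName": project_name,
        "sonar.projectVersion": project_version,
        "sonar.sources": ",".join(p.strip() for p in sources.split(",") if p.strip()),
        "sonar.login": token,
    }
    for key, value in parse_custom_values(custom_values).items():
        if key in PROTECTED_KEYS:
            raise ValueError(f"{key} must come from the plugin configuration, not custom values")
        props[key] = value
    argv = ["sonar-scanner"] + [f"-D{k}={v}" for k, v in props.items()]
    if debug:
        argv.append("-X")  # SonarScanner's debug switch
    return argv


def scanner_env(heap_mb=None, base_env=None):
    """Environment for the scanner process: 'Heap space (MB)' becomes -Xmx."""
    env = dict(os.environ if base_env is None else base_env)
    if heap_mb:
        existing = env.get("SONAR_SCANNER_OPTS", "")
        env["SONAR_SCANNER_OPTS"] = f"{existing} -Xmx{int(heap_mb)}m".strip()
    return env


# Constructed report-task.txt content in the key=value layout SonarScanner writes.
REPORT_TASK_SAMPLE = """projectKey=demo
serverUrl=https://sonar.example.invalid
ceTaskId=AYZz-constructed-task-id
ceTaskUrl=https://sonar.example.invalid/api/ce/task?id=AYZz-constructed-task-id
"""


def task_id_from_report(report_text):
    """Extract ceTaskId; a missing id means no analysis was submitted."""
    for line in report_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ceTaskId" and value.strip():
            return value.strip()
    raise ValueError("ceTaskId missing: the scanner did not submit an analysis")


if __name__ == "__main__":
    print(" ".join(build_scanner_command(
        "https://sonar.example.invalid", "demo", "Demo", "1.0",
        "./library, ./lib, ./gf_tool.pl", "<token-from-configuration>",
        "sonar.sourceEncoding=ISO-8859-1", debug=True)))
    print(scanner_env(512, {})["SONAR_SCANNER_OPTS"])
    print(task_id_from_report(REPORT_TASK_SAMPLE))
```

Keeping the token out of the custom values (it is rejected above) means it only ever comes from the stored plugin credential, which is what the Auth type and Token configuration parameters are for.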

Run Sonar Scanner

Runs SonarScanner on the specified code directory and retrieves the analysis metrics from the SonarQube server. The heap size is configurable to support analysis of large codebases, and debug mode can be enabled for the scanner. If the debug level of the plugin is 2 or higher, the scanner debug mode is enabled automatically.

After scanning, it waits for the SonarQube server to finish processing and retrieves metrics that could be used in gates.

Run Sonar Scanner parameters

Parameter Description

Configuration name

Required. The unique name for the configuration.

Work directory

Set the working directory.

Source encoding

Set the source file encoding. For example, ISO-8859-1.

Project key

Required. The project key that is unique for each project in SonarQube.

Project name

Required. The name of the project that is displayed in the SonarQube web interface.

Project version

Required. The project version in SonarQube.

Local path to sources

Required. Comma-separated paths to directories that contain source files. For example, ./library, ./lib, ./gf_tool.pl.

Sonar timeout

The timeout, in minutes, to wait for the task to be completed. The default timeout is 60 minutes.

Custom values for SonarScanner

The SonarScanner custom settings, as "key=value" pairs, one pair per line, as in a common SonarScanner configuration file.

Enable SonarScanner debug mode

Enable debug mode for SonarScanner.

Heap space (MB)

The heap size, in megabytes. For example, 512. Set this property if you get "Java heap space" or java.lang.OutOfMemoryError errors when the scanner runs. SonarScanner receives this additional setting through an environment variable, which prevents such errors.

Type of stored result

Set the result property format.

Property to store results

Set the result property where run metadata is stored. If omitted, /myJob/runSonarScanner is used.

Metrics: Complexity

The metrics to store. The options are All, New, or None.

Metrics: Documentation

The metrics to store. The options are All, New, or None.

Metrics: Duplications

The metrics to store. The options are All, New, or None.

Metrics: Issues

The metrics to store. The options are All, New, or None.

Metrics: Maintainability

The metrics to store. The options are All, New, or None.

Metrics: QualityGates

The metrics to store. The options are All, New, or None.

Metrics: Reliability

The metrics to store. The options are All, New, or None.

Metrics: Security

The metrics to store. The options are All, New, or None.

Metrics: General

The metrics to store. The options are All, New, or None.

Metrics: Tests

The metrics to store. The options are All, New, or None.

Use cases

Gate configuration example

Parameters for the EC-SonarQube job to initiate analysis

Parameter Description

Configuration

The name of the plugin configuration (server credentials and URL).

Work directory

Source code directory.

Property to store results

Used to configure where run data is stored. This data may be used within gate configurations.

Project key

The project key unique for each project in SonarQube.

Project name

Name of the project displayed on the web interface of SonarQube.

Project version

The project version in SonarQube.

Local path to sources

Comma-separated paths to directories that contain source files. For example: ./library, ./lib, ./gf_tool.pl.

Custom values for SonarScanner

Custom settings for SonarScanner, as "key=value" pairs, one pair per line, as in a common SonarScanner configuration file.

Metrics

Configures whether All, only New, or None of the metrics are stored for each section of SonarQube metrics.

Analysis data is saved for each run. The set of available SonarQube metrics depends on the plugins installed on the server and can be checked in the log after the job runs.
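The gate use case above, together with the wait-for-task behaviour of Get Last SonarQube Metrics and Run Sonar Scanner, as an added Python example (not the plugin's own code): poll a compute-engine task until it reaches a terminal state or the Sonar timeout in minutes expires, then evaluate a gate over the stored metrics. The task states and the measures JSON shape are those of SonarQube's api/ce/task and api/measures/component Web API; the responses below are constructed, the gate thresholds are an example policy, and the choice to fail the gate when a required metric is absent is a design decision made here.

```python
"""Wait for a SonarQube task, then evaluate a security gate on its metrics.

Added example, not part of the EC-SonarQube plugin. The status values and the
measures document layout follow SonarQube's Web API; sample data is constructed.
"""
import json
import time

# Terminal compute-engine task states and whether they count as success.
TERMINAL = {"SUCCESS": True, "FAILED": False, "CANCELED": False}


def wait_for_task(fetch_status, timeout_minutes=60, poll_seconds=5,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll fetch_status() (returns e.g. 'PENDING', 'IN_PROGRESS', 'SUCCESS').

    Returns True on SUCCESS; raises RuntimeError on FAILED/CANCELED and
    TimeoutError once the timeout (the procedure's 'Sonar timeout') elapses.
    clock/sleep are injectable so the logic can be tested without waiting.
    """
    deadline = clock() + timeout_minutes * 60
    while True:
        status = fetch_status()
        if status in TERMINAL:
            if TERMINAL[status]:
                return True
            raise RuntimeError(f"analysis task ended with status {status}")
        if clock() >= deadline:
            raise TimeoutError(f"task still {status} after {timeout_minutes} minutes")
        sleep(poll_seconds)


# Constructed response in the shape of api/measures/component.
MEASURES_SAMPLE = json.dumps({
    "component": {"key": "demo", "measures": [
        {"metric": "vulnerabilities", "value": "2"},
        {"metric": "security_rating", "value": "4.0"},
        {"metric": "security_hotspots_reviewed", "value": "60.0"},
        {"metric": "coverage", "value": "81.5"},
    ]},
})


def measures_to_dict(measures_json):
    """Flatten the measures list into {metric: value} (values are strings)."""
    doc = json.loads(measures_json)
    return {m["metric"]: m.get("value") for m in doc["component"]["measures"]}


# Example gate policy: (metric, comparator, threshold).
DEFAULT_GATE = [
    ("vulnerabilities", "<=", 0),
    ("security_rating", "<=", 1.0),            # 1.0 is an "A" rating
    ("security_hotspots_reviewed", ">=", 100.0),
]


def evaluate_gate(metrics, gate=DEFAULT_GATE):
    """Return (passed, failures). A metric that was not stored fails closed."""
    failures = []
    for metric, op, threshold in gate:
        raw = metrics.get(metric)
        if raw is None:
            failures.append(f"{metric}: not reported (failing closed)")
            continue
        value = float(raw)
        ok = value <= threshold if op == "<=" else value >= threshold
        if not ok:
            failures.append(f"{metric}: {value} is not {op} {threshold}")
    return (not failures, failures)


if __name__ == "__main__":
    states = iter(["PENDING", "IN_PROGRESS", "SUCCESS"])
    wait_for_task(lambda: next(states), timeout_minutes=1, sleep=lambda s: None)
    passed, failures = evaluate_gate(measures_to_dict(MEASURES_SAMPLE))
    print("gate passed" if passed else "gate failed:\n  " + "\n  ".join(failures))
```

Failing closed on a missing metric matters because the stored metric set depends on the "Metrics:" selections and on the plugins installed on the server; a gate that treats an absent vulnerabilities count as zero would pass silently after a misconfiguration.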

Job configuration

When your workflow launches, code is processed locally on the agent by SonarScanner in the Work directory. If this is an initial run or the configuration of your SonarQube server was changed, SonarScanner downloads all plugins from the SonarQube server. The Job configuration gives all required parameters for the scanner to initiate an analysis.

Pipeline configuration

To configure the SonarQube plugin in a pipeline:

  1. Clone your repository into a Work directory.

  2. Configure Run Sonar Scanner to run as a task targeting the Work directory.

  3. Remove the Work directory, if necessary.

After fetching the code, the SonarQube plugin triggers SonarScanner to initiate analysis by checking the code in the working directory against the given list of parameters. After the analysis runs, results are saved and may be used as gate parameters for follow-on steps.

Known issues

  • The Java code of the SonarQube scanner does not allow a connection to an instance if it detects a broken SSL certificate, for example when self-signed certificates are used.

    • A workaround is to add your certificate to the Java Keystore. This plugin includes a basic validator for SSL certificate issues, which may detect such issues.

  • Authorized proxy access is supported in SonarQube versions starting from 6.x due to limitations for proxy handling in old versions of the sonar-scanner-engine-shaded.

Release notes

EC-SonarQube 2.1.3

  • Fixed issue with Ignore SSL option for REST based procedures ("Get Last SonarQube Metrics" and "CollectReportingData")

EC-SonarQube 2.1.2

  • Updated the SonarScanner CLI version to 4.7.0.2747.

  • Fixed issue related to Test connection when using an authentication token.

  • Deprecated support for SonarQube 6.7. To use SonarQube 6.7, you must use CD agent 10.10 or lower.

EC-SonarQube 2.1.1

  • Added URL path support.

EC-SonarQube 2.1.0

  • Added the Ignore SSL Errors option to the plugin configuration.

EC-SonarQube 2.0.0

  • Upgraded from Perl 5.8 to Perl 5.32. The plugin is not backward compatible with releases prior to CloudBees CD/RO 10.3. Starting with this release, a new agent is required to run the plugin procedures.

  • Ported the plugin to PDK.

EC-SonarQube 1.5.2

  • Fixed a security issue.

EC-SonarQube 1.5.1

  • Fixed a security issue.

EC-SonarQube 1.5.0

  • Added support for new plugin configurations.

  • Added support for token credentials.

  • Updated supported versions of SonarQube. The plugin now supports SonarQube server versions 6.7 to 8.9.

  • Fixed an issue with checking the connection to SonarCloud.

EC-SonarQube 1.4.2

  • Fixed an issue where older setups of EditConfiguration did not work properly.

EC-SonarQube 1.4.1

  • Updated the plugin documentation.

EC-SonarQube 1.4.0

  • Updated supported versions of SonarQube. The plugin now supports SonarQube server versions 6.7 to 8.5.

  • Added support for external credential management.

  • In the Get Last SonarQube Metrics procedure, the Project version parameter has been updated, and is now an optional parameter.

  • Fixed a bug with proxy credentials that remained after a configuration was deleted.

EC-SonarQube 1.3.3

  • The documentation has been migrated to the main documentation site.

EC-SonarQube 1.3.2

  • Fixed saving a report URL in the pipeline context.

EC-SonarQube 1.3.1

  • Rebranding to "CloudBees CD/RO".

EC-SonarQube 1.3.0

  • Added the option to check a connection when creating or editing a configuration.

  • Added support for HTTP proxy. Customers who use an HTTP proxy can specify proxy information (host, port and credentials) at the configuration level, and all procedures use the proxy credentials as a second credential set for authentication.

EC-SonarQube 1.2.1

  • Renaming to "CloudBees".

EC-SonarQube 1.2.0

  • Improved plugin promotion time.

EC-SonarQube 1.1.3

  • Fixed URL for reports.

  • Added support for creating configurations by users with an @ sign in their name.

EC-SonarQube 1.1.2

  • Added metadata that is required for the 9.0 release.

EC-SonarQube 1.1.1

  • Added the SonarQube logo icon.

EC-SonarQube 1.1.0

  • A new procedure named CollectReportingData has been added to support predictive analytics.

  • Changes were made to support the ability to view and manage plugin configurations from within Deploy without having to navigate to the Automation Platform UI.

EC-SonarQube 1.0.4

  • Fixed an error during plugin promotion on the ElectricFlow instance that is running on Windows.

  • Configured the plugin to allow the ElectricFlow UI to render the plugin procedure parameters entirely using the configured form XMLs.

  • Enabled the plugin for managing the plugin configurations inline when defining an application process step or a pipeline stage task.

EC-SonarQube 1.0.3

  • Added SonarCloud.io support.

  • Changed the list of required parameters for procedures to support versions from 5.4 to the latest version.

  • Added validators to some procedure parameters for easier configuration.

  • Added SonarQube authorization token support.

  • Added testing connection functionality to the configuration page.

  • Added support for the SonarQube server from version 6.4.

  • Updated the plugin procedures documentation.

  • Improved debug output.

  • Provided fixes for the reported list of bugs.

EC-SonarQube 1.0.2

  • Added support for the InitiateScanner procedure for initiating analysis only.

  • Added support for the GetLastSonarMetrics procedure to retrieve metrics from the last analysis.

  • Fixed a problem with authorization on the SonarQube side.

  • Added support for the SonarQube server from version 5.4.

  • Fixed potential problems with running SonarScanner on Windows operating systems.

  • Added output in JSON and XML format.

  • Fixed a problem with the result property output.

EC-SonarQube 1.0.1

  • Applied the latest version of SonarScanner.

  • Added filters for metric groups.

EC-SonarQube 1.0.0

  • Added support for the complete RunSonarScanner procedure.

  • Added SonarQube server configuration.