SonarQube Integration (Beta)

The SonarQube integration makes it possible to include in the SonarQube dashboard results from the source code analysis by Packmind. We use the feature "Generic issue import format" for that, allowing external issues to be integrated into the SonarQube reports.

This page introduces how to use the Packmind CLI to generate a report that SonarQube will ingest.

We didn't develop a classic plugin for SonarQube since this approach is more appropriate with a pre-defined set of coding rules. Packmind does not work like this, as each customer will create its own set of coding standards.

There are some limitations to this mechanism, according to the SonarQube documentation:

You can't manage them within SonarQube. For example, you can't mark them as false positives. But you can change the issue type (Bug, Vulnerability, Code Smell) or the severity (Minor, ...).
You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

Integration

The key concept is simple: you can use either the Docker/Npm/Maven version of the Packmind CLI to generate one or multiple output files using the sonarqube formatter (check the CLI options).

Then, the Sonar Scanner CLI must ingest the output files using the argument:

-Dsonar.externalIssuesReportPaths=<your_path>

With the Maven Plugin

This will make sense if you use the SonarScanner for Maven. Check the Packmind Maven Plugin documentation to set the plugin up and ready.

Here is an example of configuration for a Gitlab CI pipeline:

stages:
  - quality

quality-check:
  stage: quality
  image: maven:3.6.3-jdk-11
  script:
      - mvn install
      - mvn com.promyze:scanner:scan -Dpromyze.formatters=console,sonarqube
      - mvn sonar:sonar -Dsonar.externalIssuesReportPaths=target/promyze-scan.json

With the Npm/Docker CLI

stages:
    - promyze
    - sonarqube

# Assume PROMYZE_API_KEY and PROMYZE__URL are set as CI/CD Variables
promyze-detect:
  stage: promyze
  image:
    name: promyze/promyze-cli:latest
    entrypoint: [""]
  artifacts:
    paths:
      - promyze-scan.json
  script:
    - promyze-scanner scan . --formatters=console,sonarqube --output=promyze-scan.json

# Assume SONAR_HOST_URL and SONAR_LOGIN are set as CI/CD Variables
sonarqube-scan:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - promyze-scan.json
  allow_failure: true
  script:
    - sonar-scanner -Dsonar.projectKey=your-key -Dsonar.qualitygate.wait=true -Dsonar.externalIssuesReportPaths=promyze-scan.json
```

More suggestions?

Share a feature request with us; we'll be to discuss it with you.

PreviousRun on Windows/Linux/Mac NextRun in Gitlab CI

Last updated 10 months ago