I am using Jenkins to kick off Sonar-runner for analyzing projects.
Now I use the Build Breaker plugin.
This breaks a build when a quality gate is reporting that the quality is below/above given values.
I'd like to change the quality gate used by the Sonar-Runner, on a per-job basis in Jenkins.
Looking up at Analysis Parameters documentation:
**sonar.profile** parameter is to change the language to analyse
I would thought that for the gate: sonar.gate would work (it doesn't)
Question:
What parameter for sonar-runner has to be used to change the "Quality Gate"?
Used versions:
Jenkins 1.598
Sonar 4.5.1 (LTS)
The property is sonar.qualitygate.
It was not documented because this is generally not a good idea to change the quality gate that should be used during a standard analysis - but it's true that it can be useful with the build breaker on preview analyses.
I updated the documentation.
I tried above solution but it did not work for me. Finally I figured out that with new version of sonar-scanner we can achieve it only from Sonar-Qube UI.
Follow below steps:
Login to Sonar Quber server as administrator and select projects. Search for the project name you want to add the quality gate for. Select the searched project and below screen screen would appear.
Navigate to Administration > Quality Gates
Select the quality gate from the drop-down which you want to use for this project (A default quality gate is assigned by-default for all the projects).
Hope this helps. Thanks!
Related
we are using pitest plugin in sonarqube and set up a quality gate on mutation coverage, since it is much more valuable than other coverage measurements.
Only, when a project is pushed that does not use pitest, the quality gate is not triggerd at all.
Is it possible to define a quality gate to detect that pitest is not defined for a project at all?
Thank you
Simple answer to your question: no, it's not. Quality gate conditions can not be triggered by the absence of a metric. So a metric has to be computed.
But the most recent version of sonar-pitest-plugin (0.9) does only compute coverage information when Mutation Analysis data is present (= a pitest report exists).
The change however is not overly complicated, if you need an urgent fix, check the PitestComputer class at line 84 and add the following else block:
if (mutationsTotal != null) {
...
} else {
context.addMeasure(PitestMetrics.MUTATIONS_KILLED_PERCENT_KEY, 0.0);
}
Compile it and install it manually to your instance.
That said, I want to give you a short heads up, that there is a newer plugin addressing Mutation Analysis in SonarQube (full disclosure: I'm the author), with several new features, rules etc.
The plugin is available via the market place (named "Mutation Analysis").
The plugin has the same limitation as the sonar-pitest-plugin, but I just created a new issue addressing your problem:
https://github.com/devcon5io/mutation-analysis-plugin/issues/13
Edit:
This feature is implemented in version 1.3
apologies if this has been covered, there have been a couple similar questions on SE - but struggling to find an explicit solution:
Does anyone know how to access the reports from SonarQube? I want to put some logic in Jenkins that will only proceed to do more stuff if quality gates are passed. This is something I wish to automate, and not login to sonarqube manually.
I have seen references to a possible, Gerrit plugin solution or using a curl step to use the API but neither explained how to replicate that approach.
You've got to use the SonarQube Scanner for Jenkins.
Specifically, check the "Analyzing in a Jenkins pipeline" section: it allows you to run a SonarQube analysis, and wait for the Quality Gate to be available so that you can decide (in your pipeline script) what to do based on the status of the quality gate.
sonarqube reports can be extracted using webapi
for example : http://sonarserver:9010/api/issues/search?componentKeys=sonarProject&severities=BLOCKER,CRITICAL,MAJOR,MINOR,INFO&s=SEVERITY&asc=false&ps=100
convert the json output to csv and to xls using online tools
http://convertcsv.com/json-to-csv.htm
I'm running a number of static analysis tools and I want to track the results from build to build. For example, if a commit to a branch increases the number of security vulnerabilities, I want to send an email to the committer. I know there are plugins like Sonar and Analysis Collector, but they don't cover all of the areas of analysis I want and they don't seem to have the ability to trigger actions based on build trends (correct me if I'm wrong).
You can use the Groovy Postbuild Plugin:
https://wiki.jenkins-ci.org/display/JENKINS/Groovy+Postbuild+Plugin
It lets you extract data (such as number of vulnerabilities detected) from the current build's buildlog with num_vul = manager.getLogMatcher(regexp)
And compare that to previous builds, by extracting info from their buildlog, e.g.:
currentBuildNumber = manager.build.number
manager.setBuildNumber(currentBuildNumber - 1)
prev_num_vul = manager.getLogMatcher(regexp)
Then, if the number of vulnerabilities had gone up, I would call manager.buildFailure() which sets the build status to FAILURE, and then have the next PostBuild step be to the Email-ext plugin which allows you to send email to the committer in the event of a failure.
I would recommend the SonarQube tool, which does just what you describe. You mention that you already looked at it, but maybe you missed the Notifications feature or the Build Breaker Plugin. There are more SonarQube features centered around Jenkins integration. SonarQube is free to use.
If you are still missing something, it might be worthwhile asking specifically how that aspect could be covered by SonarQube. Just my two cents.
I am using sonar for the last few months and want to know that do sonar works in an incremental way or not i.e if i do soanr analysis for the first time on my project code it will definitely analyze all the code but if i do some enhancement on my core source code and update some files then after updation do sonar analysis again on the same code then will sonar analyze all the files OR only analyze files which i have updated?
I am using "Sonar way with Findbugs" as my default quality profile.
Is there any way to use sonar in an incremental way, to analyze only updated files?
Is this possible in sonar or not?
Kindly revert your help will be appreciated..
Thanks in advance..
Sonar does not currently handle incremental analyses.
If you want, you can watch and vote for the following ticket: http://jira.codehaus.org/browse/SONAR-2815
If your task if code quality metrics in a general way, then you can use these tools directly on Jenkins. See FindBugs Plugin , PMD plugin or Checkstyle Plugin. They independently give what you need in the form of "incremental code" reports. But if you have to use SONAR only, then Fabrice's answer is the correct one.
Here the post where the ticket that #fabrice-sonar-team comments was born:
does Sonar support Incremental code quality analysis
You can read Freddy Mallet's explanation about why this functionality is not trivial to be implemented. It requires lot of effort, so as Fabrice said, vote for the ticket! :)
Just adding on since this is the first google result for 'Sonar incremental preview analysis' in stack, and the answers are way too old.
Sonar has plugins available for IDEs such as Eclipse and NetBeans that can run incremental analysis on the changed files alone. This still needs a connection the SonarQube server though.
You may also run the analysis right from Jenkins by passing an additional sonar analysis property - sonar.analysis.mode=incrementalin your Sonar scan build step. This will report the code quality in a full report - will all code issues as well as a light report containing only new issues (since last full scan as recorded in server).
To take one step further use sonar.issuesReport.html.enable=true and publish the generated html reports to your Jenkins build page - Neat and Trim
Sonar documentation here
This question is a bit round about, but I'll get to that in a minute. When someone changes the build's quality in TFS (we're on 2005) what exactly happens? Does this affect changesets or workitems, notifications??
Now the reason I ask: I want to be able to generate a changeset list between builds. As such selecting a build on Jan 1 and comparing it to a build on March 29, I want all the changesets between those builds. Perhaps there is another way to do this but I do think the build is the starting point.
Out of the box, it's just meta data about the build. The intent being you can use it in your development process to indicate when a build has progressed through certain quality gates.
It should be noted that the open source TFSDeployer project relies on the build quality as a trigger mechanism to run deployments scripts.
In TFS 2012, you can set a quality threshold on builds to say which ones can be used by Microsoft Test Manager for testing.
In MTM, in the Testing Center, under the Plan tab, under the Properties subtab, there is a section called Builds. You set a quality threshold with "Filter for builds" and then any builds that conform to the filter will show up when you click Modify under the "Build in use" line.
On a side note, I have found some interesting info here about automatically updating build quality through XAML.
I think it is just a notes field. I see it show up on some reports, but nothing else of value.