Comprehensive Guide for SonarQube with Quality Gate for Jenkins

Configuring JaCoCo code coverage Maven plugin

Including or excluding packages or class

It is good practice to include only project-specific classes; otherwise the coverage figures also cover 3rd-party libraries. A package is included or excluded by naming it like: com/swayam/demo/springbootdemo/rest/config/**
To include a single class: **/RestFulMicroserviceApplication.class

Prepare Agent

First, we would need to prepare the JaCoCo Agent for instrumentation:
http://www.jacoco.org/jacoco/trunk/doc/prepare-agent-mojo.html

This sets a property holding the agent details, which is then passed on to the surefire plugin so that the tests are run with this agent. This is how the surefire plugin is configured:

Generating Report

After the JUnit tests are run, we can specify the directory for the generated coverage report:
http://www.jacoco.org/jacoco/trunk/doc/report-mojo.html

Configuring Sonar Maven plugin

SonarQube's documentation for configuring a Maven plugin is scant, misleading and difficult to decipher. It's high time that they start hiring some good Tech Writers!

https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Maven

This is how the plugin is configured in your pom.xml. No global setting bullshit in settings.xml. Whoever suggested that is an idiot! The global settings.xml should be kept as pristine as possible.

Apart from this, SonarQube also expects certain properties to be set.
https://docs.sonarqube.org/display/SONAR/Analysis+Parameters

It is recommended to pass these from the Maven plugin. I have included them under the sonar profile as below:

Including or excluding packages or class

Remember that Sonar works on Java source code (hence the .java patterns below). A package is included or excluded by naming it like: **/com/swayam/demo/springbootdemo/rest/config/**
Similarly, you can exclude an individual class like this: **/RestFulMicroserviceApplication.java

Running SonarQube Analysis and Fetching the results of QualityGate

Run the Maven command:

mvn clean install sonar:sonar -P sonar

This will create the file: target/sonar/report-task.txt

Two URLs have to be read from this file:
1. serverUrl=http://192.168.1.4:9000
2. ceTaskUrl=http://192.168.1.4:9000/api/ce/task?id=AWE3eRSZAEMe8tTgpicn

Read the response from the ceTaskUrl using curl, and save it to a file ceTask.json:

curl "http://192.168.1.4:9000/api/ce/task?id=AWE3eRSZAEMe8tTgpicn" -o ceTask.json

The element we are interested in is task.analysisId:
"analysisId": "AWE3eRcyxJqMzJgr501D"

We need to read the response of the url: $serverUrl/api/qualitygates/project_status?analysisId=$analysisId

curl "http://192.168.1.4:9000/api/qualitygates/project_status?analysisId=AWE3eRcyxJqMzJgr501D" -o qualityGate.json

If the JSON value projectStatus.status is ERROR, the project has failed the QualityGate.
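The same report-task.txt -> ceTaskUrl -> project_status chain as an added Python example (not code from the original post or from the linked repository). It parses report-task.txt, polls the ceTaskUrl until the Compute Engine task reports SUCCESS (right after mvn returns the task may still be queued, so a single read can come back without an analysisId), then fetches projectStatus.status. It assumes the ce/task response carries task.status next to task.analysisId, and, like the post, that the server needs no authentication.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample of target/sonar/report-task.txt, using the values quoted above.
SAMPLE_REPORT_TASK = ("serverUrl=http://192.168.1.4:9000\n"
                      "ceTaskUrl=http://192.168.1.4:9000/api/ce/task?id=AWE3eRSZAEMe8tTgpicn\n")

def parse_report_task(text):
    """Parse report-task.txt (one key=value per line) into a dict."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def analysis_id_from_ce_task(ce_task_json):
    """task.analysisId once the Compute Engine task has finished; None while it
    is still PENDING/IN_PROGRESS; an error if it ended in any state but SUCCESS."""
    task = json.loads(ce_task_json)["task"]
    if task["status"] in ("PENDING", "IN_PROGRESS"):
        return None
    if task["status"] != "SUCCESS":
        raise RuntimeError("SonarQube analysis task ended with %s" % task["status"])
    return task["analysisId"]

def quality_gate_status(quality_gate_json):
    """projectStatus.status from qualityGate.json; ERROR means the gate failed."""
    return json.loads(quality_gate_json)["projectStatus"]["status"]

def fetch(url):
    """Plain HTTP GET; swap in an authenticated client for a secured server."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")

def check_quality_gate(report_task_text, fetch=fetch, poll_seconds=5, max_polls=60):
    """Follow report-task.txt -> ceTaskUrl -> project_status; return the gate status."""
    props = parse_report_task(report_task_text)
    for _ in range(max_polls):  # the CE task may still be queued right after the build
        analysis_id = analysis_id_from_ce_task(fetch(props["ceTaskUrl"]))
        if analysis_id:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError("analysis task did not finish within the polling window")
    gate_url = "%s/api/qualitygates/project_status?%s" % (
        props["serverUrl"], urllib.parse.urlencode({"analysisId": analysis_id}))
    return quality_gate_status(fetch(gate_url))
```

A build step that calls check_quality_gate on the real file should treat a returned "ERROR" as a failed build.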

Integration with Jenkins

To start with, we would need to install the below Jenkins plugins:

Sonar Quality Gates Plugin

https://plugins.jenkins.io/sonar-quality-gates
https://github.com/arkanjoms/sonar-quality-gates-plugin/blob/master/README.md

SonarQube Scanner for Jenkins

https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins

Specifying Sonar Qube Installation

We would need to tell Jenkins about our SonarQube installation. This is done by logging into Jenkins and then navigating to Manage Jenkins -> Configure System.

Step 1

Step 2

Click on Add Sonar instance and give a unique name: MySonarQubeLocal. This would be used later for Jenkins Pipeline Project.

Integration with Jenkins Freestyle Project

Go to the Build section -> Add build step -> Execute SonarQube Scanner

You can specify the sonar properties either as a separate file in the section Path to project properties or in the section Analysis properties. Both of these approaches are equally bad. Instead, the properties should be passed through a Maven plugin in the build step as shown above:

clean install sonar:sonar -P sonar

In the Jenkins Freestyle Project, that's all the configuration you need.

Integration with Jenkins Pipeline Project

The SonarQube Scanner plugin has support for Jenkins Pipeline. It can be used as follows:

To determine whether the project has passed the QualityGate, we need to use the logic stated in the section Running SonarQube Analysis and Fetching the results of QualityGate. Since we are using Groovy DSL, it is very easy for us to do this. I am pasting the full content of the Jenkinsfile:

Appendix

Sample report-task.txt

Sample ceTask.json

Sample qualityGate.json for PASS


Sample qualityGate.json for FAIL


Sources

The complete sources can be found here: https://github.com/paawak/spring-boot-demo/tree/master/restful-microservice
