[FOLIO-386] Incorporate SonarQube into CI process Created: 10/Nov/16 Updated: 12/Nov/18 Resolved: 28/Sep/17 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P2 |
| Reporter: | John Malconian | Assignee: | John Malconian |
| Resolution: | Done | Votes: | 0 |
| Labels: | ci, sprint22 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | 1 day, 3 hours, 30 minutes | ||
| Original estimate: | Not Specified | ||
| Sprint: |
| Description |
|
Julian recommends Sonarqube for code quality management (http://www.sonarqube.org/). It looks fairly comprehensive and there are plugins for Jenkins integration as well including a quality gate plugin that will "fail" a build if a threshold of errors is crossed. https://sonar.gbv.de (Julian's site) |
| Comments |
| Comment by John Malconian [ 10/Nov/16 ] |
|
Experimented with a SonarQube implementation running in a Docker container. |
| Comment by Magda Zacharska [ 29/Aug/17 ] |
|
Starting with setting up mod-circulation. After the changes are reviewed by John we can identify next projects. |
| Comment by Magda Zacharska [ 07/Sep/17 ] |
|
Created pull request for mod-circulation. Awaiting approval. |
| Comment by John Malconian [ 07/Sep/17 ] |
|
Rather than host our own SonarQube installation, I opted for the SonarQube hosted version. It is free for public, OS projects. https://sonarcloud.io/organizations/folio-org/projects

There are a few different ways to run the publish results: For Maven-based projects, the easiest way is to run:

mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent package sonar:sonar \

This is simple because it does not require updating project POMs or any extra special configs.

The SonarQube "scanner", I guess, is a standalone tool. It requires a "properties" or configuration file located with the project's source. I imagine it allows for more granular configuration. https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner The "scanner" can be used for all sorts of projects, including JavaScript, so we can also utilize this for Stripes/UI stuff as well.

The next step for me is the integration between Jenkins and SonarQube. There is a SonarQube scanner plugin for Jenkins that I've installed on our FOLIO Jenkins system. I've configured it to publish results to the SonarQube site above. Each project/job requires a step that will run the scanner and publish results. I'm in the process of developing shared pipeline libraries for Jenkins. I will experiment with adding a SonarQube step to the library so that it is run for each project rather than configuring it manually for each project. |
| Comment by Magda Zacharska [ 07/Sep/17 ] |
|
I will drop my PR then. Using a properties file might indeed be a better way of configuring the project if needed. |
| Comment by Julian Ladisch [ 07/Sep/17 ] |
|
No: https://stackoverflow.com/questions/17862307/running-gradle-plugin-directly-from-command-line As a software developer I would like to run sonar for the module I'm working on (and reporting to my local sonar server) so I would like to have the sonar plugin in the build.gradle. |
| Comment by John Malconian [ 12/Sep/17 ] |
|
I've integrated SonarQube with the CI builds of the master branch for all FOLIO backend modules except the two Gradle projects - mod-circulation and mod-inventory. You can see them in the SonarQube dashboard here: https://sonarcloud.io/organizations/folio-org/projects Projects left to do:
Also, we will want SonarQube analysis/feedback for non-master branches and PRs without updating results in the database. I'll circle back to this after setting up the remaining modules. Some info on setting that up here: https://blog.sonarsource.com/analysis-vs-preview-vs-incremental-preview-in-sonarqube/ |
| Comment by John Malconian [ 18/Sep/17 ] |
|
All current folio-org projects now have corresponding sonarqube projects except mod-circulation and mod-inventory. |
| Comment by John Malconian [ 19/Sep/17 ] |
|
I've enabled a branch called 'pr-sonarqube' of the shared Jenkins pipeline library to trigger SonarQube analysis of PRs and post analysis of results back to GitHub. Experimental at this time and only enabled for folio-org/okapi and folio-org/mod-notes. Let's see how this works out before enabling it across all projects. TODO: Magda has also reminded me to enable analysis for stripes-* projects. |
| Comment by John Malconian [ 28/Sep/17 ] |
|
All software projects have been added to Sonarqube with the exception of mod-inventory and mod-circulation (See
|