[FOLIO-386] Incorporate SonarQube into CI process Created: 10/Nov/16  Updated: 12/Nov/18  Resolved: 28/Sep/17

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: John Malconian Assignee: John Malconian
Resolution: Done Votes: 0
Labels: ci, sprint22
Remaining Estimate: Not Specified
Time Spent: 1 day, 3 hours, 30 minutes
Original estimate: Not Specified

Sprint:

 Description   

Julian recommends SonarQube for code quality management (http://www.sonarqube.org/). It looks fairly comprehensive, and there are plugins for Jenkins integration as well, including a quality gate plugin that will "fail" a build if a threshold of errors is crossed.

https://sonar.gbv.de (Julian's site)



 Comments   
Comment by John Malconian [ 10/Nov/16 ]

Experimented with a SonarQube implementation running in a Docker container.

Comment by Magda Zacharska [ 29/Aug/17 ]

Starting with setting up mod-circulation. After the changes are reviewed by John we can identify next projects.

Comment by Magda Zacharska [ 07/Sep/17 ]

Created pull request for mod-circulation. Awaiting approval.

Comment by John Malconian [ 07/Sep/17 ]

Rather than host our own SonarQube installation, I opted for the SonarQube hosted version. It is free for public, OS projects.

https://sonarcloud.io/organizations/folio-org/projects

There are a few different ways to run the analysis and publish results:

For Maven-based projects, the easiest way is to run:

mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent package sonar:sonar \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.organization=folio-org \
-Dsonar.login=SECRET

This is simple because it does not require updating project POMs or any extra special configs.

The SonarQube "scanner", I guess, is a standalone tool. It requires a "properties" or configuration file located with the project's source. I imagine it allows for more granular configuration.

https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner

The "scanner" can be used for all sorts of projects, including JavaScript, so we can also utilize this for Stripes/UI stuff as well.

The next step for me is the integration between Jenkins and SonarQube. There is a SonarQube scanner plugin for Jenkins that I've installed on the FOLIO Jenkins system. I've configured it to publish results to the SonarQube site above. Each project/job requires a step that will run the scanner and publish results.

I'm in the process of developing shared pipeline libraries for Jenkins. I will experiment with adding a SonarQube step to the library so that it is run for each project rather than configuring it manually for each project.

Comment by Magda Zacharska [ 07/Sep/17 ]

I will drop my PR then. Using properties file might be indeed a better way of configuring the project if needed.
Does Gradle allow for executing plugins from the command line? mod-circulation is a Gradle project (at least for now) and I think there are some other Gradle projects as well.

Comment by Julian Ladisch [ 07/Sep/17 ]

No: https://stackoverflow.com/questions/17862307/running-gradle-plugin-directly-from-command-line

As a software developer I would like to run sonar for the module I'm working on (and reporting to my local sonar server) so I would like to have the sonar plugin in the build.gradle.
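
The shared pipeline library step John describes above, combined with Julian's point that Gradle cannot run a plugin from the command line and needs it declared in build.gradle, as an added Jenkins shared-library (Groovy) example. This is not FOLIO's own pipeline library. It assumes a Jenkins "Secret text" credential with id 'sonarcloud-token', a SonarQube server configuration in Jenkins named 'SonarCloud', and a scanner tool installation named 'SonarQube Scanner'; the step name sonarqubeAnalysis is hypothetical. Instead of putting the token on the command line as -Dsonar.login=SECRET, where it ends up in the build log and in the agent's process list, it reads the token from the credentials store and lets the shell expand it, and it fails the build on the quality gate rather than only publishing results.

```groovy
// vars/sonarqubeAnalysis.groovy  (hypothetical shared-library step, not FOLIO's own code)
//
// Usage from a module's Jenkinsfile:   sonarqubeAnalysis()
// Assumes (not configured on the page): a Jenkins secret-text credential with id
// 'sonarcloud-token', a SonarQube server named 'SonarCloud' in the Jenkins global
// config, and a scanner tool installation named 'SonarQube Scanner'.

def call(Map args = [:]) {
    String organization = args.get('organization', 'folio-org')
    String hostUrl      = args.get('hostUrl', 'https://sonarcloud.io')

    // The token comes from the credentials store and is masked in the console log.
    // It is referenced as \$SONAR_TOKEN so the shell expands it, not Groovy: Groovy
    // interpolation would bake the secret into the command string Jenkins records.
    withCredentials([string(credentialsId: 'sonarcloud-token', variable: 'SONAR_TOKEN')]) {
        withSonarQubeEnv('SonarCloud') {
            if (fileExists('pom.xml')) {
                // Maven: no POM change needed; the JaCoCo agent supplies coverage.
                sh """
                    mvn -B clean org.jacoco:jacoco-maven-plugin:prepare-agent package sonar:sonar \\
                        -Dsonar.host.url=${hostUrl} \\
                        -Dsonar.organization=${organization} \\
                        -Dsonar.login=\$SONAR_TOKEN
                """
            } else if (fileExists('build.gradle')) {
                // Gradle: the project's build.gradle must apply the org.sonarqube plugin;
                // the CI job can only invoke the task it provides.
                sh """
                    ./gradlew sonarqube \\
                        -Dsonar.host.url=${hostUrl} \\
                        -Dsonar.organization=${organization} \\
                        -Dsonar.login=\$SONAR_TOKEN
                """
            } else if (fileExists('sonar-project.properties')) {
                // Standalone scanner (JavaScript/Stripes etc.): project settings come
                // from sonar-project.properties checked in next to the source.
                def scannerHome = tool 'SonarQube Scanner'
                sh "${scannerHome}/bin/sonar-scanner -Dsonar.login=\$SONAR_TOKEN"
            } else {
                error 'No pom.xml, build.gradle or sonar-project.properties found; nothing to analyze'
            }
        }
    }

    // Block until the server reports the quality gate result (delivered to Jenkins by
    // the SonarQube webhook) and fail the build when the gate is not OK.
    timeout(time: 10, unit: 'MINUTES') {
        def qg = waitForQualityGate()
        if (qg.status != 'OK') {
            error "SonarQube quality gate failed: ${qg.status}"
        }
    }
}
```

Calling sonarqubeAnalysis() from each module's Jenkinsfile replaces the per-job scanner step. waitForQualityGate depends on a webhook from the SonarQube server back to Jenkins; without it the step waits until the timeout trips and the build fails for the wrong reason.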

Comment by John Malconian [ 12/Sep/17 ]

I've integrated SonarQube with the CI builds of the master branch for all FOLIO backend modules except the two Gradle projects - mod-circulation and mod-inventory. You can see them in the SonarQube dashboard here:

https://sonarcloud.io/organizations/folio-org/projects

Projects left to do:

  • Okapi
  • UI modules
  • Some other miscellaneous projects.

Also, we will want SonarQube analysis/feedback for non-master branches and PRs without updating results in the database. I'll circle back to this after setting up the remaining modules. Some info on setting that up here:

https://blog.sonarsource.com/analysis-vs-preview-vs-incremental-preview-in-sonarqube/
https://docs.sonarqube.org/display/PLUG/GitHub+Plugin

Comment by John Malconian [ 18/Sep/17 ]

All current folio-org projects now have corresponding SonarQube projects except mod-circulation and mod-inventory.

Comment by John Malconian [ 19/Sep/17 ]

I've enabled a branch called 'pr-sonarqube' of the shared Jenkins pipeline library to trigger SonarQube analysis of PRs and post analysis results back to GitHub. Experimental at this time and only enabled for folio-org/okapi and folio-org/mod-notes. Let's see how this works out before enabling it across all projects.

TODO: Magda has also reminded me to enable analysis for stripes-* projects.

Comment by John Malconian [ 28/Sep/17 ]

All software projects have been added to SonarQube with the exception of mod-inventory and mod-circulation (See CIRC-30 Closed ). Additional SonarQube activities are being tracked in additional issues ( FOLIO-844 Closed , FOLIO-864 In Progress , and FOLIO-858 Open ).
