DEV Community

Akansh Singhal

Journey to Integrate SonarQube Analysis on every pull request - Part 2

In this part we continue implementing SonarQube analysis on GitHub pull requests. If you want to learn more about SonarQube and its integration with GitHub, please refer to my previous blog (Part 1).

This solution involves integrating Jenkins, SonarQube, and GitHub. Let's divide the problem into two parts:

  • Triggering SonarQube analysis from Jenkins as soon as a PR is raised on GitHub.
  • Reporting the issues found on the GitHub PR.

We will start by addressing the first part.

[Diagram: the two parts of the solution, with part 1 (triggering the analysis) highlighted as the part solved first]

You can start Jenkins on your local machine using the linked resource.

Once Jenkins is ready, create a Jenkins job of type Multibranch Pipeline.

[Screenshot: creating the Multibranch Pipeline job]

Now configure your pipeline as per the screenshots below:

[Screenshots: configuring the pipeline]

After setting up the Jenkins job and adding the Jenkinsfile below to the code base, we can run SonarQube analysis on that code base.

#!groovy
pipeline {
    agent any

    parameters {
        string(name: 'REPO_OWNER', defaultValue: 'Akansh09', description: 'Git Repo Owner?')
        string(name: 'REPO_NAME', defaultValue: 'sonar-analysis', description: 'Git Repo Name?')
        string(name: 'SONAR_PROJECT', defaultValue: 'sonar-analysis', description: 'Sonar Project?')
        string(name: 'TARGET_BRANCH', defaultValue: 'develop', description: 'Target branch?')
    }

    triggers {
        // Poll the repository for new commits every 5 minutes.
        pollSCM('*/5 * * * *')
    }

    stages {
        stage('SonarQube Analysis') {
            steps {
                // A `def` is Groovy code, which a declarative pipeline only allows inside script {}.
                script {
                    def gitCommitHash = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    // Hand the hash to the shell as an environment variable and keep the command in a
                    // single-quoted Groovy string, so SONARQUBE_LOGIN is expanded by the shell instead of
                    // being interpolated into Groovy (which Jenkins flags as an insecure use of a secret).
                    // Build parameters such as SONAR_PROJECT are already exposed to the shell as env variables.
                    // sonar.token replaced sonar.login in recent scanner versions; use sonar.login on older ones.
                    withEnv(["GIT_COMMIT_HASH=${gitCommitHash}"]) {
                        sh '''
                            set +x   # the sh step runs with -x; stop it echoing the expanded token into the build log
                            "$MAVEN_HOME/bin/mvn" clean verify sonar:sonar \
                                -Dsonar.projectKey=Akansh09_sonar-analysis_15fb42fe-8cb3-459f-86ea-7eb5b2e2db21 \
                                -Dsonar.projectName="$SONAR_PROJECT" \
                                -Dsonar.host.url="$SONARQUBE_URL" \
                                -Dsonar.token="$SONARQUBE_LOGIN" \
                                -Dsonar.projectVersion="$GIT_COMMIT_HASH"
                        '''
                    }
                }
            }
        }
    }
}

Define MAVEN_HOME, SONARQUBE_LOGIN and SONARQUBE_URL as environment variables on your Jenkins node. SONARQUBE_LOGIN is a SonarQube user token and should be treated as a secret: storing it as a Jenkins credential and binding it with withCredentials is preferable to a plain node environment variable, because Jenkins then masks it in the build log.

[Screenshot: SonarQube analysis result after part 1]

The second part of the solution is to persist these issues on the GitHub PR, which we address next.

[Diagram: part 2 of the problem (reporting the issues on the PR)]

Now we have to fetch the issues from SonarQube and comment on GitHub. We use the REST APIs of both products for this.

# Use double quotes: inside single quotes the shell does not expand ${SONAR_PROJECT_KEY}
# or ${SONAR_BASIC_TOKEN}, and curl would send them literally. SONAR_BASIC_TOKEN must be
# base64("<user token>:"), i.e. the token as user name with an empty password.
# sinceLeakPeriod is deprecated since SonarQube 9.4, where the parameter is inNewCodePeriod.
curl --location "http://127.0.0.1:9000/api/issues/search?componentKeys=${SONAR_PROJECT_KEY}&sinceLeakPeriod=true" \
--header "Authorization: Basic ${SONAR_BASIC_TOKEN}"

This returns every issue raised in the project's new code period, i.e. the issues introduced by the new code changes.

# Same quoting rule: double quotes so ${GIT_REPO_OWNER}, ${GIT_REPO_NAME}, ${PR_ID} and
# ${GIT_TOKEN} are expanded by the shell. GIT_TOKEN needs write access to pull requests
# on the repository. The JSON body stays single-quoted because it is literal text.
curl --location "https://api.github.com/repos/${GIT_REPO_OWNER}/${GIT_REPO_NAME}/pulls/${PR_ID}/reviews" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${GIT_TOKEN}" \
--header "Content-Type: application/json" \
--data '{
    "body": "SonarQube found new issues in this pull request.",
    "event": "REQUEST_CHANGES"
}'

The call above posts a review on the pull request. Now that we know the APIs for both steps, one challenge remains: the SonarQube API gives no context about which commit an issue belongs to, so there is no direct mapping from commit ID to issue or from PR to issue.
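Part 3 of the series will write a wrapper to bridge that gap. As an added example that is not the author's code, here is one way a practitioner can attribute issues to a PR using only what the two APIs already return: GitHub's pull-request files endpoint returns the unified diff of each changed file, and every SonarQube issue carries the file path (inside `component`) and a `line`, so an issue can be reported on the PR when it sits on a line the PR added. Both API responses below are constructed samples, the project key `sonar-analysis`, the issue keys and the file paths are made up, and the output is the JSON body for the reviews endpoint shown above; the HTTP calls themselves are left to curl as in the post.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample of a SonarQube GET /api/issues/search?sinceLeakPeriod=true response,
# trimmed to the fields used below. "component" is "<projectKey>:<path in repo>"; the
# project key "sonar-analysis", the issue keys and the file paths are made up for this example.
SONAR_ISSUES_JSON = """{"total": 4, "issues": [
  {"key": "AY1", "rule": "java:S1481", "severity": "MINOR", "type": "CODE_SMELL", "line": 12,
   "component": "sonar-analysis:src/main/java/App.java", "message": "Remove this unused 'tmp' local variable."},
  {"key": "AY2", "rule": "java:S2068", "severity": "BLOCKER", "type": "VULNERABILITY", "line": 40,
   "component": "sonar-analysis:src/main/java/App.java", "message": "Make sure this is not a hard-coded credential."},
  {"key": "AY3", "rule": "java:S1118", "severity": "MAJOR", "type": "CODE_SMELL", "line": 3,
   "component": "sonar-analysis:src/main/java/Util.java", "message": "Add a private constructor."},
  {"key": "AY4", "rule": "java:S1228", "severity": "MINOR", "type": "CODE_SMELL",
   "component": "sonar-analysis:src/main/java/App.java", "message": "Add a package-info.java file."}
]}"""

# Constructed sample of GitHub GET /repos/{owner}/{repo}/pulls/{n}/files, trimmed to
# filename + patch. "patch" holds that file's unified-diff hunks without ---/+++ headers.
# Only App.java is touched, and only new-file lines 12 and 40 are added by the PR.
GITHUB_PR_FILES = [
    {"filename": "src/main/java/App.java", "status": "modified", "patch": "\n".join([
        "@@ -10,3 +10,4 @@ public class App {",
        "     int a = 1;",
        "     int b = 3;",
        "+    int tmp = 2;",
        "     return a + b;",
        "@@ -38,3 +39,3 @@ public class App {",
        '     String user = "admin";',
        "-    String pwd = readPassword();",
        '+    String password = "hunter2";',
        "     connect(user, password);",
    ])},
    {"filename": "logo.png", "status": "added"},  # binary file: GitHub sends no "patch"
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(patch: str) -> Set[int]:
    """Return the new-file line numbers of every '+' line in a unified-diff patch."""
    added: Set[int] = set()
    new_line = 0
    for raw in patch.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))   # first new-file line covered by this hunk
        elif raw.startswith("+"):
            added.add(new_line)
            new_line += 1
        elif raw.startswith(("-", "\\")):
            continue                     # removed line, or "\ No newline at end of file"
        else:
            new_line += 1                # unchanged context line
    return added


def changed_lines_by_file(pr_files: List[dict]) -> Dict[str, Set[int]]:
    return {f["filename"]: added_lines(f.get("patch", "")) for f in pr_files}


def issue_path(component: str) -> str:
    """Strip the '<projectKey>:' prefix from a SonarQube component key."""
    return component.split(":", 1)[1] if ":" in component else component


def issues_in_pr(sonar_json: str, pr_files: List[dict]) -> List[dict]:
    """Keep only issues sitting on a line this PR added. File-level issues (no 'line')
    and issues in files the PR does not touch are dropped."""
    changed = changed_lines_by_file(pr_files)
    matched = []
    for issue in json.loads(sonar_json)["issues"]:
        path, line = issue_path(issue["component"]), issue.get("line")
        if line is not None and line in changed.get(path, set()):
            matched.append({"path": path, "line": line, "issue": issue})
    return matched


def build_review(matched: List[dict]) -> dict:
    """Build the JSON body for POST /repos/{owner}/{repo}/pulls/{n}/reviews: one inline
    comment per matched issue, and REQUEST_CHANGES only when something was found."""
    comments = [{"path": m["path"], "line": m["line"], "side": "RIGHT",
                 "body": "SonarQube {severity} {type} ({rule}): {message}".format(**m["issue"])}
                for m in matched]
    if not comments:
        return {"body": "SonarQube found no new issues on the changed lines.", "event": "COMMENT"}
    return {"body": f"SonarQube found {len(comments)} new issue(s) on the changed lines.",
            "event": "REQUEST_CHANGES", "comments": comments}


if __name__ == "__main__":
    print(json.dumps(build_review(issues_in_pr(SONAR_ISSUES_JSON, GITHUB_PR_FILES)), indent=2))
```

Running the script prints the review body with two inline comments (lines 12 and 40 of App.java); the Util.java issue and the file-level issue are dropped. The matching is deliberately narrow: an issue on an unchanged line of a touched file is not reported, which also keeps the POST from failing, since GitHub rejects inline review comments on lines that are not part of the diff.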

In Part 3 of this series, we will stitch these APIs together and create a complete solution by writing a wrapper over the SonarQube API.

If you have any questions or need further information, feel free to contact me at akanshsinghal7@gmail.com.
