1. Introduction to SonarQube
SonarQube is an automated code review tool for detecting errors, vulnerabilities, and code smells in code. It can be integrated with your existing workflow to support continuous code inspection across project branches and pull requests.
The workflow is shown in the figure.
As shown in the figure, SonarQube consists of the following four components:
1. SonarQube Server:
- Web Server: lets developers and managers browse quality snapshots and configure the SonarQube instance
- Search Server: an Elasticsearch-based search server that backs searches from the UI (history)
- Compute Engine: processes code analysis reports and saves them in the SonarQube database
2. SonarQube Database: stores
- the SonarQube instance configuration (security, plugin settings, etc.)
- quality snapshots of projects, views, etc.
3. SonarQube Plugins: multiple plugins installed on the server, which may include language, SCM, integration, authentication and management plugins
4. SonarScanners: the various scanner components, run on the build / continuous integration server to analyze the project
For a detailed introduction to SonarQube, please refer to its official website.
2. Installation of SonarQube
SonarQube provides a variety of installation methods; this article uses the Docker image to demonstrate.
1. Pull the SonarQube Docker image
$> docker pull sonarqube:8.2-community
2. Create the Docker data volumes
# holds data files, such as the embedded H2 database and the Elasticsearch indexes
$> docker volume create --name sonarqube_data
# holds plugins, such as the language analyzers
$> docker volume create --name sonarqube_extensions
# holds the SonarQube logs for access, the web process, the CE process and Elasticsearch
$> docker volume create --name sonarqube_logs
3. Configure the local database (the example uses PostgreSQL)
If you use PostgreSQL's default schema "public", this step is not necessary. If you want to use a custom schema, execute the following command:
ALTER USER mySonarUser SET search_path to <custom schema name>
4. Start SonarQube
# The SONAR_JDBC_* variables below configure the database used by SonarQube; PostgreSQL is recommended.
# (The comment must sit above the command: a '#' line inside a backslash-continued command breaks the continuation.)
# <image_name> is the image pulled in step 1.
$> docker run -d --name sonarqube \
    -p 9000:9000 \
    -e SONAR_JDBC_URL=jdbc:postgresql://xxxx:5432/postgres \
    -e SONAR_JDBC_USERNAME=... \
    -e SONAR_JDBC_PASSWORD=... \
    -v sonarqube_data:/opt/sonarqube/data \
    -v sonarqube_extensions:/opt/sonarqube/extensions \
    -v sonarqube_logs:/opt/sonarqube/logs \
    <image_name>
Once the container is up, it can be reached from a local browser at http://localhost:9000.
3. Create a project in SonarQube
Step 1: New project
Step 2: Fill in the project information
Step 3: create token
Step 4: record the token
The project has now been created and the token recorded; the token is used in the following steps.
4. Configure the SonarQube plugin in Jenkins
1. Install the SonarQube plugin
2. Add the SonarQube configuration
Configure the SonarQube server in Jenkins > Manage Jenkins > global configuration, as shown below:
Name is a custom name; Server URL is the access address of SonarQube.
Finally, the token needs to be added. Click Add, as shown below:
Select Secret text as the type, fill the token obtained in step 3 into the Secret field, and fill in the remaining fields as you like. After adding it, go back to the previous screen, Server authentication token, and select the token just added.
5. Add SonarQube to the project
The following uses a Maven single-module project as an example:
1. Add the SonarQube plugin to the pom.xml:
<!-- Add the sonar.projectKey property: the name used when the project was created in SonarQube -->
<properties>
    <sonar.projectKey>sonar-demo</sonar.projectKey>
</properties>
<!-- Add the sonarqube plugin (inside <build><plugins>) -->
<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>3.6.0.1398</version>
</plugin>
2. Manual code scanning
Execute the following command:
mvn sonar:sonar \
    -Dsonar.projectKey=<project name in SonarQube> \
    -Dsonar.host.url=http://<SonarQube address> \
    -Dsonar.login=<token recorded in step 3>
After the command completes, return to the SonarQube interface, where the scan records and results can be seen:
6. Integration of SonarQube in the Jenkins pipeline
Define the static code inspection stages in the Jenkinsfile, as shown below:
The figure above defines two stages: 1. static code inspection; 2. analysis of the inspection result.
⚠️: In the analysis stage, Jenkins learns the scan result through a callback from SonarQube, so a webhook must be configured in SonarQube:
The webhook domain name is the domain name of the Jenkins address.
At this point, SonarQube has been successfully integrated into the Jenkins pipeline, as shown below:
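The callback described above is an HTTP POST from SonarQube to Jenkins carrying the analysis result. Because the build's pass/fail decision depends on it, a receiver should check that the callback really came from the configured SonarQube server before trusting it. The following is an added example, not code from the original article or from SonarQube or Jenkins: it verifies the HMAC-SHA256 signature that SonarQube adds in the X-Sonar-Webhook-HMAC-SHA256 header when a webhook secret is configured (per the SonarQube webhook documentation; the hex digest is computed over the raw request body), then extracts the quality gate status and the failed conditions. The request body, the secret and the project key sonar-demo are constructed sample values; the payload field names follow the documented webhook format.

```python
import hashlib
import hmac
import json

# Constructed sample webhook body, trimmed to the fields used here (not a real SonarQube capture).
SAMPLE_BODY = json.dumps({
    "serverUrl": "http://sonar.example.test:9000",
    "taskId": "TASK-ID-PLACEHOLDER",
    "status": "SUCCESS",
    "project": {"key": "sonar-demo", "name": "sonar-demo"},
    "branch": {"name": "master", "type": "BRANCH", "isMain": True},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_coverage", "operator": "LESS_THAN", "value": "42.0",
             "status": "ERROR", "errorThreshold": "80"},
            {"metric": "new_bugs", "operator": "GREATER_THAN", "value": "0",
             "status": "OK", "errorThreshold": "0"},
        ],
    },
}, separators=(",", ":")).encode()

WEBHOOK_SECRET = b"constructed-demo-secret"   # the "Secret" field of the webhook in SonarQube
HMAC_HEADER = "X-Sonar-Webhook-HMAC-SHA256"   # header SonarQube sets when a secret is configured


def sign(body: bytes, secret: bytes) -> str:
    """Lowercase hex HMAC-SHA256 of the raw body, the form SonarQube sends."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: bytes) -> bool:
    """True only if the signature header is present and matches the body."""
    provided = next((v for k, v in headers.items() if k.lower() == HMAC_HEADER.lower()), None)
    if provided is None:
        return False
    # constant-time comparison: do not leak how many leading bytes matched
    return hmac.compare_digest(provided.lower(), sign(body, secret))


def gate_result(body: bytes) -> dict:
    """Pull the quality gate verdict and the metrics that breached their threshold."""
    payload = json.loads(body)
    gate = payload.get("qualityGate", {})
    failed = [c["metric"] for c in gate.get("conditions", []) if c.get("status") == "ERROR"]
    return {
        "project": payload["project"]["key"],
        "status": gate.get("status"),          # "OK" or "ERROR"
        "failed_conditions": failed,
    }


def handle_webhook(headers: dict, body: bytes, secret: bytes) -> dict:
    """What a receiver should do: reject unsigned or tampered callbacks, then read the result."""
    if not verify_webhook(headers, body, secret):
        raise PermissionError("webhook signature missing or invalid; callback ignored")
    return gate_result(body)


if __name__ == "__main__":
    headers = {HMAC_HEADER: sign(SAMPLE_BODY, WEBHOOK_SECRET)}
    print(handle_webhook(headers, SAMPLE_BODY, WEBHOOK_SECRET))
```

In this setup the Jenkins SonarQube plugin is the receiver, so the check above is what you rely on it to do; the example is useful when you terminate the webhook yourself (for example in a small relay in front of Jenkins) and want the same guarantee. Note that the signature must be computed over the exact bytes received, before any JSON re-serialisation.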
7. SonarQube custom quality gate
1. Create a custom quality gate
2. Configure the quality gate
3. Test
For example, if a threshold is set too high, the scan result will not meet it and the check will fail.
In the example, we deliberately set one condition to a value the current project cannot reach.
Now, when the pipeline runs, the code quality check fails because the result does not meet the standard.
⚠️: Therefore, when customizing the thresholds for your own project, choose them according to the situation of each project.
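To make the behaviour of a quality gate concrete, the following is an added example (not code from the original article or from SonarQube) that evaluates a set of gate conditions against a project's measures the way SonarQube's gate does: a condition with operator LESS_THAN fails when the measure is below the error threshold, GREATER_THAN when it is above, and the gate is ERROR as soon as any condition fails. The condition and metric names (new_coverage, new_duplicated_lines_density, new_bugs) are SonarQube metric keys; the measure values are constructed. Skipping conditions whose metric has no measure (as happens when there is no new code) is an assumed simplification of the real gate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    metric: str
    operator: str          # "LESS_THAN" or "GREATER_THAN", the operator names SonarQube uses
    error_threshold: float


def condition_status(cond: Condition, value: float) -> str:
    """Return "ERROR" if the measure breaches the condition's threshold, else "OK"."""
    if cond.operator == "LESS_THAN":
        failed = value < cond.error_threshold
    elif cond.operator == "GREATER_THAN":
        failed = value > cond.error_threshold
    else:
        raise ValueError(f"unsupported operator: {cond.operator}")
    return "ERROR" if failed else "OK"


def evaluate_gate(conditions: list, measures: dict) -> dict:
    """Evaluate every condition; the gate is ERROR if any condition is ERROR.

    Conditions whose metric has no measure are skipped (assumption: this mirrors a gate
    with no new code to measure).
    """
    per_condition = {}
    for cond in conditions:
        if cond.metric not in measures:
            continue
        per_condition[cond.metric] = condition_status(cond, measures[cond.metric])
    status = "ERROR" if "ERROR" in per_condition.values() else "OK"
    return {"status": status, "conditions": per_condition}


# Constructed measures for a fictional project: 85% coverage on new code, 1.2% duplication, no new bugs.
PROJECT_MEASURES = {"new_coverage": 85.0, "new_duplicated_lines_density": 1.2, "new_bugs": 0}

# A reachable gate, similar in spirit to the built-in "Sonar way" thresholds.
REACHABLE_GATE = [
    Condition("new_coverage", "LESS_THAN", 80.0),
    Condition("new_duplicated_lines_density", "GREATER_THAN", 3.0),
    Condition("new_bugs", "GREATER_THAN", 0),
]

# The article's test: one condition deliberately set to a value the project cannot reach.
UNREACHABLE_GATE = [
    Condition("new_coverage", "LESS_THAN", 100.0),   # demands 100% coverage on new code
    Condition("new_duplicated_lines_density", "GREATER_THAN", 3.0),
    Condition("new_bugs", "GREATER_THAN", 0),
]


if __name__ == "__main__":
    print("reachable  :", evaluate_gate(REACHABLE_GATE, PROJECT_MEASURES))
    print("unreachable:", evaluate_gate(UNREACHABLE_GATE, PROJECT_MEASURES))
```

With the measures above, the reachable gate returns OK and the unreachable one returns ERROR on new_coverage alone, which is exactly why the pipeline in the article fails after the threshold is raised: the gate is all-or-nothing, so one unattainable condition blocks every build regardless of how the other conditions fare.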
8. Summary
This article introduced the integration of SonarQube into a Jenkins multi-branch pipeline in order to run code quality checks as part of continuous integration. Some of the topics touched on (the Jenkinsfile, detailed use of SonarQube, etc.) were only passed over quickly rather than described in detail. SonarQube is a well-known code inspection tool in the industry and a member of the CI/CD tool ecosystem; explore it in depth and you will find more useful and interesting features. Code quality inspection is part of building quality into the code. Integrating it into the pipeline finds problems and defects in the code early, so they can be fixed promptly and technical debt does not accumulate; otherwise, once problems build up to a certain degree, the cost of fixing them keeps rising.