
What are the problems with the use of SonarQube Community Edition

2025-02-24 Update. From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article focuses on the problems encountered when using SonarQube Community Edition. The method introduced here is simple, fast and practical, so let the editor take you through "what are the problems with the use of SonarQube Community Edition".

1 Introduction

The following problems may be encountered when scanning code at scale with the SonarQube platform:

SonarQube platform data problem (the open source version does not support multiple branches of one project)

SonarQube scan rule problem (when a default rule set is configured, how does a new project get assigned a different one?)

SonarQube project authorization problem (how are permissions configured for newly generated production projects?)

2 Solving the SonarQube platform data problem

When we use SonarQube for code quality checking at scale, developers need to see the scan analysis data for their current feature branch on every run, so that problematic code is fixed as early as possible and code quality improves. The open source version causes trouble here because multi-branch projects are not supported, so we generate a separate scan project per feature branch, named after the branch. (This produces a large number of SonarQube projects.)

For example: the service name is demo-abcd-service

Our previous practice was not to distinguish between branches: all branches were scanned into the same Sonar project. This is the root cause of the unstable project data on the SonarQube platform.

The current practice is: if the project has feature branches such as F1 and F2, then each time a feature branch is scanned the Sonar scan parameter (projectName) is set to "current service name _ feature branch name". Each feature branch then corresponds to its own scan project, and the data is no longer mixed up.

Although it solves the problem of data instability, it also brings some problems indirectly.

Each feature branch generates a project. What happens when the feature branch is deleted? What if there are very many branches?

It becomes hard for SonarQube administrators to manage, adding to their workload.

So how do we solve this?

The most direct way in the long run is, of course, to buy the Developer Edition.

SonarQube now also has a community multi-branch plug-in, which you can try in your own test environment.

Change the way code scanning is organized, for example by associating each feature branch's scan data with the commit that was submitted.

In short, the easiest way is to pay for the Developer or Enterprise Edition. Small teams can also get by with generating multiple projects.

3 Solving the SonarQube scan rule problem

After building the SonarQube platform, the "Sonar Way" quality profile for each language is configured out of the box. In large-scale use we made some customizations to the Java project rules: some rules were added and some dropped, but most of them are the default Java rules. This customized profile was set as the default. Dozens of teams are using the default profile, and later individual teams were required to use a new Java quality profile. How can the corresponding profile be assigned automatically to a new project?

Analysis:

Projects in the SonarQube platform do not need to be created separately; they are generated during the Jenkins build.

When we need to assign a new quality profile to a project, it is usually done in the Sonar Web UI.

The quality profile to be used for each branch cannot be specified with a "-Dsonar.xxxx" scanner parameter.

Handling:

Since SonarQube projects are generated by the pipeline scan, add steps to the pipeline.

Before each scan, check whether the project exists, create it if necessary, assign the new quality profile, and then perform the code scan.

The implementation is done mainly through the REST API:

Create a project: api/projects/create

Update the quality profile: api/qualityprofiles/add_project

Search projects: api/projects/search

A reference Jenkinsfile (shared library) is as follows:

```groovy
package com.devops

// HTTP request using the method wrapped by the Jenkins HTTP Request plug-in
def HttpReq(reqType, reqUrl, reqBody) {
    result = httpRequest authentication: 'my credential ID',
                         httpMode: reqType,
                         contentType: "APPLICATION_JSON",
                         consoleLogResponseBody: true,
                         ignoreSslErrors: true,
                         requestBody: reqBody,
                         // responseHandle: 'NONE',
                         url: reqUrl
                         // quiet: true
    return result
}

// Find the project; returns "false" when the search has no hits
def SearchProject(projectName) {
    apiUrl = "http://<my sonar server address>/api/projects/search?projects=${projectName}"
    resultInfo = HttpReq("GET", apiUrl, '')
    def result = readJSON text: "${resultInfo.content}"
    if (result["paging"]["total"] == 0) {
        return "false"
    } else {
        return result
    }
}

// Create the project
def CreateProject(projectName) {
    apiUrl = "http://<my sonar server address>/api/projects/create?name=${projectName}&project=${projectName}"
    resultInfo = HttpReq("POST", apiUrl, '')
}

// Update the language rule set (quality profile) of the project
def UpdateQuality(language, qualityProfile, projectName) {
    apiUrl = "http://<my sonar server address>/api/qualityprofiles/add_project?language=${language}&qualityProfile=${qualityProfile}&project=${projectName}"
    resultInfo = HttpReq("POST", apiUrl, '')
}

// Project authorization: apply a permission template to the project
def ApplyTemplate(projectKey, templateName) {
    apiUrl = "http://<my sonar server address>/api/permissions/apply_template?projectKey=${projectKey}&templateName=${templateName}"
    resultInfo = HttpReq("POST", apiUrl, '')
}
```

4 SonarQube project authorization

Having solved the problems that occur before the SonarQube scan, we now turn to the authorization problem.

Authorization configuration in SonarQube:

Users first log in to the SonarQube platform (we have integrated GitLab SSO/LDAP).

Create a group for each business unit.

Add each user to the corresponding group.

Create a permission template named after the business unit's abbreviation.

Add the groups and administrators to the permission template.

Then apply the permission template to that business unit's projects in batch.

Problem found in testing: a newly generated project still has to have the permission template applied before the project team's members can access it.

Solution: after the project is scanned, call the API to apply the corresponding permission template to the current project.

Project authorization (apply permission template): api/permissions/apply_template
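The pre-scan flow from sections 2 to 4 (branch-named project, search, create if missing, bind quality profile, apply permission template), written as an added Python example that is not part of the original article or of any SonarQube project. The server address, token, profile and template names are assumed placeholders, and FakeSonar is a constructed in-memory stand-in so the flow can be run offline.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

SEARCH, CREATE = "/api/projects/search", "/api/projects/create"
PROFILE, TEMPLATE = "/api/qualityprofiles/add_project", "/api/permissions/apply_template"

def branch_project_key(service, branch):
    """One SonarQube project per feature branch, named '<service>_<branch>' (section 2)."""
    return f"{service}_{branch}"

def http_request(method, url, token):
    """Real transport: Web API call with a SonarQube user token; TLS is verified by default."""
    req = urllib.request.Request(url, method=method)
    cred = base64.b64encode(f"{token}:".encode()).decode()  # token as Basic-auth user, empty password
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode() or "{}")

def ensure_project(server, project, language, profile, template, transport=http_request, token=None):
    """Pre-scan step: create project if missing, bind quality profile, apply permission template."""
    token = token or os.environ.get("SONAR_TOKEN", "")  # assumed env var name
    enc = urllib.parse.urlencode  # escapes names like 'feature/x' instead of splicing them raw
    _, found = transport("GET", f"{server}{SEARCH}?{enc({'projects': project})}", token)
    actions = []
    if found["paging"]["total"] == 0:  # comparison, not the '=' assignment in the page's snippet
        transport("POST", f"{server}{CREATE}?{enc({'name': project, 'project': project})}", token)
        actions.append("created")
    transport("POST", f"{server}{PROFILE}?{enc({'language': language, 'qualityProfile': profile, 'project': project})}", token)
    actions.append("profile")
    transport("POST", f"{server}{TEMPLATE}?{enc({'projectKey': project, 'templateName': template})}", token)
    actions.append("template")
    return actions  # e.g. ['created', 'profile', 'template'] for a brand-new branch project

class FakeSonar:
    """Constructed in-memory stand-in for the server so the flow can run offline (hypothetical)."""
    def __init__(self, existing=()):
        self.projects, self.calls = set(existing), []

    def __call__(self, method, url, token):
        parts = urllib.parse.urlparse(url)
        params = dict(urllib.parse.parse_qsl(parts.query))
        self.calls.append((method, parts.path, params))
        if parts.path == SEARCH:
            return 200, {"paging": {"total": int(params["projects"] in self.projects)}}
        if parts.path == CREATE:
            self.projects.add(params["project"])
        return 200, {}
```

Unlike the Jenkins snippet above, this transport keeps TLS verification on and takes the token from the environment rather than a credential baked into the library; both are worth carrying over when the Groovy version is adopted.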

At this point you should have a deeper understanding of "what are the problems with the use of SonarQube Community Edition"; you might as well try it in practice.
