Currently, we have 3 code scan tools linked in our Jenkins CI:
| | NexusIQ | WhiteSource | Sonarcloud |
|---|---|---|---|
| URL | https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/management/view/organization/a044ccf18614413dbe45464a5524f784 | https://saas.whitesourcesoftware.com/ | https://sonarcloud.io/organizations/onap/projects |
| Purpose | License and vulnerability scanning | License and vulnerability scanning | Code coverage from testing |
| Access | Automatic for all committer groups. Not in a group? Contact support.linuxfoundation.org with your LFID. | On a case-by-case basis. Contact support.linuxfoundation.org and provide the email address the invitation should be sent to. | Automatic if you are part of the ONAP GitHub org. Contact support.linuxfoundation.org for a GitHub invite (include your GitHub ID). |
| Jenkins | https://jenkins.onap.org/view/CLM/ All projects must have Nexus IQ scans. | https://jenkins.onap.org/view/WhiteSource/ Only a few projects are implemented; the rest are still under discussion. See https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-whitesource-jobs.html | https://jenkins.onap.org/view/All-Sonar/ All projects must have Sonar scans. |
| Frequency and triggers | Once per week (Saturdays), or on demand via the Gerrit comment `run-clm` | Once per week (Saturdays), or on demand via the Gerrit comment `run-whitesource` | On demand via the Gerrit comment `run-sonar` |
| Overall process | Example job: https://jenkins.onap.org/view/CLM/job/aai-aai-common-maven-clm-master/ | Example job: https://jenkins.onap.org/view/WhiteSource/job/aai-aai-common-whitesource-scan-master/ | Example job: https://jenkins.onap.org/view/All-Sonar/job/aai-aai-common-sonar/ |
| Quality Gates | High threat violations must be addressed, and investigated in case they are false positives. | Currently not a release blocker; the reports are being used for testing purposes. | Quality Gate must be above 55% to pass. Test coverage is managed by the tech teams. |
| Example report | | https://saas.whitesourcesoftware.com/Wss/WSS.html#!project;id=1387312 | |
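Since the table states that every project must have a Nexus IQ (CLM) scan and a Sonar scan, a useful check is to compare the list of projects against the job names in the corresponding Jenkins views. The script below is an added example, not code from this wiki page or from the LF release-engineering tooling. It assumes, based only on the example job names above, that a project's CLM job is named `<project>-maven-clm-<branch>`, its WhiteSource job `<project>-whitesource-scan-<branch>`, and its Sonar job `<project>-sonar`; the project list and job lists it runs on are constructed sample data, and the optional `fetch_view_job_names` helper uses the standard Jenkins JSON API (`/view/<name>/api/json?tree=jobs[name]`) if you want to point it at the real views.

```python
"""Audit which projects are missing the mandatory Jenkins scan jobs.

Added example (not part of the wiki page or the LF releng tooling).
Job naming patterns are an assumption derived from the example job names
shown in the table; adjust them if your views use a different convention.
"""
import json
import re
import urllib.request

# Assumed naming conventions (see lead-in); branch may not contain '/'.
CLM_JOB_RE = re.compile(r"^(?P<project>.+)-maven-clm-(?P<branch>[^/]+)$")
WHITESOURCE_JOB_RE = re.compile(r"^(?P<project>.+)-whitesource-scan-(?P<branch>[^/]+)$")
SONAR_JOB_RE = re.compile(r"^(?P<project>.+)-sonar$")


def fetch_view_job_names(base_url, view):
    """Return the job names in a Jenkins view via the JSON API.

    Not called by default so the example runs offline. Jenkins answers
    {"jobs": [{"name": "..."}, ...]} for the 'tree=jobs[name]' query.
    """
    url = f"{base_url.rstrip('/')}/view/{view}/api/json?tree=jobs[name]"
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = json.load(resp)
    return [job["name"] for job in data.get("jobs", [])]


def projects_with_job(job_names, pattern):
    """Set of project names that have at least one job matching pattern."""
    found = set()
    for name in job_names:
        m = pattern.match(name)
        if m:
            found.add(m.group("project"))
    return found


def audit_scan_coverage(projects, clm_jobs, sonar_jobs, whitesource_jobs=()):
    """Report projects lacking the mandatory scans.

    CLM and Sonar are mandatory per the table; WhiteSource is still being
    rolled out, so it is only reported as informational coverage.
    """
    clm = projects_with_job(clm_jobs, CLM_JOB_RE)
    sonar = projects_with_job(sonar_jobs, SONAR_JOB_RE)
    ws = projects_with_job(whitesource_jobs, WHITESOURCE_JOB_RE)
    return {
        "missing_clm": sorted(p for p in projects if p not in clm),
        "missing_sonar": sorted(p for p in projects if p not in sonar),
        "has_whitesource": sorted(p for p in projects if p in ws),
    }


# Constructed sample data: one real job name pattern from the table plus
# two made-up projects so that each kind of gap is exercised.
SAMPLE_PROJECTS = ["aai-aai-common", "demo-proj-b", "demo-proj-c"]
SAMPLE_CLM_JOBS = [
    "aai-aai-common-maven-clm-master",
    "demo-proj-b-maven-clm-master",
    "some-unrelated-job",
]
SAMPLE_SONAR_JOBS = ["aai-aai-common-sonar", "demo-proj-c-sonar"]
SAMPLE_WHITESOURCE_JOBS = ["aai-aai-common-whitesource-scan-master"]


def main():
    report = audit_scan_coverage(
        SAMPLE_PROJECTS, SAMPLE_CLM_JOBS, SAMPLE_SONAR_JOBS, SAMPLE_WHITESOURCE_JOBS
    )
    for key, projects in report.items():
        print(f"{key}: {', '.join(projects) or '(none)'}")


if __name__ == "__main__":
    main()
```

Running it on the sample data lists `demo-proj-c` as missing a CLM job and `demo-proj-b` as missing a Sonar job; to audit the real views, replace the sample lists with `fetch_view_job_names("https://jenkins.onap.org", "CLM")` and the equivalent calls for `All-Sonar` and `WhiteSource`.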