Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In order to be "security by design" ready, the ONAP code must be analyzed before the merge. Here are the steps to enable the Jenkins job called "maven{PROJECT_NAME}-sonar-verify" which will allow us to you run proactive SonarCloud scans :for your project on every new code patch-set through Gerrit.

Requirements

...

  • global-jjb to >= v0.71.0

Steps

...

  • clone the ci-management repo: https://gerrit.onap.org/r/admin/repos/ci-management
  • enter the jjb folder of the project you want to active the proactive scans your project (e.g. ci-management/jjb/cps/)
  • edit or create the yaml file with the JJB templates (e.g. cps.yaml)
  • add a new project section with the following configuration (update the fields based on the project name you are editing, this example is for CPS project)

    Code Block
    titlehttps://gerrit.onap.org/r/c/ci-management/+/125534
    - project:
        name: cps-sonar-verify
        java-version: openjdk11
        mvn-version: "mvn36"
        maven-version: "mvn36"
        jobs:
          - gerrit-maven-sonar-verify
        sonarcloud: true
        sonarcloud-project-organization: '{sonarcloud_project_organization}'
        sonarcloud-api-token: '{sonarcloud_api_token}'
        sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}'
        sonar-mvn-goal: '{sonar_mvn_goal}'
        build-node: centos7-docker-8c-8g
        project: 'cps'
        project-name: 'cps'
        branch: 'master'
        mvn-settings: 'cps-settings'
        mvn-goals: 'clean install'
        mvn-opts: '-Xmx1024m -XX:MaxPermSize=256m'


  • OPTIONAL (Quality Gate result can block the merge):
    • if you are ready to get more restrictive proactive scans that will block a merge if code quality issues are found, then set the field sonarcloud-qualitygate-wait to 'true'
    • example: https://gerrit.onap.org/r/c/ci-management/+/126562

       

      Code Block
           sonarcloud-project-organization: '{sonarcloud_project_organization}'
           sonarcloud-api-token: '{sonarcloud_api_token}'
           sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}'
      +    sonarcloud-qualitygate-wait: true
           sonar-mvn-goal: '{sonar_mvn_goal}'
           build-node: centos7-docker-8c-8g
           project: 'cps'


  • save your work with git and push a change to Gerrit with git-review
  • now your project will get a new "{PROJECT_NAME}-sonar-verify" Jenkins job that will execute SonarCloud scans every time there is a new code patchset

...