Code Scanning Tools and CI
This section describes how our Jenkins CI is connected to the different code scanning tools and how each scan produces its reports.
Currently three code scan tools are linked to our Jenkins CI:
| | NexusIQ | WhiteSource | Sonarcloud |
|---|---|---|---|
| URL | | | |
| Purpose | License and vulnerability scanning | License and vulnerability scanning | Code coverage from testing |
| Access | Automatic for all committer groups. Not in a group? Contact support.linuxfoundation.org with your LFID. | Case by case. Contact support.linuxfoundation.org and provide the email address the invitation should be sent to. | Automatic for members of the ONAP GitHub org. Contact support.linuxfoundation.org for a GitHub invite (include your GitHub ID). |
| Jenkins | https://jenkins.onap.org/view/CLM/ All projects must have Nexus IQ scans: | https://jenkins.onap.org/view/WhiteSource/ Only a few projects are implemented so far; the rest are still under discussion. See https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-whitesource-jobs.html | https://jenkins.onap.org/view/All-Sonar/ All projects must have Sonar scans: |
| Frequency and triggers | Once per week (Saturdays), or on demand via the Gerrit comment run-clm | Once per week (Saturdays), or on demand via the Gerrit comment run-whitesource | On demand via the Gerrit comment run-sonar |
| Overall process | Example job: https://jenkins.onap.org/view/CLM/job/aai-aai-common-maven-clm-master/ | Example job: https://jenkins.onap.org/view/WhiteSource/job/aai-aai-common-whitesource-scan-master/ | Example job: https://jenkins.onap.org/view/All-Sonar/job/aai-aai-common-sonar/ |
| Quality Gates | High threat violations must be addressed, or investigated and documented if they turn out to be false positives. | Currently not a release blocker; the reports are used for evaluation purposes only. | The quality gate passes only if coverage is above 55%. Test coverage is managed by the tech teams. |
| Example report | | https://saas.whitesourcesoftware.com/Wss/WSS.html#!project;id=1387312 | |
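The Gerrit comment triggers in the table are ordinary review comments, so a scan can be requested from a terminal as well as from the Gerrit web UI. The script below is an added example and not ONAP or LF release-engineering code: it maps a tool name to the trigger comment from the table, validates the change and patchset numbers, and builds the Gerrit SSH CLI "gerrit review" command, wrapping the message in a second layer of quotes because ssh strips one layer before Gerrit parses its arguments. The Gerrit host gerrit.onap.org, the port 29418 and the GERRIT_USER value are assumptions; set them for your environment.

```shell
#!/bin/sh
# Added example (not part of the ONAP page): request one of the
# Gerrit-comment-triggered scans from the table by posting the trigger
# keyword as a review comment through the Gerrit SSH CLI.
# Assumptions: GERRIT_HOST/GERRIT_PORT/GERRIT_USER below are illustrative
# defaults; the change and patchset numbers are supplied by the caller.

# Map a tool name to its trigger comment (keywords taken from the table).
scan_trigger() {
    case "$1" in
        nexusiq|clm)      echo "run-clm" ;;
        whitesource)      echo "run-whitesource" ;;
        sonar|sonarcloud) echo "run-sonar" ;;
        *) return 1 ;;
    esac
}

# Print the exact ssh command that posts the trigger comment.
# The message is wrapped as '"run-xxx"' because ssh removes the outer
# single quotes before Gerrit sees the argument.
scan_command() {
    tool="$1"; change="$2"; patchset="$3"
    trigger=$(scan_trigger "$tool") || { echo "unknown tool: $tool" >&2; return 1; }
    for n in "$change" "$patchset"; do
        case "$n" in
            ''|*[!0-9]*) echo "change and patchset must be numeric" >&2; return 1 ;;
        esac
    done
    printf 'ssh -p %s %s@%s gerrit review -m %s %s,%s\n' \
        "${GERRIT_PORT:-29418}" "${GERRIT_USER:-lfid}" "${GERRIT_HOST:-gerrit.onap.org}" \
        "'\"$trigger\"'" "$change" "$patchset"
}

# Execute the command, or only print it when DRY_RUN=1 is set.
request_scan() {
    cmd=$(scan_command "$@") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        eval "$cmd"
    fi
}
```

Usage: DRY_RUN=1 GERRIT_USER=yourlfid request_scan sonar 12345 3 prints the command for patchset 3 of change 12345 without running it. The comment only starts a job if the matching scan job (see the Jenkins view links above) exists for the project, and a Nexus IQ run triggered this way still has to be checked against the quality gate in the table.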