Enabling Jenkins job sonar-verify

Owned by Kevin Sandi
Last updated: Mar 15, 2022
2 min read

In order to be "security by design" ready, the ONAP code must be analyzed before the merge. Here are the steps to enable the Jenkins job called "{PROJECT_NAME}-sonar-verify" which will allow you run proactive SonarCloud scans for your project on every new code patch-set through Gerrit.

Requirements

  • global-jjb >= v0.71.0

Steps

  • clone the ci-management repo: https://gerrit.onap.org/r/admin/repos/ci-management

  • enter the jjb folder of your project (e.g. ci-management/jjb/cps/)

  • edit or create the yaml file with the JJB templates (e.g. cps.yaml)

  • add a new project section with the following configuration (update the fields based on the project name you are editing, this example is for CPS project)

    https://gerrit.onap.org/r/c/ci-management/+/125534

    - project: name: cps-sonar-verify java-version: openjdk11 mvn-version: "mvn36" maven-version: "mvn36" jobs: - gerrit-maven-sonar-verify sonarcloud: true sonarcloud-project-organization: '{sonarcloud_project_organization}' sonarcloud-api-token: '{sonarcloud_api_token}' sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}' sonar-mvn-goal: '{sonar_mvn_goal}' build-node: centos7-docker-8c-8g project: 'cps' project-name: 'cps' branch: 'master' mvn-settings: 'cps-settings' mvn-goals: 'clean install' mvn-opts: '-Xmx1024m -XX:MaxPermSize=256m'



  • OPTIONAL (Quality Gate result can block the merge):

    • if you are ready to get more restrictive proactive scans that will block a merge if code quality issues are found, then set the field sonarcloud-qualitygate-wait to 'true'

    • example: https://gerrit.onap.org/r/c/ci-management/+/126562

      sonarcloud-project-organization: '{sonarcloud_project_organization}' sonarcloud-api-token: '{sonarcloud_api_token}' sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}' + sonarcloud-qualitygate-wait: true sonar-mvn-goal: '{sonar_mvn_goal}' build-node: centos7-docker-8c-8g project: 'cps'



  • save your work with git and push a change to Gerrit with git-review

  • now your project will get a new "{PROJECT_NAME}-sonar-verify" Jenkins job that will execute SonarCloud scans every time there is a new code patchset