This section describes how our CI is connected to the different scanning tools and how each code scan produces its resulting reports.

Currently, three code scan tools are linked into our Jenkins CI:
| | NexusIQ | WhiteSource | Sonarcloud |
|---|---|---|---|
| URL | https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/management/view/organization/a044ccf18614413dbe45464a5524f784 | https://saas.whitesourcesoftware.com/ | https://sonarcloud.io/organizations/onap/projects |
| Purpose | License and vulnerability scanning | License and vulnerability scanning | Code coverage from testing |
| Access | Automatic for all committer groups. Not in a group? Contact support.linuxfoundation.org | On a case-by-case basis. Contact support.linuxfoundation.org | Automatic if you are part of the ONAP GitHub org. Contact support.linuxfoundation.org for a GitHub invite (include your GitHub ID) |
| Jenkins | https://jenkins.onap.org/view/CLM/ All projects must have Nexus IQ scans. | https://jenkins.onap.org/view/WhiteSource/ Only a few projects are implemented so far; the rest are still under discussion. See https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-whitesource-jobs.html | https://jenkins.onap.org/view/All-Sonar/ All projects must have Sonar scans. |
| Frequency and triggers | Once per week (Saturdays), or on demand via the Gerrit comment `run-clm` | Once per week (Saturdays), or on demand via the Gerrit comment `run-whitesource` | On demand via the Gerrit comment `run-sonar` |

Overall process