The Evidence Collection service can convert Sonar attestations generated by SonarQube into JFrog evidence. All forms of evidence subjects are supported, including artifacts, packages, builds, and Release Bundles. A sample command is shown below:
```shell
jf evd create --build-name build_name --build-number build_number --integration sonar --key path-to-key --key-alias key_alias
```
Prerequisites
- A SONAR_TOKEN or SONARQUBE_TOKEN environment variable, used to fetch the scan data from Sonar.
- The report-task.txt file, which contains the output of the Sonar code scan. These are the default locations for this file:

| Type | Default Location |
|---|---|
| maven | |
| gradle | |
| cli | |
| msbuild | |
Configuration Options
You can use either environment variables or a YAML file to set configuration options for Sonar evidence. The YAML file, which is called evidence.yaml, should be placed in the following folder: .jfrog/evidence/evidence.yaml
| Environment variable | YAML parameter | Description |
|---|---|---|
| | url | The Sonar URL. When the URL cannot be resolved from report-task.txt, the default value is https://sonarcloud.io. |
| | reportTaskFile | The location of the output produced by Sonar. Default locations are described in the table above. |
| | pollingMaxRetries | The maximum number of calls to the Sonar server to retrieve the report-task.txt file. |
| | pollingRetryIntervalMs | The interval in milliseconds between polling attempts. |
Sample evidence.yaml file
```yaml
sonar:
  url: https://sonarcloud.io
  reportTaskFile: /path/to/report-task.txt
  pollingMaxRetries: 30
  pollingRetryIntervalMs: 5000
```
Note
Environment variables override the values defined in evidence.yaml. To see a sample GitHub pipeline for creating Sonar evidence, go to https://github.com/jfrog/Evidence-Examples/blob/main/.github/workflows/sonar-evidence-example.yml. Additional information about Sonar evidence can be found under Sonar Evidence Example.
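The following is an added illustration, not code from JFrog CLI, of the configuration behaviour described on this page: the token prerequisite, resolving the Sonar URL with environment variables taking precedence over evidence.yaml and falling back to https://sonarcloud.io, and polling for report-task.txt using pollingMaxRetries and pollingRetryIntervalMs. It assumes that an explicitly configured URL wins over the serverUrl recorded in report-task.txt, and the name SONAR_URL_PLACEHOLDER stands in for the URL environment variable, which the page does not name.

```python
import os
import time

DEFAULT_SONAR_URL = "https://sonarcloud.io"
# Placeholder: the page does not state the real name of the URL environment variable.
SONAR_URL_ENV = "SONAR_URL_PLACEHOLDER"

# Constructed sample in the report-task.txt key=value format (not real scan output).
SAMPLE_REPORT_TASK = (
    "projectKey=demo\nserverUrl=https://sonar.example.internal\nceTaskId=AX-example\n"
)


def parse_report_task(text):
    """Parse report-task.txt, the key=value properties file the Sonar scanner writes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def sonar_token(env=os.environ):
    """SONAR_TOKEN or SONARQUBE_TOKEN must be set so the scan data can be fetched."""
    token = env.get("SONAR_TOKEN") or env.get("SONARQUBE_TOKEN")
    if not token:
        raise RuntimeError("set SONAR_TOKEN or SONARQUBE_TOKEN before creating Sonar evidence")
    return token


def resolve_sonar_url(report_task, yaml_sonar=None, env=os.environ):
    """Precedence: environment variable > evidence.yaml url > serverUrl in report-task.txt > default."""
    yaml_sonar = yaml_sonar or {}
    return (env.get(SONAR_URL_ENV) or yaml_sonar.get("url")
            or report_task.get("serverUrl") or DEFAULT_SONAR_URL)


def wait_for_report_task(read_file, max_retries=30, interval_ms=5000, sleep=time.sleep):
    """Poll until report-task.txt is available; read_file() returns its text or None.
    Returns (properties, attempts_used) or (None, max_retries) when retries run out."""
    for attempt in range(1, max_retries + 1):
        text = read_file()
        if text is not None:
            return parse_report_task(text), attempt
        if attempt < max_retries:
            sleep(interval_ms / 1000)  # pollingRetryIntervalMs is in milliseconds
    return None, max_retries
```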