sonar

JFrog Pipelines Documentation


This Pipelines task scans the project with the given Sonar properties and configuration.

This task performs the following:

  • Fetches code duplication, test coverage, bug, vulnerability and security hotspot scan results from the Sonar provider.

  • Updates the connected CodeAnalysis resource with the scan results.

Prerequisites
  • Pipelines version 1.53.x or above

  • Sonar Integration with Sonar URL and Token

  • CodeAnalysis Resource

  • The sonar-scanner binary must be available on the system PATH at runtime.

Usage

Scan a Git Branch (with Sonar Org name & Project Key): 

- task: jfrog/sonar@v1.0.0
  id: sonar_scan
  input:
    codeResourceName: codeResourceName
    gitResourceName: gitResourceName
    gitBranch: master
    orgName: orgName
    projectKey: projectKey

Scan a Git Branch (when sonar-project.properties has sonar org name and project key): 

- task: jfrog/sonar@v1.0.0
  id: sonar_scan
  input:
    codeResourceName: codeResourceName
    gitResourceName: gitResourceName
    gitBranch: master

Scan a Git Branch (with different project sub-folders): 

- task: jfrog/sonar@v1.0.0
  id: sonar_scan
  input:
    codeResourceName: codeResourceName
    gitResourceName: gitResourceName
    gitBranch: master
    projectFolder: sub_folder

Scan a Git Pull Request: 

- task: jfrog/sonar@v1.0.0
  id: sonar_scan
  input:
    codeResourceName: codeResourceName
    gitResourceName: gitResourceName
    extraSonarOptions: "-Dsonar.pullrequest.key=<pullrequest_key> -Dsonar.pullrequest.branch=<branch> -Dsonar.pullrequest.base=<branch>"

Input Variables

codeResourceName (required; no default)
  Static code analysis resource name.

gitResourceName (optional; no default)
  Git resource on which the Sonar scan is performed. If not provided, the current folder is scanned.

gitBranch (optional; default: master)
  Git branch of the project being analysed. Defaults to master.

projectFolder (optional; no default)
  Base folder in which sonar-scanner is executed, usually a sub-folder of the Git repository.

projectKey (optional; no default)
  Project key. If not provided here, it must be set in sonar-project.properties; one of the two is mandatory.

extraSonarOptions (optional; no default)
  Space-separated additional Sonar options.

extraSonarMetrics (optional; no default)
  Comma-separated additional Sonar metrics to be captured from the Sonar provider. The Sonar task fetches the following metrics by default:

  • duplicated_lines

  • ncloc

  • duplicated_blocks

  • coverage

  • tests

  • bugs

  • vulnerabilities

  • code_smells

  • security_hotspots

Output Variables

None

Exported Environment Variables

None

How does it work?

This task resolves the Sonar URL and token from the Sonar Integration, ensures the sonar-scanner CLI is installed, scans the repository and uploads the scanner report to the Sonar server. It then retrieves a predefined set of metrics from the Sonar server and updates the connected CodeAnalysis resource with them.
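The following Python is an added illustration of the two phases described above (building the scanner command from the task inputs, then fetching the metrics from the Sonar Web API); it is not JFrog's implementation. It assumes sonar-scanner reads SONAR_HOST_URL and SONAR_TOKEN from the environment, that gitBranch maps onto sonar.branch.name, and that the metrics come from the api/measures/component endpoint; the sample response is constructed.

```python
import json
import shlex
from urllib.parse import urlencode

# Default metrics the task fetches, as listed under extraSonarMetrics.
DEFAULT_METRICS = ["duplicated_lines", "ncloc", "duplicated_blocks", "coverage", "tests",
                   "bugs", "vulnerabilities", "code_smells", "security_hotspots"]


def build_scanner_args(project_key=None, org_name=None, git_branch="master",
                       extra_sonar_options=""):
    """Assemble the sonar-scanner command line from the task inputs.

    The Sonar URL and token are deliberately left off the command line:
    sonar-scanner reads SONAR_HOST_URL and SONAR_TOKEN from the environment,
    which keeps the token out of process listings and build logs.
    """
    args = ["sonar-scanner"]
    if org_name:  # omitted when sonar-project.properties carries the value
        args.append(f"-Dsonar.organization={org_name}")
    if project_key:
        args.append(f"-Dsonar.projectKey={project_key}")
    if git_branch:  # assumed mapping of gitBranch onto sonar.branch.name
        args.append(f"-Dsonar.branch.name={git_branch}")
    # extraSonarOptions is space-separated; shlex keeps quoted values intact.
    args.extend(shlex.split(extra_sonar_options))
    return args


def measures_url(sonar_url, project_key, extra_sonar_metrics=""):
    """Web API query for the default metrics plus the comma-separated extras."""
    extras = [m.strip() for m in extra_sonar_metrics.split(",") if m.strip()]
    metric_keys = DEFAULT_METRICS + [m for m in extras if m not in DEFAULT_METRICS]
    query = urlencode({"component": project_key, "metricKeys": ",".join(metric_keys)})
    return f"{sonar_url.rstrip('/')}/api/measures/component?{query}"


def parse_measures(body, wanted):
    """Map an api/measures/component response to {metric: value}; metrics the
    server did not compute (e.g. coverage without tests) are absent and map to None."""
    measures = json.loads(body)["component"]["measures"]
    reported = {m["metric"]: m.get("value") for m in measures}
    return {metric: reported.get(metric) for metric in wanted}


# Constructed sample response in the shape SonarQube/SonarCloud return.
SAMPLE_RESPONSE = json.dumps({"component": {"key": "demo-key", "measures": [
    {"metric": "bugs", "value": "3"}, {"metric": "vulnerabilities", "value": "1"},
    {"metric": "security_hotspots", "value": "2"}, {"metric": "ncloc", "value": "1240"}]}})
```

In a real run the request is authenticated with the integration token (as the basic-auth username, as Sonar expects) and the resulting dictionary is what would be written to the CodeAnalysis resource.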