Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

The SonarQube analysis has to be run outside of Bitbucket. The most common scenario is an integration of the analysis into the build pipeline. A typical Sonar analysis has the following steps:

  1. New code changes pushed to a branch, or a pull request that has been created in Bitbucket

  2. The build pipeline is triggered and informed of the new changes

  3. A build is run, which triggers the Sonar analysis and executes the SonarScanner or one of its build system-dependent alternatives.

  4. The results of the analysis are sent to SonarQube

  5. SonarQube informs Sonar for Bitbucket over a webhook that a new analysis is complete. Sonar for Bitbucket annotates the pull request with the issues found in the analysis.

Whichever external system you use to execute the Sonar scan, you need to run it with the correct parameters for your SonarQube application. Use the analysis parameter matrix below to find yours.

Analysis Parameter Matrix

The table shows the minimally necessary parameters to get Sonar for Bitbucket to work with SonarScanner. Look at the SonarQube documentation for additional parameters or different scanning methods.

Developer Edition or higher

Community Edition

SonarCloud

Common Parameters

sonar-scanner \
  -Dsonar.projectKey=<SONAR_PROJECT_KEY> \ 
  -Dsonar.host.url=<SONAR_SERVER_URL>

sonar-scanner \
  -Dsonar.projectKey=<SONAR_PROJECT_KEY_PREFIX:BRANCH_NAME> \
  -Dsonar.host.url=<SONAR_SERVER_URL>

SonarQube versions 7.9.x and 8.x only allow certain characters [0-9a-zA-Z:-_.] in their project keys. Branch names typically contain / and cannot be used.

Use the same character as configured in the SonarQube server configuration under ‘Branch renaming for Sonar Project Keys’.

To replace illegal characters with the replacement character, the following sed expression can be used in your CI/CD configuration:

sed s/[^0-9a-zA-Z:_.\-]/'<YOUR_CONFIGURED_CHAR>'/g

sonar-scanner \
  -Dsonar.projectKey=<SONAR_PROJECT_KEY> \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.organization=<SONAR_CLOUD_ORGANIZATION>

Branch Analysis

  -Dsonar.branch.name=<branch_name> 

Parameter not supported, branch included in sonar project key asBRANCH_NAME

See Developer Edition or higher

Pull Request Analysis

  -Dsonar.pullrequests.key=<pull request identifier from Bitbucket>
  -Dsonar.pullrequest.branch=<source branch name of pull request>
  -Dsonar.pullrequest.base=<destination branch name of pull request>

Take the source branch name of pull requests for BRANCH_NAME in sonar project key

See Developer Edition or higher

Only SonarQube 7.7

  -Dsonar.analysis.scmRevision=COMMIT_ID
  -Dsonar.analysis.scmRevision=COMMIT_ID

Not needed

Build Systems

Bamboo

We provide a first class integration for Bamboo with our Sonar for Bamboo plugin. See our dedicated wiki page for more information.

Jenkins

  1. Use Bitbucket Webhook to Jenkins or any other app to notify Jenkins about new code changes. See these instructions on how to set it up. It is important enabling the setting "Omit SHA1 Hash Code" in the repository settings of the app (see this issue on Github for more details).

  2. Follow the instructions on the Sonar Scanner for Jenkins Wiki to set up the SonarScanner configuration.

  3. The Jenkins Git plugin includes the origin/ prefix in branch names, which has to be removed. Use a Jenkins freestyle job.

    echo SONAR_BRANCH=$(printf '%s' $GIT_BRANCH | cut -d'/' -f 2-) > sonar-branch
  4. SonarQube versions 7.9.x and 8.x need to replace illegal branch characters.
    Use the following command to export the sanitized branch name to a file:

    echo SONAR_BRANCH=$(printf '%s' $GIT_BRANCH | cut -d'/' -f 2- | sed s/[^0-9a-zA-Z:_.\-]/'<YOUR_CONFIGURED_CHAR>'/g) > sonar-branch

To inject the environment variable from the file sonar-branch , you also need to install the Jenkins EnvInject Plugin.

You can then use this environment variable to trigger the Sonar analysis with -Dsonar.projectKey=<SONAR_PROJECT_KEY_PREFIX>:$SONAR_BRANCH

Problems During Setup

We at Mibex Software are happy to help you in our support desk or at support@mibexsoftware.com

  • No labels