Sonar™ Analysis Configuration

Owned by Christian Ott
Last updated: Jun 03, 2024
5 min read

Include Code Quality for Bitbucket never triggers a SonarQube™ analysis.

The most common scenario is an integration of the SonarQube™ analysis into your build pipeline.

A recommended flow with Include Code Quality for Bitbucket looks like:

  1. New code changes pushed to Bitbucket (or new pull request is created)

    1. Bitbucket triggers your build pipeline for code changes

  2. Your build pipeline must trigger the Sonar™ analysis

    1. and executes the Sonar™Scanner or one of its build system-dependent alternatives.

    2. see below for required parameters

  3. SonarQube™ informs Include Code Quality for Bitbucket over a Webhook about a new analysis report.

    1. Include Code Quality for Bitbucket annotates existing pull requests with the issues found in the analysis.

 

Whichever external system you use to execute the Sonar™ scan, you need to run it with the correct parameters for your SonarQube™ application. Use the analysis parameter matrix below to find yours.

Analysis Parameter Matrix

The table shows the minimally necessary parameters to get Include Code Quality for Bitbucket to work with Sonar™Scanner. Look at the SonarQube™ documentation for additional parameters or different scanning methods.

 

Developer Edition or higher

Community Edition

SonarCloud™ https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/overview/

 

Developer Edition or higher

Community Edition

SonarCloud™ https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/overview/

Common Parameters

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY> \ -Dsonar.host.url=<SONAR_SERVER_URL>

 

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY_PREFIX:BRANCH_NAME> \ -Dsonar.host.url=<SONAR_SERVER_URL>

SonarQube™ versions 7.9.x and 8+ only allow certain characters [0-9a-zA-Z:-_.] in their project keys. Branch names typically contain / and cannot be used.

Use the same character as configured in the SonarQube™ server configuration under ‘Branch renaming for Sonar™ Project Keys’.

To replace illegal characters with the replacement character, the following sed expression can be used in your CI/CD configuration:

sed s/[^0-9a-zA-Z:_.\-]/'<YOUR_CONFIGURED_CHAR>'/g

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY> \ -Dsonar.host.url=https://sonarcloud.io \ -Dsonar.organization=<SONAR_CLOUD_ORGANIZATION>

 

Branch Analysis

Parameter not supported, branch included in Sonar™ project key asBRANCH_NAME

See Developer Edition or higher

Pull Request Analysis

See: Pull request analysis & SonarQube

Take the source branch name of pull requests for BRANCH_NAME in Sonar™ project key

See Developer Edition or higher

Only SonarQube™ 7.7

Not needed

Build Systems

Bamboo

We provide a first class integration for Bamboo with our Include Code Quality for Bamboo plugin. See our dedicated wiki page for more information.

Jenkins

  1. Use Bitbucket Server Integration to connect Jenkins to Bitbucket.

  2. Install the the SonarQube Scanner Jenkins plugin, follow the instructions on the Sonar™ Scanner for Jenkins Wiki to configure your analysis.

  3. [Community Edition] Install the Environment Injector plugin.

Community Edition: Freestyle Job

  1. New 'Freestyle Job'

  2. Select 'Bitbucket Server' for source code management

  3. Select repository: enter */<yourMainBranch> as 'Branch specifier' in 'Branches to build'

  4. Select "Bitbucket webhook trigger" and enable the pull request events

  5. Add build steps

    1. Write out the sanitized SONAR_BRANCH to a file by adding a 'Execute Shell' task with content:

    2. Inject this variable with an 'Inject environment variable' step: select `sonar-branch` as 'Properties filepath'

    3. Add 'Execute SonarQube Scanner' step: override project key and project name in the 'Analysis Properties' field like:

  6. Save configuration

  7. Trigger analysis with 'Build Now', it should successfully analyze your main branch

  8. Change the 'Branch specifier' to ** to listen to all branches

  9. Create a Pull Request in Bitbucket and verify an analysis is triggered

Community Edition: Multibranch Pipeline

  1. Add a 'Multibranch Pipeline'

  2. Select 'Bitbucket Server' for 'Branch Sources' and add a Repository

  3. Add 'Bitbucket webhook trigger' to 'Scan Multibranch Pipeline Triggers' → enable push/pull-request events

  4. Save

Add a Jenkinsfile to the repository. It needs needs to calculate the sonar.projectKey for the current branch (See Sonar™ Analysis Configuration | Analysis Parameter Matrix)

Below is an example of such a pipeline:

Developer Edition or higher: Multibranch Pipeline

  1. Add a 'Multibranch Pipeline'

  2. Select 'Bitbucket Server' for 'Branch Sources' and add a Repository

  3. Add 'Bitbucket webhook trigger' to 'Scan Multibranch Pipeline Triggers' → enable push/pull-request events

  4. Save

Use this Jenkinsfile for inspiration:

 

Problems During Setup

We at Mibex Software are happy to help you in our support desk or at support@mibexsoftware.com

 

SONAR™, SONARQUBE™ and SONARCLOUD™ are independent and trademarked products and services of SonarSource SA: see sonarsource.com, sonarqube.org, sonarcloud.io.