Sonar™ Analysis Configuration

Owned by Christian Ott
Last updated: Jun 03, 2024
5 min read

Include Code Quality for Bitbucket never triggers a SonarQube™ analysis.

The most common scenario is an integration of the SonarQube™ analysis into your build pipeline.

A recommended flow with Include Code Quality for Bitbucket looks like:

  1. New code changes pushed to Bitbucket (or new pull request is created)

    1. Bitbucket triggers your build pipeline for code changes

  2. Your build pipeline must trigger the Sonar™ analysis

    1. and executes the Sonar™Scanner or one of its build system-dependent alternatives.

    2. see below for required parameters

  3. SonarQube™ informs Include Code Quality for Bitbucket over a Webhook about a new analysis report.

    1. Include Code Quality for Bitbucket annotates existing pull requests with the issues found in the analysis.

 

Whichever external system you use to execute the Sonar™ scan, you need to run it with the correct parameters for your SonarQube™ application. Use the analysis parameter matrix below to find yours.

Analysis Parameter Matrix

The table shows the minimally necessary parameters to get Include Code Quality for Bitbucket to work with Sonar™Scanner. Look at the SonarQube™ documentation for additional parameters or different scanning methods.

 

Developer Edition or higher

Community Edition

SonarCloud™ https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/overview/

 

Developer Edition or higher

Community Edition

SonarCloud™ https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/overview/

Common Parameters

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY> \ -Dsonar.host.url=<SONAR_SERVER_URL>

 

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY_PREFIX:BRANCH_NAME> \ -Dsonar.host.url=<SONAR_SERVER_URL>

SonarQube™ versions 7.9.x and 8+ only allow certain characters [0-9a-zA-Z:-_.] in their project keys. Branch names typically contain / and cannot be used.

Use the same character as configured in the SonarQube™ server configuration under ‘Branch renaming for Sonar™ Project Keys’.

To replace illegal characters with the replacement character, the following sed expression can be used in your CI/CD configuration:

sed s/[^0-9a-zA-Z:_.\-]/'<YOUR_CONFIGURED_CHAR>'/g

sonar-scanner \ -Dsonar.projectKey=<SONAR_PROJECT_KEY> \ -Dsonar.host.url=https://sonarcloud.io \ -Dsonar.organization=<SONAR_CLOUD_ORGANIZATION>

 

Branch Analysis

Parameter not supported, branch included in Sonar™ project key asBRANCH_NAME

See Developer Edition or higher

Pull Request Analysis

See: https://docs.sonarqube.org/latest/analysis/pull-request/

Take the source branch name of pull requests for BRANCH_NAME in Sonar™ project key

See Developer Edition or higher

Only SonarQube™ 7.7

Not needed

Build Systems

Bamboo

We provide a first class integration for Bamboo with our Include Code Quality for Bamboo plugin. See our dedicated wiki page for more information.

Jenkins

  1. Use https://plugins.jenkins.io/atlassian-bitbucket-server-integration/ to connect Jenkins to Bitbucket.

  2. Install the the https://plugins.jenkins.io/sonar/ Jenkins plugin, follow the instructions on the Sonar™ Scanner for Jenkins Wiki to configure your analysis.

  3. [Community Edition] Install the https://plugins.jenkins.io/envinject/ plugin.

Community Edition: Freestyle Job

  1. New 'Freestyle Job'

  2. Select 'Bitbucket Server' for source code management

  3. Select repository: enter */<yourMainBranch> as 'Branch specifier' in 'Branches to build'

  4. Select "Bitbucket webhook trigger" and enable the pull request events

  5. Add build steps

    1. Write out the sanitized SONAR_BRANCH to a file by adding a 'Execute Shell' task with content:

    2. Inject this variable with an 'Inject environment variable' step: select `sonar-branch` as 'Properties filepath'

    3. Add 'Execute SonarQube Scanner' step: override project key and project name in the 'Analysis Properties' field like:

  6. Save configuration

  7. Trigger analysis with 'Build Now', it should successfully analyze your main branch

  8. Change the 'Branch specifier' to ** to listen to all branches

  9. Create a Pull Request in Bitbucket and verify an analysis is triggered

Community Edition: Multibranch Pipeline

  1. Add a 'Multibranch Pipeline'

  2. Select 'Bitbucket Server' for 'Branch Sources' and add a Repository

  3. Add 'Bitbucket webhook trigger' to 'Scan Multibranch Pipeline Triggers' → enable push/pull-request events

  4. Save

Add a Jenkinsfile to the repository. It needs needs to calculate the sonar.projectKey for the current branch (See Sonar™ Analysis Configuration | Analysis Parameter Matrix)

Below is an example of such a pipeline:

Developer Edition or higher: Multibranch Pipeline

  1. Add a 'Multibranch Pipeline'

  2. Select 'Bitbucket Server' for 'Branch Sources' and add a Repository

  3. Add 'Bitbucket webhook trigger' to 'Scan Multibranch Pipeline Triggers' → enable push/pull-request events

  4. Save

Use this Jenkinsfile for inspiration:

 

Problems During Setup

We at Mibex Software are happy to help you in our support desk or at support@mibexsoftware.com

 

SONAR™, SONARQUBE™ and SONARCLOUD™ are independent and trademarked products and services of SonarSource SA: see sonarsource.com, sonarqube.org, sonarcloud.io.