7

Context: In SonarQube, there exists a custom Quality Gate which is called, say, abcd. This is NOT the default quality gate. And in Jenkins, I had configured this SonarQube Quality Gate for a set of APIs by using the parameter -Dsonar.QualityGate=abcd and it was working fine.

Recently SonarQube was upgraded to version 5.3. Since then, the abcd quality gate is not working and the default quality gate is coming into play instead of the abcd quality gate for all the APIs.

On analysis, I came to know that sonar.QualityGate is deprecated in Version 5.3.

Question: Can you please let me know what is the alternative? And how do I make sure that this set of APIs has abcd as the quality gate and not the default quality gate?

I would prefer a solution such that I can configure something on Jenkins, as I have access to Jenkins but not to SonarQube configurations.

A_Di-Matteo
user2608424
  • This parameter was **removed in SonarQube 5.2** (compare [5.1](http://docs.sonarqube.org/display/SONARQUBE51/Analysis+Parameters) with [5.2](http://docs.sonarqube.org/display/SONARQUBE52/Analysis+Parameters) parameters). – agabrys Apr 06 '16 at 11:24
  • I know you've probably moved on from this, but for anyone else who may have the same question, I've posed the question in the community forum to try and understand better: https://community.sonarsource.com/t/automated-scan-on-new-code-how-do-i-specify-the-quality-gate-for-the-first-scan-to-use/95516 – snydergd Jul 11 '23 at 17:33

3 Answers

4

It's indeed no longer possible to set the Quality Gate of a project using a parameter when running an analysis. It's only possible from the UI/WS, where you can specify which Quality Gate should be used for which project.

See the documentation for more information: http://docs.sonarqube.org/display/SONAR/Quality+Gates.

  • Thanks for the response. How about setting Sonar exclusions? I used to use the parameter "-Dsonar.exclusions". Is that deprecated too? If so what is the alternative? Plz let me know. – user2608424 Apr 06 '16 at 14:16
  • You can indeed use sonar.exclusions, but I don't see how it will solve your issue. The only way to specify a quality gate for a project is on the UI, or with the WS. Up to you to create a build script that calls the WS before launching the analysis. – Julien L. - SonarSource Team Apr 08 '16 at 12:36
  • Hi. Thank you for the response. Appreciate it. Can you plz help me with some other issue. I want to either completely remove or reduce the count for INFO Violations (not other violations) on a particular project only. What is the best way to achieve this in Sonar Qube 5.3? – user2608424 Apr 28 '16 at 15:50
  • @JulienL.-SonarSourceTeam check my answer, one can also set the quality gate dynamically via WEB API, not only from the web UI. Can you confirm it? – A_Di-Matteo Jun 06 '17 at 09:35
  • @a_Di-Matteo, using web service (WS) was also in my answer, so yes your answer is correct. – Julien L. - SonarSource Team Jun 07 '17 at 11:04
  • @JulienL.-SonarSourceTeam ouch, I missed the "/WS" part indeed:) and I bet I was not the only one. Thanks for your clarification. – A_Di-Matteo Jun 07 '17 at 12:13
3

You can still dynamically create an association gate - project via Sonarqube Web API.

From your Sonarqube instance, go to its /web_api URL (e.g. http://my-sonarqube/web_api) and check the list of available operations.

The web_api/api/qualitygates is the set of operations related to quality gates. The web_api/api/qualitygates/select is the operation you need to associate a gate to a project.

Hence, as a replacement for the deprecated sonar.qualitygate, you can use either the manual association via the web UI or a dynamic (and automated) association via web API, recommended. The latter case is the way to go in case of Continuous Integration jobs (as you mentioned Jenkins in this context) that would need to create dynamically the link (especially useful for branches management).

As a mandatory step for this operation to work, you need to pass some permissions, e.g. a user token, as the recommended approach from the official Sonarqube documentation on Web API.

An example of what a CI step may look like just before invoking the sonar:sonar step:

```
curl -u ${sonar.password.token}: ${sonar.setqualitygate.url} \
-d "gateId=${sonar.gate.id}&projectKey=${sonar.project.key}:${planRepository.branch}"
```

Where:

  • sonar.password.token is a token you need to generate from the Sonarqube User management page, for a technical user (e.g. a Jenkins user used to make the connection between the components)
  • sonar.setqualitygate.url is the URL of the REST API endpoint (e.g. http://your.sonarqube.domain/api/qualitygates/select)
  • sonar.gate.id is the gate id, you can find it easily in the URL of the concerned gate (e.g. http://your.sonarqube.domain/quality_gates/show/<id>)
  • sonar.project.key and planRepository.branch: here we are dynamically building the name of the project for a certain branch as well; you can skip this step if you don't want to handle branches dynamically (e.g. easy to do in Bamboo, a bit more tricky in Jenkins)
A_Di-Matteo
  • You say that you may call the curl command to assign a Quality Gate to the Project, but how will this be achievable if this project has not been analyzed before? You will receive this response from the API: "msg":"Component key 'com.acme:project:my_branch' not found". It does not make sense running project analysis without a gate specified, it will just take the default one, which is probably not what you need. – stinger Apr 12 '18 at 13:57
  • @stinger the approach above has been used in our CI env for months and it is doing its job: you can dynamically assign a different quality gate to a project. Indeed, in our case the approach is used for feature branches (applying a different gate to them) while the develop branch has already been analyzed with a different gate, assigned manually. I need to check this case. – A_Di-Matteo Apr 12 '18 at 14:24
  • When you start analysis of a feature branch, Sonar will create a new separate project for it (of course, if you aren't using the paid branching plugin). Let's assume you've created a new feature and pushed it; how would you assign a gate using the API to a brand new project PRIOR to it being analyzed? There is as yet no such project inside Sonar. – stinger Apr 12 '18 at 14:40
  • @stinger yet it is doing its job correctly. Are you sure about the msg error mentioned above? Did you try it? Which version of Sonarqube are you using? I'm on 6.2 and no problem, the association is done prior to analysis for the first time for a branch and it's then maintained during the analysis, no default gate is associated but correctly the one requested. – A_Di-Matteo Apr 12 '18 at 14:52
  • Yes, I tried it. I'm using Sonar 7.0. I don't know your circumstances, but from Sonar's point of view it makes sense: when attempting to assign a gate for a yet non-existent project, I get an error response. – stinger Apr 12 '18 at 14:55
2

Using the approach suggested by A_Di-Matteo, I faced an issue: when trying to select a gate for a brand new feature branch, Sonar threw an error saying that the project does not exist. So one can assign a gate only after the project has been created. In this case, I use a hack: manually create a project using the Sonar Web API just before assigning a gate, and only then perform the mvn sonar:sonar step. Here is the creation of the dummy new project:

```groovy
// Create the project for this branch up front so that a gate can be assigned to it.
def createNewProject(def config, def branch) {
    String projectName = new XmlSlurper().parseText(readFile('pom.xml')).name as String
    def url = "${config.sonarHost}/api/projects/create"
    sh "curl -u ${config.sonarToken}: ${url} -d 'name=${projectName}&project=${projectKey()}&branch=${branch}'"
}
```

Next step is assigning a Gate for this dummy project:

```groovy
// Associate the given quality gate with the (already created) project.
def setSonarQualityGate(def config, def projectFullName, def gateId) {
    def url = "${config.sonarHost}/api/qualitygates/select"
    sh "curl -u ${config.sonarToken}: ${url} -d 'gateId=${gateId}&projectKey=${projectFullName}'"
}
```

And only after that I execute analysis itself:

```groovy
// Run the Maven analysis for the branch once the gate has been assigned.
def runSonarAnalysis(def config, def branch) {
    echo "Run Sonar analysis"
    sh "mvn sonar:sonar -Dsonar.host.url=${config.sonarHost} -Dsonar.branch=${branch}"
}
```
stinger
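
The create-then-select sequence from this answer and the curl step from the answer above, as an added shell example that is not code from either poster: the token is kept out of curl's argument list, form values are URL-encoded, and the step returns non-zero when the gate could not be set. The function names and the SONAR_HOST and SONAR_TOKEN environment variables are assumptions; the endpoints and parameter names are the ones quoted on this page, so check them against your instance's /web_api.

```shell
#!/bin/sh
# Added example. SONAR_HOST and SONAR_TOKEN are assumed to come from the CI
# credential store as environment variables; all function names are hypothetical.

# POST to a Web API path. The token is handed to curl in a config read from
# stdin (--config -), so it is never part of curl's argument list.
sonar_post() {
    api_path=$1; shift
    case $SONAR_HOST in
        https://*) ;;
        *) echo "refusing to send the token to a non-HTTPS host" >&2; return 2 ;;
    esac
    printf 'user = "%s:"\n' "$SONAR_TOKEN" |
        curl --silent --show-error --fail --config - "$@" "$SONAR_HOST$api_path"
}

# --data-urlencode keeps characters such as '&' or '=' in a branch or project
# name from being read as extra form parameters.
select_gate() {    # $1 = gate id, $2 = full project key
    sonar_post /api/qualitygates/select \
        --data-urlencode "gateId=$1" --data-urlencode "projectKey=$2"
}

create_project() { # $1 = name, $2 = project key, $3 = branch
    sonar_post /api/projects/create --data-urlencode "name=$1" \
        --data-urlencode "project=$2" --data-urlencode "branch=$3"
}

# Select the gate; if that fails (e.g. the branch project does not exist yet),
# create the project and retry. A non-zero return means the gate is NOT set,
# so the caller should stop instead of analysing under the default gate.
ensure_gate() {    # $1 = gate id, $2 = name, $3 = project key, $4 = branch
    select_gate "$1" "$3:$4" && return 0
    create_project "$2" "$3" "$4" >/dev/null || return 1
    select_gate "$1" "$3:$4"
}

# Typical CI use (not executed here):
#   ensure_gate "$GATE_ID" "$NAME" "$KEY" "$BRANCH" && mvn sonar:sonar -Dsonar.branch="$BRANCH"
```
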