Improving Code Analysis Workflow with Jenkins, Sonar, and Gerrit


Improve the code analysis process by analysing source code before it is merged, enabling analysis of branches, and triggering Jenkins jobs on Gerrit events. SonarCloud can analyse branches through simple options on the Maven build, while the proposal suggests using a Jenkins plugin for the code review vote. The difficulty of missing Gerrit change numbers in daily runs and the post-build action are also discussed, together with the use of web services and webhooks for efficient code scanning.


Uploaded on Jul 17, 2024 | 1 Views



Presentation Transcript


  1. Jenkins, Gerrit and Sonar 2021-02-22 Thierry Alleno

  2. What is implemented
  [Diagram: (1) git push/review on master -> (2) Gerrit event -> (3) Jenkins starts code analysis of the master content -> Verified +1/-1; the analysis also runs once per day (@Daily).]
  When a user pushes content to Gerrit, Sonar does not analyse the new source code but the content of master. The content of branches is not analysed in Sonar.

  3. Proposal (1/5): what would be better
  - Analyse proposed source code before merge and do not allow commits of bad code
  - Analyse source code in branches
  - Trigger Jenkins jobs when patch sets are created and analyse the content of the short-lived branch
  - Analyse every day the content of all live branches (master, guilin, honolulu, ...) [only master at the moment]

  4. SonarCloud
  SonarCloud offers the possibility to analyse branches and short-lived branches using simple options on the Maven build:
    -Dsonar.analysis.gerritProjectName="$PROJECT" \
    -Dsonar.branch.name="$GERRIT_SHORT_LIVED_BRANCH" \
    -Dsonar.branch.target="$GERRIT_BRANCH"
  For example: GERRIT_SHORT_LIVED_BRANCH=${GERRIT_CHANGE_NUMBER}-${GERRIT_PATCHSET_NUMBER}

  5. Proposal (2/5): with Jenkins plugin
  [Diagram: (1) git push/review on master/branch -> (2) Gerrit event -> (3) Jenkins starts code analysis of the git commit content -> (4) get report.json -> (5) the plugin inspects the report and sets Code-Review +1/-1 according to settings -> (6/7) build failed: Verified -1; Code-Review -1: Verified -1; Code-Review +1: Verified +1.]
  Use the Jenkins plugin "Sonar Gerrit Plugin": it inspects the report and sets Code-Review +1/-1 according to its settings, for example -1 only for critical violations.

  6. Proposal (3/5)
  When the Sonar Gerrit Plugin is used in a Jenkins job, a Gerrit change number is required. This number is not present in a daily execution, and the job is marked failed when it is missing.
  A simple solution: duplicate the Sonar jobs (or the jobs of any new SCA tool, Checkmarx etc.):
  - in the new job, do not activate the daily execution;
  - in the jobs executed on master or a branch, deactivate triggering on Gerrit events.
  The best solution: do not execute the post-build action "Post SonarQube issues as Gerrit comments" when it is a daily execution. [At the moment I do not have a solution to do this.]

  7. Proposal (4/5): using web services and a webhook
  [Diagram: (1) git push/review on master/branch -> (2) Gerrit event -> (3) Jenkins starts code analysis of the git commit content -> build failed: Verified -1; build ok: Verified +1 -> (4) Sonar webhook POSTs the result of the scan to the web service -> the web service POSTs a comment on the Gerrit patch set: scan nok: Verified 0; scan ok: Verified +1.]
  The web service inspects the result according to its settings, for example -1 only for critical violations, and does nothing if the result corresponds to a scan of the master or main branch.
  Web service example: MediaWiki.

  8. Proposal (5/5)
  We did not perform the full test with the web service developed for the MediaWiki CI project, because we are facing two problems:
  - our platform is not connected to the internet, so the SonarCloud webhook cannot reach it;
  - analysis of branches in Sonar is available from the Developer Edition onwards, and we do not have a licence.
  To test it we need a Sonar Developer Edition or the possibility to host the web service on the internet.
  After analysis, it seems that the web service developed by the MediaWiki project can be used after some modifications (only hardcoded URLs): https://github.com/wikimedia/labs-tools-sonarqubebot.git
  The principle of the web service is:
  1. receive a POST request from the Sonar webhook,
  2. introspect the POST request,
  3. send a POST request to Gerrit on the corresponding patch set and set Verified to 0 or 1 according to the scan result (the result of the scan is determined by the quality gate settings in SonarCloud, see next slide).
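The three steps above, written out as an added example (not the MediaWiki bot's code and not part of the original slides). It assumes the branch naming from slide 4 (change-patchset), that the webhook is configured with a shared secret so the X-Sonar-Webhook-HMAC-SHA256 header can be checked before any vote is cast, and that the caller performs the actual HTTP POST to the returned Gerrit REST path:

```python
import hashlib
import hmac
import json

# Constructed sample body in the shape of a SonarQube webhook payload
# (documented field names; the values are made up for this example).
SAMPLE_PAYLOAD = json.dumps({
    "serverUrl": "https://sonar.example.invalid",
    "status": "SUCCESS",
    "project": {"key": "onap-demo"},
    "branch": {"name": "12345-3", "type": "BRANCH", "isMain": False},
    "qualityGate": {"status": "ERROR"},
}).encode()
WEBHOOK_SECRET = b"constructed-shared-secret"  # the secret configured on the Sonar webhook

def sign(body, secret):
    """HMAC-SHA256 hex digest, the scheme Sonar uses for X-Sonar-Webhook-HMAC-SHA256."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def signature_valid(body, header_value, secret):
    """Reject bodies not signed with the shared secret, so only Sonar can trigger a vote."""
    return hmac.compare_digest(sign(body, secret), header_value)

def gerrit_review_for(payload):
    """Map a webhook payload to (change, patchset, ReviewInput), or None when no vote applies."""
    if payload.get("status") != "SUCCESS":
        return None  # the analysis task itself failed: nothing to report
    branch = payload.get("branch", {})
    if branch.get("isMain") or branch.get("name") in ("master", "main"):
        return None  # slide 7: do nothing for scans of master/main
    change, sep, patchset = branch.get("name", "").partition("-")
    if not (sep and change.isdigit() and patchset.isdigit()):
        return None  # not a <change>-<patchset> short-lived branch
    gate_ok = payload.get("qualityGate", {}).get("status") == "OK"
    review = {"labels": {"Verified": 1 if gate_ok else 0},
              "message": "SonarQube quality gate: " + ("OK" if gate_ok else "FAILED")}
    return change, patchset, review

def handle_webhook(body, sig_header, secret=WEBHOOK_SECRET):
    """Verify, introspect, and return (Gerrit REST path, ReviewInput) to POST, or None."""
    if not signature_valid(body, sig_header, secret):
        return None
    result = gerrit_review_for(json.loads(body))
    if result is None:
        return None
    change, patchset, review = result
    # Gerrit's SetReview endpoint; the patch set number doubles as the revision id.
    return "/a/changes/%s/revisions/%s/review" % (change, patchset), review
```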

  9. Sonarcloud quality gates

  10. Next steps
  - Test the web service (by us, if we have a solution)
  - Implementation of the web service by LFN
  - POC: implement on one ONAP project, set up and adapt a new quality gate
  - Generalize to all projects

  11. Jenkins modifications (1/2)
  1. Declare a new environment variable and add additional parameters to the Maven build:
    GERRIT_SHORT_LIVED_BRANCH=${GERRIT_CHANGE_NUMBER}-${GERRIT_PATCHSET_NUMBER}
    -Dsonar.analysis.gerritProjectName="$PROJECT" \
    -Dsonar.branch.name="$GERRIT_SHORT_LIVED_BRANCH" \
    -Dsonar.branch.target="$GERRIT_BRANCH"
  2. Install the plugin "Sonar Gerrit Plugin".
  3. Add a shell script step after the Sonar build to retrieve the report using curl (the plugin is not compatible with Sonar 7.7 and later because -Dsonar.analysis.mode=preview was removed):
    curl -u ${API_TOKEN}: -L -o ${WORKSPACE}/target/sonar/sonar-report.json \
      "${SONAR_HOST_URL}/api/issues/search?componentKeys=${PROJECT_KEY}&branch=${GERRIT_BRANCH}&resolved=false&facets=severities"

  12. Jenkins modifications (2/2)
  4. In the plugin configuration, add the REST API credentials for Gerrit.
  5. Add and configure a post-build step: "Post SonarQube issues as Gerrit comments".
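What the post-build step has to do with the sonar-report.json fetched in step 3, as an added example (not the Sonar Gerrit Plugin's own code): it reads the /api/issues/search response, keeps the issues at or above a configurable severity (slides 5 and 7: -1 only for critical violations), and builds the Gerrit ReviewInput with a Code-Review vote and one inline comment per blocking issue. The report content below is constructed for the example.

```python
import json

# Constructed sample in the shape returned by /api/issues/search (values are made up).
SAMPLE_REPORT = json.dumps({
    "total": 2,
    "issues": [
        {"key": "AX1", "rule": "java:S2068", "severity": "CRITICAL",
         "component": "onap-demo:src/main/java/Demo.java", "line": 42,
         "message": "Hard-coded credentials are security-sensitive"},
        {"key": "AX2", "rule": "java:S1135", "severity": "INFO",
         "component": "onap-demo:src/main/java/Demo.java", "line": 7,
         "message": "Complete the task associated to this TODO comment"},
    ],
    "facets": [{"property": "severities", "values": [
        {"val": "CRITICAL", "count": 1}, {"val": "INFO", "count": 1}]}],
})

# SonarQube severity scale, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}

def blocking_issues(report, threshold="CRITICAL"):
    """Issues whose severity is at or above the configured threshold."""
    floor = SEVERITY_RANK[threshold]
    return [i for i in report.get("issues", [])
            if SEVERITY_RANK.get(i.get("severity"), 0) >= floor]

def review_input(report_json, threshold="CRITICAL"):
    """Build the Gerrit ReviewInput: Code-Review -1 only when blocking issues exist, else +1."""
    report = json.loads(report_json)
    blocking = blocking_issues(report, threshold)
    comments = {}
    for issue in blocking:
        # "component" is "<projectKey>:<path>"; drop the key to get the repository path
        path = issue["component"].split(":", 1)[1]
        comments.setdefault(path, []).append({
            "line": issue.get("line", 0),  # 0 means a file-level comment in Gerrit
            "message": "[%s] %s: %s" % (issue["severity"], issue["rule"], issue["message"]),
        })
    return {
        "labels": {"Code-Review": -1 if blocking else 1},
        "message": "SonarQube: %d issue(s) at or above %s" % (len(blocking), threshold),
        "comments": comments,
    }
```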
