Sonar Code Quality Gate Integration with CI – Part 2

Configuration for Jenkins and Gitlab

First and foremost, you have to configure the Jenkins CI and Gitlab to make sure they have permission to access each other. You can find the detailed guide to set them up properly from this website: https://docs.gitlab.com/ee/integration/jenkins.html#grant-jenkins-access-to-gitlab-project.

I used the webhook to notify Jenkins from Gitlab once any events are triggered. In Jenkins, modify the project’s configuration and generate a random secret token.

In the Gitlab webhook configuration, fill in the blank URL field with your Jenkins server address and paste the secret token on the next line.

After you finish the configuration, you can run a test to verify that it works. If everything goes well, you get the status code 200 from Gitlab.

You can also go through the request and response packets to see what happened, if you like.

The Jenkins job we just created is a pipeline job, which allows us to define our build tasks in a Groovy script. There is some additional work to do so that Jenkins can trigger the build job from the Jenkinsfile in your repository.

Trigger the Jenkins Pipeline

Create the Jenkinsfile file under the root directory of your repository, and add the build script:

    pipeline {
        agent any

        stages {
            stage('gitlab') {
                steps {
                    echo 'Notify GitLab'
                    updateGitlabCommitStatus name: 'build', state: 'pending'
                    sh "make"
                    updateGitlabCommitStatus name: 'build', state: 'success'
                }
            }
        }
    }

The repository we’re gonna use is the same as we created previously in this post: https://recursively.review/2021/07/28/Sonar-Code-Qualitygate-Integration-with-CI-Part-1/.

Commit your changes and push them to the remote repository to trigger the Jenkins pipeline. After a while, you can switch to the Jenkins dashboard to check the build result.

Integrate the Code Scanning

Let’s first try using the cppcheck to perform the code scanning. This time we’re gonna use the cppcheck plugin in Jenkins directly for convenience. Just install the cppcheck plugin and we’re good to go.

    pipeline {
        agent any

        stages {
            stage('gitlab') {
                steps {
                    echo 'Notify GitLab'
                    updateGitlabCommitStatus name: 'build', state: 'pending'
                    sh "make"
                    updateGitlabCommitStatus name: 'build', state: 'success'
                }
            }
            stage('scan') {
                steps {
                    echo 'Scan beginning'
                    updateGitlabCommitStatus name: 'scan', state: 'running'
                    sh "cppcheck --xml --xml-version=2 --enable=all ./ 2> cppcheck-report.xml"
                    updateGitlabCommitStatus name: 'scan', state: 'success'
                }
            }
        }
    }

Take a look at the Jenkins build dashboard to check the status.

Now that we have scanned our project successfully with cppcheck, it will not be difficult to integrate SonarQube in order to establish our quality gate. Before that, we need to install the Sonar-scanner plugin in Jenkins. When the installation is finished, go to Manage Jenkins > Configure System and scroll down to the SonarQube servers section. Click the Add SonarQube button to add the new configuration.

To use the Sonar-scanner command in the pipeline script, we first have to add a new Sonar-scanner tool in Jenkins.

Quality Gate Integration

It’s pretty easy to add the quality gate to our CI. Let’s make some changes to the sonar configuration file sonar-project.properties:

    sonar.projectKey=test
    sonar.login=50b94782744687df5d5b04863b6a3c2198b3361a
    sonar.host.url=http://172.20.1.135:9000
    sonar.qualitygate.wait=true

    sonar.sources=.

    sonar.cxx.file.suffixes=.h,.cpp,.c

    sonar.cxx.cppcheck.reportPaths=cppcheck-report.xml

For the Jenkinsfile:

    pipeline {
        agent any

        stages {
            stage('gitlab') {
                steps {
                    echo 'Notify GitLab'
                    updateGitlabCommitStatus name: 'build', state: 'pending'
                    sh "make"
                    updateGitlabCommitStatus name: 'build', state: 'success'
                }
            }
            stage('scan') {
                steps {
                    echo 'Scan beginning'
                    updateGitlabCommitStatus name: 'scan', state: 'running'
                    sh "cppcheck --xml --xml-version=2 --enable=all ./ 2> cppcheck-report.xml"
                    updateGitlabCommitStatus name: 'scan', state: 'success'
                }
            }
            stage('SonarQube analysis & quality gate') {
                environment {
                    scannerHome = tool 'SonarScanner'
                }
                steps {
                    withSonarQubeEnv('SonarQube') {
                        sh "${scannerHome}/bin/sonar-scanner"
                    }
                }
            }
        }
    }

Now we have finished setting up the configuration accordingly. If we push our changes to the remote repository, the CI quality gate check will take effect.

Merge Request Combination

First, make some changes to the Jenkins pipeline script so that it updates the merge request status as the pipeline progresses.

    pipeline {
        agent any

        stages {
            stage('gitlab') {
                steps {
                    echo 'Notify GitLab'
                    updateGitlabCommitStatus name: 'build', state: 'running'
                    sh "make"
                }
            }
            stage('scan') {
                steps {
                    echo 'Scan beginning'
                    sh "cppcheck --xml --xml-version=2 --enable=all ./ 2> cppcheck-report.xml"
                }
            }
            stage('SonarQube analysis & quality gate') {
                environment {
                    scannerHome = tool 'SonarScanner'
                }
                steps {
                    withSonarQubeEnv('SonarQube') {
                        sh "${scannerHome}/bin/sonar-scanner"
                    }
                    updateGitlabCommitStatus name: 'build', state: 'success'
                }
            }
        }
    }

To check the merge request scanning status, we need to enable the option below in Gitlab:

Once a merge request is triggered, it stays restricted until the CI pipeline succeeds a moment later.
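
An added example, not part of the original post: the final pipeline with the commit status reported from a post block, so that a failed build, scan or quality gate marks the Gitlab commit as failed instead of leaving it at running, and with the SonarQube token bound from a Jenkins credential rather than committed in sonar-project.properties. The credential ID sonar-token is a hypothetical name; the example assumes the Credentials Binding plugin is installed and that the sonar.login line has been removed from the properties file.

```groovy
pipeline {
    agent any

    stages {
        stage('gitlab') {
            steps {
                echo 'Notify GitLab'
                updateGitlabCommitStatus name: 'build', state: 'running'
                sh 'make'
            }
        }
        stage('scan') {
            steps {
                echo 'Scan beginning'
                sh 'cppcheck --xml --xml-version=2 --enable=all ./ 2> cppcheck-report.xml'
            }
        }
        stage('SonarQube analysis & quality gate') {
            environment {
                scannerHome = tool 'SonarScanner'
            }
            steps {
                withSonarQubeEnv('SonarQube') {
                    // 'sonar-token' is a hypothetical "Secret text" credential ID.
                    withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
                        // Single quotes: the shell expands the secret, not Groovy,
                        // so the token is not interpolated into the pipeline script.
                        // With sonar.qualitygate.wait=true the scanner exits non-zero
                        // when the gate fails, which fails this step.
                        sh '"$scannerHome/bin/sonar-scanner" -Dsonar.login="$SONAR_TOKEN"'
                    }
                }
            }
        }
    }

    // Report the final result to Gitlab whatever stage the pipeline stopped in.
    post {
        success { updateGitlabCommitStatus name: 'build', state: 'success' }
        failure { updateGitlabCommitStatus name: 'build', state: 'failed' }
        aborted { updateGitlabCommitStatus name: 'build', state: 'canceled' }
    }
}
```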

References

https://docs.gitlab.com/ee/integration/jenkins.html#grant-jenkins-access-to-gitlab-project

https://about.gitlab.com/handbook/customer-success/demo-systems/tutorials/integrations/create-jenkins-pipeline/