Jenkins integration with SonarQube

In today's world we expect better quality and complex solutions that are easier to adopt. I would say that SonarQube is one of the engines that helps raise project quality and prevent unpredictable issues later on, as your project grows.

Unfortunately, it was difficult to find a real guide on how to set up and integrate SonarQube with Jenkins. Almost all guides are outdated as of 2021, which is one of the reasons this topic was created.

I will explain how you can easily integrate your CI/CD tool, Jenkins, with SonarQube to evaluate your sources.

Overview

Jenkins is a free and open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.

SonarQube® is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.

SonarQube configuration

Generating a token

The SonarQube UI can generate new tokens under User > My Account > Security.

The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the generated token value. Copy it right away; once you dismiss the notification you will not be able to see or change it.

Jenkins configuration

First of all, you need to install the SonarQube Scanner plugin: https://plugins.jenkins.io/sonar/

The easiest way of installing plugins is through the UI Manage Jenkins > Manage Plugins view, available to administrators of a Jenkins environment.

Once the SonarQube Scanner plugin is installed, add Sonar credentials containing the generated token. From the Jenkins page click Manage Jenkins > Manage Credentials.

Manage Jenkins > Configure System > SonarQube servers

Add the SonarQube server URL without a trailing / and choose the token credential.

Manage Jenkins > Global Tool Configuration

Add a sonar-scanner installation here; the pipeline below references it by its installation name.

Jenkins pipeline example

Here is an example of a Jenkins Maven pipeline that builds the code, analyzes it and checks the result against the SonarQube Quality Gate.

If the code does not pass the Quality Gate, the build fails.

#!groovy
pipeline {
    agent any
    environment {
        // Short commit hash, used below to tag the analysis version
        GIT_COMMIT_SHORT = sh(
            script: "printf \$(git rev-parse --short ${GIT_COMMIT})",
            returnStdout: true
        )
    }
    tools {
        // Names as configured under Manage Jenkins > Global Tool Configuration
        maven 'maven'
        jdk 'java'
    }
    stages {
        stage('Build project') {
            steps {
                sh '''mvn install'''
            }
        }
        stage('SonarQube analysis') {
            environment {
                // Name of the sonar-scanner installation from Global Tool Configuration
                SCANNER_HOME = tool 'Sonar-scanner'
            }
            steps {
                // credentialsId: the token credential; installationName: the server from Configure System
                withSonarQubeEnv(credentialsId: 'sonar-credentialsId', installationName: 'Sonar') {
                    // Triple single quotes: ${...} is expanded by the shell, not by Groovy
                    sh '''$SCANNER_HOME/bin/sonar-scanner \
                        -Dsonar.projectKey=projectKey \
                        -Dsonar.projectName=projectName \
                        -Dsonar.sources=src/ \
                        -Dsonar.java.binaries=target/classes/ \
                        -Dsonar.exclusions=src/test/java/**/*.java \
                        -Dsonar.java.libraries=/var/lib/jenkins/.m2/**/*.jar \
                        -Dsonar.projectVersion=${BUILD_NUMBER}-${GIT_COMMIT_SHORT}'''
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Waits for SonarQube's webhook callback to Jenkins; abortPipeline fails the build on a failed gate
                timeout(time: 1, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
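To show what the Quality Gate stage is actually checking, here is an added example (not code from the post or from the SonarQube plugin) that reproduces the check outside Jenkins: it reads the ceTaskId that sonar-scanner writes to .scannerwork/report-task.txt, polls the SonarQube api/ce/task endpoint until the background task finishes, and then asks api/qualitygates/project_status for the gate result. The SONAR_TOKEN environment variable and the injectable fetch parameter are assumptions of this example.

```python
import base64
import json
import os
import time
import urllib.request


def parse_report_task(text):
    """Parse the key=value lines of .scannerwork/report-task.txt written by sonar-scanner."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def sonar_get(url, token):
    """GET a SonarQube API URL; the token is sent as the Basic-auth username with an empty password."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def quality_gate_status(props, token, fetch=sonar_get, poll_seconds=5, max_polls=12):
    """Wait for the analysis task, then return its gate status ('OK', 'ERROR' or 'NONE')."""
    server = props["serverUrl"].rstrip("/")
    task_url = f"{server}/api/ce/task?id={props['ceTaskId']}"
    for _ in range(max_polls):
        task = fetch(task_url, token)["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            break
        time.sleep(poll_seconds)  # task is still PENDING / IN_PROGRESS
    else:
        raise TimeoutError("SonarQube background task did not finish in time")
    if task["status"] != "SUCCESS":
        raise RuntimeError("analysis task ended with status " + task["status"])
    gate_url = f"{server}/api/qualitygates/project_status?analysisId={task['analysisId']}"
    return fetch(gate_url, token)["projectStatus"]["status"]


if __name__ == "__main__":
    # Token comes from the environment (e.g. a Jenkins credential), never from argv (assumed name).
    with open(".scannerwork/report-task.txt") as fh:
        status = quality_gate_status(parse_report_task(fh.read()), os.environ["SONAR_TOKEN"])
    raise SystemExit(0 if status == "OK" else 1)
```

Run it from the workspace after sonar-scanner has finished; a non-zero exit mirrors what abortPipeline: true does in the pipeline.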

Results:

As a result you will see the SonarQube dashboard with the analysis results.

As you can see in this topic, SonarQube is easy to set up and configure. The example shows how to integrate it with an existing CI/CD process. Starting from the initial build, SonarQube evaluates your application. It finds gaps and bugs and shows coding best practices for several programming languages (Java, .NET, JS, etc.).

SonarQube helps make your project more secure, prevents vulnerabilities and improves the quality of your code.

URLs:

https://www.jenkins.io/
https://en.wikipedia.org/wiki/Jenkins
https://www.jenkins.io/doc/book/using/using-credentials/
https://plugins.jenkins.io/sonar/
https://www.sonarqube.org/
https://docs.sonarqube.org/latest/user-guide/user-token/
https://docs.sonarqube.org/latest/setup/get-started-2-minutes/