Open WadeBarnes opened 5 years ago
@wenzowski, Here you go. @ShellyXueHan, Alec asked me to tag you so the two of you could document the process more completely.
Thanks
Ideally if @ShellyXueHan has time, we can screenshot the process and commit here. However, we still need to confirm if the additional administrative burden of SonarCloud use is acceptable. As a result, I expect to resolve this ticket by either creating docs as requested or by migration of CAS projects away from SonarCloud as it is currently only transitionally deployed.
@wenzowski just to remind us that a journey (with pros and cons) is also included in the doc.
revisiting this ticket @wenzowski
I was thinking of taking this opportunity to give sonarcloud-circleci-orb a spin as well. This will give me a chance to try pulling the CLI directly into a python/java base image. If that works well then we might be able to get away with hosting the various CLI zip file versions on Artifactory and not maintaining a whole bunch of Jenkins slave images.
(oh yes, we already tried the same approach but using gradle)
Just did this. Here are the steps:

Add a `.sonarcloud.properties` file to your project root. Example:

```properties
sonar.projectName=ppr
# Path to sources
sonar.sources=ppr-api/src,ppr-ui/src,ims-api/src/main/java
#sonar.exclusions=
#sonar.inclusions=
# Path to tests
sonar.tests=ppr-api/tests,ppr-ui/tests/unit,ims-api/src/test/java
#sonar.test.exclusions=
#sonar.test.inclusions=
# Source encoding
sonar.sourceEncoding=UTF-8
# Exclusions for copy-paste detection
#sonar.cpd.exclusions=
```

If you want to invoke the scan manually, you'll need a SonarCloud token.
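A pre-commit style sanity check for a `.sonarcloud.properties` file like the one above, added here as an example (not code from the thread or the BCDevOps repo). It assumes the scanner's rule that a file may not be indexed as both a source and a test, and builds its sample from the properties posted above:

```python
import tempfile
from pathlib import Path

# Constructed sample mirroring the .sonarcloud.properties posted above
SAMPLE = """\
sonar.projectName=ppr
# Path to sources
sonar.sources=ppr-api/src,ppr-ui/src,ims-api/src/main/java
# Path to tests
sonar.tests=ppr-api/tests,ppr-ui/tests/unit,ims-api/src/test/java
sonar.sourceEncoding=UTF-8
"""

def parse_properties(text):
    """Parse Java-style properties: '#'/'!' comment lines, key=value pairs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def split_paths(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def _nested(a, b):  # True when one path equals or contains the other
    a, b = Path(a), Path(b)
    return a == b or a in b.parents or b in a.parents

def check_properties(text, root):
    """Return a list of problems: unset/missing paths, source/test overlap, encoding."""
    props = parse_properties(text)
    root = Path(root)
    sources = split_paths(props.get("sonar.sources", ""))
    tests = split_paths(props.get("sonar.tests", ""))
    problems = [] if sources else ["sonar.sources is not set; nothing would be scanned"]
    for key, paths in (("sonar.sources", sources), ("sonar.tests", tests)):
        problems += [f"{key}: '{p}' not found under project root" for p in paths if not (root / p).exists()]
    # The scanner refuses to index a file as both a source and a test file
    problems += [f"sources '{s}' overlaps tests '{t}'" for s in sources for t in tests if _nested(s, t)]
    if props.get("sonar.sourceEncoding", "").upper() != "UTF-8":
        problems.append("sonar.sourceEncoding is not UTF-8; set it explicitly")
    return problems

def demo():  # lay out the sample's directories in a temp dir and validate against it
    with tempfile.TemporaryDirectory() as tmp:
        props = parse_properties(SAMPLE)
        for p in split_paths(props["sonar.sources"]) + split_paths(props["sonar.tests"]):
            (Path(tmp) / p).mkdir(parents=True)
        return check_properties(SAMPLE, tmp)
```

Run `check_properties` against the repository root before pushing; an empty list means the paths resolve and sources and tests are disjoint.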
Use of a scan image rather than the `.sonarcloud.properties` file resurfaced yesterday in the discussion of OWASP ZAP organized by @garywong-bc and may benefit from an example integrating the `zaproxy-report.xml` into sonar-server & SonarCloud (same API).
@rstens, @wenzowski , Any chance you guys can formalize this documentation in a section or two of the main ReadMe and submit a PR?
Done my piece, over to others. See readme.
Thanks. Reviewed. Asked @wenzowski if he'd like to add anything.
commented BCDevOps/sonarqube#21
If ZAP were part of our STRA I think our team would be empowered to put more resources here. As it stands, our STRA requires a manual scan and thus this ticket and the coupled exploration of how a full ZAP scan might meet security needs has been relegated to "nice-to-have" status: possibly valuable in future but not urgent and of minimal impact as we prepare for our first release deadline.
As a result, our team has continued to use the Automatic Analysis feature provided by SonarCloud and has not yet completed exploration of `zaproxy-report.xml` or line coverage integration. We have yet to hit the point where the Sonar status check on our Quality Gate has blocked merge of a PR, as our pre-commit checks appear to be producing similar static analysis feedback at an earlier stage in our pipeline process.
cc @NickCorcoran
SonarCloud and SonarQube Server are essentially the same. Project teams that are not bound to using a private instance of SonarQube Server are encouraged to use SonarCloud due to the reduction in administration overhead (upgrades, updates, etc.).
Add a section describing the steps a team must take in order to use SonarCloud in place of SonarQube Server.
Recommend placing this section near the top above the SonarQube Server section.