SAP-archive / cloud-s4-sdk-pipeline

The Cloud SDK pipeline uses the Cloud SDK continuous delivery server for building, checking, and deploying extension applications. Projects based on the SAP Cloud SDK archetype will automatically use this pipeline.
Apache License 2.0

sonarqubescan #37

Closed T1mey closed 4 years ago

T1mey commented 4 years ago

Issue Description (Mandatory)

How to execute a sonar scan ? Documentation says:

https://github.com/SAP/cloud-s4-sdk-pipeline/blob/master/configuration.md#sonarqubescan

The pipeline is not executing the stage sonarqubescan. Even if I configure sonarExecuteScan, it gets skipped.

Log Output (Mandatory)

```
Stage "SonarQube Scan" skipped due to when conditional
```

fwilhe commented 4 years ago

Hi @T1mey,

I assume you're not on the productive branch.

Two options:

Either push to your productive branch and it will be executed.

Or enable runInAllBranches. Note that this requires the commercial version of SonarQube.

I think we can make this more clear in the docs. See code if you're interested in the implementation.

Best,

Florian

T1mey commented 4 years ago

Found the invocation problem... I did not have sonarQubeScan in stages, it was in steps. Thanks for the info about the Sonar version. I assume that we have only the non-commercial one; I must check this.

I have another problem downloading the binaries:

```
Execution failed - Download of sonar-scanner failed: HTTP GET request to https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102-linux.zip failed with error: error calling https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102-linux.zip: Get https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.3.0.2102-linux.zip: dial tcp: lookup binaries.sonarsource.com on 10.96.0.10:53: no such host
```

Are you using curl or httpRequest?

fwilhe commented 4 years ago

I'm not too familiar with this step as it was developed in another team, but it seems to use the Go HTTP client; cf. the implementation if you're interested.

You might try using a Sonar Docker image, which avoids the need to download the binaries as part of your pipeline.

```yaml
stages:
  sonarQubeScan:
    dockerImage: sonarsource/sonar-scanner-cli:latest
```

Try this config. Be aware that this image contains a very outdated version of Node.js, if that is an issue for you.

Hope this helps.

T1mey commented 4 years ago

Thanks for the hint. Is the Go client using a proxy, or can I specify one via params?

Will try the Docker image first. Maybe I need to build my own one because of self-signed certs in the chain.

What I didn't get: do I have to configure the stage sonarQubeScan and the step sonarExecuteScan?!

T1mey commented 4 years ago

@fwilhe Seems that loading certs is somehow supported but not documented:

(screenshot of the code)

fwilhe commented 4 years ago

> @fwilhe Seems that loading certs is somehow supported but not documented:
>
> (screenshot of the code)

I can't comment on that, I'm not familiar with that code. Where is this from?

daniel-kurzynski commented 4 years ago

> customTlsCertificateLinks: List of comma-separated download links to custom TLS certificates. This is required to ensure trusted connections to instances with custom certificates.

https://sap.github.io/jenkins-library/steps/sonarExecuteScan/

I think that is the only documentation.
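The three answers above (productive branch vs. runInAllBranches, a scanner Docker image instead of an in-pipeline download, and customTlsCertificateLinks for a self-signed server chain) fit into one `.pipeline/config.yml`. The following is an added example written for this page, not a file from the issue or from the project; the key names are taken from the cloud-s4-sdk-pipeline configuration.md and the Piper sonarExecuteScan docs as the editor recalls them (`general.productiveBranch`, `steps.sonarExecuteScan`, the image tag and the certificate URL are assumptions to check against those docs):

```yaml
# .pipeline/config.yml (added example, not from the issue or the project)
general:
  # Assumption: key name from cloud-s4-sdk-pipeline configuration.md.
  # The SonarQube stage runs only on this branch unless runInAllBranches is set.
  productiveBranch: 'master'

stages:
  sonarQubeScan:
    # Scan every branch instead of only the productive one. Branch analysis
    # needs the commercial SonarQube edition; on Community Edition keep false.
    runInAllBranches: false
    # Scanner image instead of downloading sonar-scanner-cli during the run.
    # Pin a version tag (assumed to exist on Docker Hub) or a digest rather
    # than "latest", so the scanner binary cannot change underneath the build.
    dockerImage: 'sonarsource/sonar-scanner-cli:4.3'

steps:
  # Assumption: step-level options of the Piper step that the stage wraps.
  sonarExecuteScan:
    # CA certificates of a SonarQube server with a self-signed chain; the step
    # downloads them and adds them to the scanner's truststore. Serve them over
    # https from a host the build agent already trusts: a plain-http link means
    # the trust anchor itself is fetched without verification.
    customTlsCertificateLinks:
      - 'https://ca.example.internal/root-ca.pem'
```

The stage/step split that the thread asks about is visible here: `stages.sonarQubeScan` carries the options the Cloud SDK pipeline defines for the stage, while `steps.sonarExecuteScan` carries options of the underlying Piper step.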

fwilhe commented 4 years ago

> What I didn't get: do I have to configure the stage sonarQubeScan and the step sonarExecuteScan?!

This might depend on the individual option. Mostly this is due to historic reasons, and we try to harmonize it with project "Piper" as far as possible.

T1mey commented 4 years ago

I created my own Docker image and was able to upload to SonarQube. As we have the OWASP dependency plugin installed in SonarQube, I would like to invoke the dependency-check file generation. One option is to use Maven for this:

```shell
mvn clean package dependency-check:aggregate
```

In my opinion not the best option, because we need it for Node.js and maybe other languages as well.

Is there any way to invoke the dependency check tool in a common way?

fwilhe commented 4 years ago

> Is there any way to invoke the dependency check tool in a common way?

I'm not sure if I understand what you need. Some way to abstract maven/npm? "common" between what?

T1mey commented 4 years ago

To be able to identify 3rd-party libs which have vulnerabilities, we would like to use

https://github.com/jeremylong/DependencyCheck

SonarQube has a plugin installed which is able to visualize them, and the sonar-scanner-cli is able to upload it. Therefore, some files have to be generated before the sonar-scanner-cli runs in the pipeline.

Options would be (as I understand it):

Dependency-Check is available as a:

- Command-line utility (as Docker)
- Ant Task
- Gradle Plugin
- Jenkins Plugin
- Maven Plugin
- SonarQube Plugin

see https://github.com/dependency-check/dependency-check-sonar-plugin

fwilhe commented 4 years ago

We currently don't have support for that, and I don't know the tool well enough to say anything about it. You might try a stage-level extension for the build stage where you run the CLI tool, or the Maven plugin.

Very roughly (and untested!), this might look similar to something like this:

`.pipeline/extensions/build.groovy`

```groovy
void call(Map params) {
  // run the original build stage first
  params.originalStage()

  // for a shell script (placeholder name; run whatever generates the report)
  sh 'sonar-cli.sh'

  // for a maven plugin
  mavenExecute(
      script: params.script,
      flags: '--batch-mode',
      pomPath: 'application/pom.xml',
      m2Path: s4SdkGlobals.m2Directory,
      goals: ['dependency-check:aggregate'],
  )
}
return this
```

T1mey commented 4 years ago

I will try the stage-level extension later. For now I have it nearly running with Maven. Just one piece is missing: my generated files are not stashed for Sonar. I tried this:

```
stashIncludes: ['buildResult': '**/target/*.jar, **/*.mtar, checkmarx:**/*.js, **/*.scala, **/*.py, **/*.go, **/*.d, **/*.di, **/*.xml, **/*.html', 'classFiles': '**/target/classes/**/*.class, **/target/test-classes/**/*.class', 'sonar':'**/jacoco*.exec, **/sonar-project.properties, dependency-check-report.*']
```

But I'm struggling with the syntax.

The docs just say:

(screenshot of the documentation)

How do I override the sonar stash correctly ?

fwilhe commented 4 years ago

> The docs just say:

I don't know which documentation you refer to. Also, what you're currently trying to do is not as of now a feature we support. Sorry, but I don't even know what you're trying to do or which pipeline you're using. I can't offer support for that.

T1mey commented 4 years ago

@fwilhe

The Piper docs for the step pipelineStashFilesAfterBuild:

https://sap.github.io/jenkins-library/steps/pipelineStashFilesAfterBuild/

daniel-kurzynski commented 4 years ago

We are currently not using pipelineStashFilesAfterBuild in our pipeline. Furthermore, you would also have to take care of unstashing the files in the SonarQube stage. As an alternative, you could also extend the SonarQube stage and might not have to deal with stashing. However, I am not sure if all required files are there.
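The alternative in the last comment (extend the SonarQube stage so the reports are produced right before the scan, with no stash/unstash round trip) can be written with the same extension contract that fwilhe sketched for the build stage. The block below is an added example written for this page, not code from the issue or from the project. It assumes: the `call(Map params)` / `params.originalStage()` extension contract and the `mavenExecute` signature exactly as used earlier in the thread, a Maven module at `application/pom.xml`, the `owasp/dependency-check` Docker image with the CLI flags `--scan`, `--exclude`, `--format`, `--out`, `--data`, `--project` and `--failOnCVSS`, and the `sonar.dependencyCheck.*ReportPath` properties of the dependency-check SonarQube plugin. Whether the stage's working directory contains all sources at that point (daniel-kurzynski's open question) must be checked on the concrete pipeline.

```groovy
// .pipeline/extensions/sonarQubeScan.groovy
// Added example, not the project's own code. Extension file name = stage name.
void call(Map params) {
    // 1. Maven module: the dependency-check-maven plugin resolves the real
    //    (transitive) dependency tree, which a plain file scan cannot do.
    //    Assumption: params.script is the pipeline script object, as in the
    //    build-stage sketch earlier in this thread.
    mavenExecute(
        script: params.script,
        flags: '--batch-mode',
        pomPath: 'application/pom.xml',
        m2Path: s4SdkGlobals.m2Directory,
        goals: ['dependency-check:aggregate'],
    )

    // 2. Everything else (Node.js front-end etc.): the language-agnostic CLI,
    //    run from the official image so no scanner binary is downloaded inside
    //    the pipeline. Groovy single quotes: $PWD and $JOB_NAME are expanded by
    //    the shell on the agent, not by Groovy.
    //    --data on a named volume keeps the NVD mirror between runs instead of
    //    re-downloading it on every build; --failOnCVSS 7 stops the stage on
    //    high-severity findings before anything is uploaded to SonarQube.
    sh '''
        docker run --rm \\
          -v "$PWD:/src" \\
          -v dependency-check-data:/usr/share/dependency-check/data \\
          owasp/dependency-check:latest \\
          --project "$JOB_NAME" \\
          --scan /src \\
          --exclude "**/node_modules/**" \\
          --format ALL \\
          --out /src/dependency-check-report \\
          --failOnCVSS 7
    '''

    // 3. Now run the unchanged SonarQube stage. The sonar-dependency-check
    //    plugin reads the reports via sonar-project.properties, e.g.
    //      sonar.dependencyCheck.jsonReportPath=dependency-check-report/dependency-check-report.json
    //      sonar.dependencyCheck.htmlReportPath=dependency-check-report/dependency-check-report.html
    //    (paths relative to the scanner's working directory; assumed layout).
    params.originalStage()
}
return this
```

Two caveats a practitioner should keep: pin `owasp/dependency-check` to a version tag or digest rather than `latest` for a reproducible gate, and be aware that `--failOnCVSS` makes the scan a blocking control, so decide explicitly whether the stage should fail the build or only feed SonarQube.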