
Document how to use SonarCloud in place of the self hosted SonarQube Server image #15

Open
WadeBarnes opened this issue Sep 5, 2019 · 13 comments

@WadeBarnes
Member

SonarCloud and SonarQube Server are essentially the same. Project teams that are not bound to using a private instance of SonarQube Server are encouraged to use SonarCloud due to the reduction in administration overhead (upgrades, updates, etc).

Add a section describing the steps a team must take in order to use SonarCloud in place of SonarQube Server.

Recommend placing this section near the top above the SonarQube Server section.

@WadeBarnes
Member Author

@wenzowski, Here you go. @ShellyXueHan, Alec asked me to tag you so the two of you could document the process more completely.

Thanks

@wenzowski
Member

wenzowski commented Sep 10, 2019

Ideally if @ShellyXueHan has time, we can screenshot the process and commit here. However, we still need to confirm if the additional administrative burden of SonarCloud use is acceptable. As a result, I expect to resolve this ticket by either creating docs as requested or by migration of CAS projects away from SonarCloud as it is currently only transitionally deployed.

@ShellyXueHan

@wenzowski just to remind us that a journey (with pros and cons) is also included in the doc.

@ShellyXueHan

Revisiting this ticket, @wenzowski.

@wenzowski
Member

I was thinking of taking this opportunity to give sonarcloud-circleci-orb a spin as well. This will give me a chance to try pulling the CLI directly into a Python/Java base image. If that works well, then we might be able to get away with hosting the various CLI zip file versions on Artifactory and not maintaining a whole bunch of Jenkins slave images.

@wenzowski
Member

(oh yes, we already tried the same approach but using gradle)

@rstens
Collaborator

rstens commented Jan 11, 2020

Just did this. Here are the steps:

  1. Make sure you are a member of bcgov in GitHub
  2. Sign up for SonarCloud with your GitHub account
  3. Add a .sonarcloud.properties file to your project root

Example:

sonar.projectName=ppr

# Path to sources
sonar.sources=ppr-api/src,ppr-ui/src,ims-api/src/main/java
#sonar.exclusions=
#sonar.inclusions=

# Path to tests
sonar.tests=ppr-api/tests,ppr-ui/tests/unit,ims-api/src/test/java
#sonar.test.exclusions=
#sonar.test.inclusions=

# Source encoding
sonar.sourceEncoding=UTF-8

# Exclusions for copy-paste detection
#sonar.cpd.exclusions=

  4. Ask Shelly to add your project(s)
  5. Shelly will add you as the admin for your project (you can change that later)
  6. Then go to https://sonarcloud.io/organizations/bcgov-sonarcloud/projects
  7. Find your project and click on the "Configure analysis" button
  8. Then click on the large "SonarCloud Automatic Analysis" button
  9. You are all set; every PR will automatically be scanned.

If you want to invoke the scan manually, you'll need a sonar cloud token.
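The following pre-commit lint is an added example, not code from the issue or from the sonarqube project: it parses a .sonarcloud.properties file in the Java-properties style shown above, checks that every path listed in sonar.sources and sonar.tests exists relative to the repo root, and rejects any file that sets a Sonar credential property (sonar.login, sonar.token, sonar.password), since the token needed for a manual scan belongs in CI secrets, not in the repository. The repo layout and both property files in demo() are constructed.

```python
from pathlib import Path
import tempfile

# Sonar credential properties; a token belongs in CI secrets, never in the repo.
SECRET_KEYS = {"sonar.login", "sonar.token", "sonar.password"}
# Properties that hold comma-separated paths relative to the repo root.
PATH_KEYS = ("sonar.sources", "sonar.tests")


def parse_properties(text: str) -> dict:
    """Parse key=value lines; blanks and '#'/'!' comment lines are skipped,
    so a commented-out key such as '#sonar.exclusions=' is simply unset."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint(text: str, repo_root: Path) -> list:
    """Return the problems found; an empty list means the file is safe to commit."""
    props = parse_properties(text)
    problems = [f"{k} is set: credentials must not be committed"
                for k in sorted(SECRET_KEYS & props.keys())]
    for key in PATH_KEYS:
        for rel in map(str.strip, props.get(key, "").split(",")):
            if rel and not (repo_root / rel).is_dir():
                problems.append(f"{key}: '{rel}' does not exist")
    return problems


def demo() -> tuple:
    """Constructed repo layout plus a clean and a faulty properties file."""
    good = ("sonar.projectName=ppr\n# Path to sources\nsonar.sources=ppr-api/src\n"
            "sonar.tests=ppr-api/tests\n#sonar.exclusions=\nsonar.sourceEncoding=UTF-8\n")
    bad = ("sonar.projectName=ppr\nsonar.sources=ppr-api/src,ppr-ui/src\n"
           "sonar.login=EXAMPLE-TOKEN-PLACEHOLDER\n")  # constructed placeholder
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("ppr-api/src", "ppr-api/tests"):
            (root / d).mkdir(parents=True)
        return lint(good, root), lint(bad, root)


if __name__ == "__main__":
    for result in demo():
        print(result or "OK: safe to commit")
```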

@wenzowski
Member

Use of a scan image rather than the .sonarcloud.properties file resurfaced yesterday in the discussion of OWASP ZAP organized by @garywong-bc and may benefit from an example integrating the zaproxy-report.xml into sonar-server & sonarcloud (same api)

@WadeBarnes
Member Author

@rstens, @wenzowski, any chance you guys can formalize this documentation in a section or two of the main ReadMe and submit a PR?

rstens added a commit to rstens/sonarqube that referenced this issue Mar 11, 2020
@rstens rstens removed their assignment Mar 11, 2020
@rstens
Collaborator

rstens commented Mar 11, 2020

Done my piece, over to others. See readme.

@WadeBarnes
Member Author

Thanks. Reviewed. Asked @wenzowski if he'd like to add anything.

@wenzowski
Member

commented #21

@wenzowski
Member

wenzowski commented Mar 23, 2020

If ZAP were part of our STRA I think our team would be empowered to put more resources here. As it stands, our STRA requires a manual scan and thus this ticket and the coupled exploration of how a full ZAP scan might meet security needs has been relegated to "nice-to-have" status: possibly valuable in future but not urgent and of minimal impact as we prepare for our first release deadline.

As a result, our team has continued to use the Automatic Analysis feature provided by SonarCloud and has not yet completed exploration of zaproxy-report.xml or line coverage integration. We have yet to hit the point where the Sonar status check on our Quality Gate has blocked merge of a PR, as our pre-commit checks appear to be producing similar static analysis feedback at an earlier stage in our pipeline process.

cc @NickCorcoran
