Difference between revisions of "Sonar + maven configuration + Jenkins"

 
(23 intermediate revisions by the same user not shown)
Line 8: Line 8:
 
=Requirements=
 
=Requirements=
  
 +
* Testing libraries: '''jUnit 4.12 or +''' / optional, for static class mocking: '''Powermock 1.7.x or +'''
 
* Maven must run on '''Java 8 or +'''  
 
* Maven must run on '''Java 8 or +'''  
 
* You must use '''Sonarqube 7.x or +'''
 
* You must use '''Sonarqube 7.x or +'''
 +
* Jenkins must be '''v2.164.1 or +''' (LTS version)
  
  
='''Principle'''=
+
=Principle=
  
 
TODO
 
TODO
Line 18: Line 20:
 
You just have to define the configuration once, in the parent POM.
 
You just have to define the configuration once, in the parent POM.
  
 
+
* Jenkins
 +
** Requirements: plugins / setup
 +
** Job configuration
 
* Maven plugins list
 
* Maven plugins list
 
** Reports generation : unit / integration tests
 
** Reports generation : unit / integration tests
Line 28: Line 32:
  
  
=Maven plugins=
+
='''Maven plugins'''=
  
  
Line 168: Line 172:
 
         <!-- Sonar -->
 
         <!-- Sonar -->
 
         <!-- Tell sonar where to look for the binaries coverage files. Property inherited by submodules -->
 
         <!-- Tell sonar where to look for the binaries coverage files. Property inherited by submodules -->
         <sonar.jacoco.reportPaths>${project.basedir}/../target/jacoco.exec</sonar.jacoco.reportPaths>
+
         <sonar.junit.reportPaths>${project.build.directory}/surefire-reports</sonar.junit.reportPaths>
 +
        <sonar.jacoco.reportPath>${project.build.directory}/jacoco.exec</sonar.jacoco.reportPath>
 +
        <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
 +
        <!-- Integration tests -->
 +
        <sonar.jacoco.itReportPath>${project.build.directory}/jacoco-it.exec</sonar.jacoco.itReportPath>
 
     </properties>
 
     </properties>
  
Line 191: Line 199:
 
                 <configuration>
 
                 <configuration>
 
                     <append>true</append>
 
                     <append>true</append>
 +
                    <!-- Use offline bytecode (with powermock changes) -->
 +
                    <excludes>
 +
                        <exclude>*</exclude>
 +
                    </excludes>
 
                 </configuration>
 
                 </configuration>
 
                 <executions>
 
                 <executions>
 +
                    <!-- Support for PowerMock tests -->
 +
                    <!-- See https://www.igorkromin.net/index.php/2018/03/06/quick-look-at-jacoco-vs-cobertura-performance-and-coverage-results/ -->
 +
                    <execution>
 +
                        <id>jacoco-instrument</id>
 +
                        <goals>
 +
                            <goal>instrument</goal>
 +
                        </goals>
 +
                    </execution>
 +
                    <execution>
 +
                        <id>jacoco-restore-instrumented-classes</id>
 +
                        <goals>
 +
                            <goal>restore-instrumented-classes</goal>
 +
                        </goals>
 +
                    </execution>
 +
 
                     <!-- ## UNIT TESTS ## -->
 
                     <!-- ## UNIT TESTS ## -->
 
                     <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
 
                     <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
Line 251: Line 278:
 
     <properties>
 
     <properties>
 
         <!-- Sonar -->
 
         <!-- Sonar -->
         <!-- Tell sonar where to look for the binaries coverage files. Property inherited by submodules -->
+
         <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
         <sonar.jacoco.reportPaths>${project.basedir}/../target/jacoco.exec</sonar.jacoco.reportPaths>
+
         <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
 +
        <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
 
     </properties>
 
     </properties>
  
Line 264: Line 292:
 
                 <groupId>org.sonarsource.scanner.maven</groupId>
 
                 <groupId>org.sonarsource.scanner.maven</groupId>
 
                 <artifactId>sonar-maven-plugin</artifactId>
 
                 <artifactId>sonar-maven-plugin</artifactId>
 +
                <!-- Do not forget to change version in JenkinsFile as well -->
 
                 <version>3.6.0.1398</version>
 
                 <version>3.6.0.1398</version>
 
             </plugin>
 
             </plugin>
Line 273: Line 302:
  
  
=Maven '''complete POM''' example==
 
  
This is how the '''parent POM''' should look like to use SonarQube with correct coverage:
+
='''Maven complete POM''' example=
 +
 
 +
This is how the '''parent POM''' should look like to use SonarQube with correct coverage in dedicated PROFILE.
 +
 
 +
To execute: <code>mvn clean install -Pquality_control</code>
 +
 
  
<syntaxhighlight lang="XML">
+
<syntaxhighlight lang="xhtml">
  
 
     <properties>
 
     <properties>
Line 284: Line 317:
 
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
         <java.version>1.8</java.version>
 
         <java.version>1.8</java.version>
 
        <!-- Sonar -->
 
        <!-- Tell sonar where to look for the binaries coverage files. Property inherited by submodules -->
 
        <sonar.jacoco.reportPaths>${project.basedir}/../target/jacoco.exec</sonar.jacoco.reportPaths>
 
 
     </properties>
 
     </properties>
  
 +
    <dependencies>
 +
        ... 
 +
        <!-- jUnit -->
 +
        <dependency>
 +
            <groupId>junit</groupId>
 +
            <artifactId>junit</artifactId>
 +
            <version>${junit.version}</version>
 +
            <scope>test</scope>
 +
        </dependency>     
 +
    </dependencies>
  
     <build>
+
     <profiles>
         <plugins>
+
         <profile>
             <!-- Build settings -->
+
            <id>quality_control</id>
            <plugin>
+
             <activation>
                 <groupId>org.apache.maven.plugins</groupId>
+
                <activeByDefault>true</activeByDefault>
                 <artifactId>maven-compiler-plugin</artifactId>
+
            </activation>
                 <version>3.3</version>
+
            <properties>
                 <configuration>
+
                <!-- SonarQube and Jacoco tests reports -->
                    <source>${java.version}</source>
+
                <surefire.version>2.22.2</surefire.version>
                    <target>${java.version}</target>
+
                <jacoco.version>0.8.3</jacoco.version>
                 </configuration>
+
                <!-- Sonar global configuration -->
             </plugin>
+
                <sonar.language>java</sonar.language>
 +
                <sonar.sourceEncoding>${project.reporting.outputEncoding}</sonar.sourceEncoding>
 +
                 <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
 +
                <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
 +
                 <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
 +
                <!-- Dependencies checks (OWASP) reports -->
 +
                 <!-- sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath -->
 +
                <!-- Tell sonar where to look for the UNIT coverage files. Property inherited by submodules -->
 +
                 <sonar.junit.reportPaths>${project.build.directory}/surefire-reports</sonar.junit.reportPaths>
 +
                <sonar.jacoco.reportPath>${project.build.directory}/jacoco.exec</sonar.jacoco.reportPath>
 +
                <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
 +
                 <!-- Integration tests -->
 +
                <sonar.jacoco.itReportPath>${project.build.directory}/jacoco-it.exec</sonar.jacoco.itReportPath>
 +
             </properties>
  
             <!-- Always generate the source, it is better for debugging -->
+
             <!-- To generate units and integrations test reports -->
            <plugin>
+
            <build>
                <groupId>org.apache.maven.plugins</groupId>
+
                <plugins>
                <artifactId>maven-source-plugin</artifactId>
+
                    <!-- To run UNIT tests and generate execution reports. These reports are required for SonarQube -->
                <version>3.0.1</version>
+
                    <plugin>
                <executions>
+
                        <groupId>org.apache.maven.plugins</groupId>
                    <execution>
+
                        <artifactId>maven-surefire-plugin</artifactId>
                        <id>attach-sources</id>
+
                        <version>${surefire.version}</version>
                        <goals>
+
                        <configuration>
                            <goal>jar-no-fork</goal>
+
                            <excludes>
                        </goals>
+
                                <exclude>**/*TestAPI</exclude>
                    </execution>
+
                                <exclude>**/*IntegrationTest</exclude>
                    <execution>
+
                             </excludes>
                        <id>attach-test-sources</id>
+
                         </configuration>
                        <goals>
+
                     </plugin>
                             <goal>test-jar-no-fork</goal>
 
                         </goals>
 
                     </execution>
 
                </executions>
 
            </plugin>
 
  
            <!-- To run UNIT tests and generate execution reports. These reports are required for SonarQube -->
+
                    <!-- To run INTEGRATION tests and generate execution reports. These reports are required for SonarQube -->
            <plugin>
+
                    <plugin>
                <groupId>org.apache.maven.plugins</groupId>
+
                        <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
+
                        <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.22.1</version>
+
                        <version>${surefire.version}</version>
                <configuration>
+
                        <configuration>
                    <excludes>
+
                            <includes>
                        <exclude>**/*TestAPI</exclude>
+
                                <include>**/*TestAPI</include>
                        <exclude>**/*IntegrationTest</exclude>
+
                                <include>**/*IntegrationTest</include>
                    </excludes>
+
                            </includes>
                </configuration>
+
                        </configuration>
            </plugin>
+
                        <executions>
 +
                            <execution>
 +
                                <id>default-integration-test</id>
 +
                                <goals>
 +
                                    <goal>integration-test</goal>
 +
                                </goals>
 +
                            </execution>
 +
                        </executions>
 +
                    </plugin>
  
            <!-- To run INTEGRATION tests and generate execution reports. These reports are required for SonarQube -->
+
                     <!-- JACOCO test coverage plugin.
            <plugin>
+
                        Use it to compile SUREFIRE (unit tests) and FAILSAFE (integration tests) reports for SonarQube
                <groupId>org.apache.maven.plugins</groupId>
+
                        (i) attach that plugin to Maven TEST phase
                <artifactId>maven-failsafe-plugin</artifactId>
+
                        Reports are generated in "${project.build.directory}/site/jacoco/*" by default
                <version>2.22.1</version>
+
                        Good documentations:
                <configuration>
+
                            https://wiki.onap.org/display/DW/Implementing+Code+Coverage
                     <includes>
+
                            https://www.devcon5.ch/en/blog/2015/05/29/multi-module-integration-test-coverage-sonar-jacoco/
                        <include>**/*TestAPI</include>
+
                            https://www.eclemma.org/jacoco/trunk/doc/maven.html
                        <include>**/*IntegrationTest</include>
+
                        -->
                    </includes>
+
                    <plugin>
                </configuration>
+
                        <groupId>org.jacoco</groupId>
                <executions>
+
                        <artifactId>jacoco-maven-plugin</artifactId>
                    <execution>
+
                        <version>${jacoco.version}</version>
                        <id>default-integration-test</id>
 
                        <goals>
 
                            <goal>integration-test</goal>
 
                        </goals>
 
                    </execution>
 
                </executions>
 
            </plugin>
 
 
 
            <!-- JACOCO test coverage plugin.
 
                Use it to compile SUREFIRE (unit tests) and FAILSAFE (integration tests) reports for SonarQube
 
                (i) attach that plugin to Maven TEST phase
 
                Reports are generated in "${project.build.directory}/site/jacoco/*" by default
 
                Good documentations:
 
                    https://wiki.onap.org/display/DW/Implementing+Code+Coverage
 
                    https://www.devcon5.ch/en/blog/2015/05/29/multi-module-integration-test-coverage-sonar-jacoco/
 
                    https://www.eclemma.org/jacoco/trunk/doc/maven.html
 
                -->
 
            <plugin>
 
                <groupId>org.jacoco</groupId>
 
                <artifactId>jacoco-maven-plugin</artifactId>
 
                <version>0.8.3</version>
 
                <configuration>
 
                    <append>true</append>
 
                </configuration>
 
                <executions>
 
                    <!-- ## UNIT TESTS ## -->
 
                    <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
 
                    <execution>
 
                        <id>pre-unit-tests</id>
 
                        <goals>
 
                            <goal>prepare-agent</goal>
 
                        </goals>
 
                    </execution>
 
                    <!-- Create reports -->
 
                    <execution>
 
                        <id>report-unit-tests</id>
 
                        <goals>
 
                            <goal>report</goal>
 
                        </goals>
 
                    </execution>
 
                    <!-- ## INTEGRATION TESTS ## -->
 
                    <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven FAILSAFE plugin is executed. -->
 
                    <execution>
 
                        <id>pre-integration-tests</id>
 
                        <goals>
 
                            <goal>prepare-agent-integration</goal>
 
                        </goals>
 
 
                         <configuration>
 
                         <configuration>
                            <!-- Only 1 destination file to aggregate ALL integration tests reports -->
 
                            <!-- the "session.executionRootDirectory" = parent folder that is being build by Jenkins -->
 
                            <destFile>${session.executionRootDirectory}/target/jacoco-it.exec</destFile>
 
 
                             <append>true</append>
 
                             <append>true</append>
 +
                            <!-- Use offline bytecode (with powermock changes) -->
 +
                            <excludes>
 +
                                <exclude>*</exclude>
 +
                            </excludes>
 
                         </configuration>
 
                         </configuration>
                    </execution>
+
                        <executions>
                    <!-- Create reports -->
+
                            <!-- Support for PowerMock tests -->
                    <execution>
+
                            <!-- See https://www.igorkromin.net/index.php/2018/03/06/quick-look-at-jacoco-vs-cobertura-performance-and-coverage-results/ -->
                        <id>report-integration-tests</id>
+
                            <execution>
                        <goals>
+
                                <id>jacoco-instrument</id>
                             <goal>report-integration</goal>
+
                                <goals>
                         </goals>
+
                                    <goal>instrument</goal>
                     </execution>
+
                                </goals>
                 </executions>
+
                            </execution>
             </plugin>
+
                            <execution>
 +
                                <id>jacoco-restore-instrumented-classes</id>
 +
                                <goals>
 +
                                    <goal>restore-instrumented-classes</goal>
 +
                                </goals>
 +
                            </execution>
 +
                            <!-- ## UNIT TESTS ## -->
 +
                            <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
 +
                            <execution>
 +
                                <id>pre-unit-tests</id>
 +
                                <goals>
 +
                                    <goal>prepare-agent</goal>
 +
                                </goals>
 +
                            </execution>
 +
                            <!-- Create reports -->
 +
                            <execution>
 +
                                <id>report-unit-tests</id>
 +
                                <goals>
 +
                                    <goal>report</goal>
 +
                                </goals>
 +
                            </execution>
 +
                            <!-- ## INTEGRATION TESTS ## -->
 +
                            <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven FAILSAFE plugin is executed. -->
 +
                            <execution>
 +
                                <id>pre-integration-tests</id>
 +
                                <goals>
 +
                                    <goal>prepare-agent-integration</goal>
 +
                                </goals>
 +
                             </execution>
 +
                            <!-- Create reports -->
 +
                            <execution>
 +
                                <id>report-integration-tests</id>
 +
                                <goals>
 +
                                    <goal>report-integration</goal>
 +
                                </goals>
 +
                            </execution>
 +
                            <!-- ## MERGE ALL TESTS reports ## -->
 +
                            <execution>
 +
                                <id>merge</id>
 +
                                <goals>
 +
                                    <goal>merge</goal>
 +
                                </goals>
 +
                                <configuration>
 +
                                    <!-- Only 1 destination file to aggregate ALL integration tests reports -->
 +
                                    <!-- the "session.executionRootDirectory" = parent folder that is being build by Jenkins -->
 +
                                    <destFile>${session.executionRootDirectory}/target/jacoco-it.exec</destFile>
 +
                                    <fileSets>
 +
                                        <fileSet implementation="org.apache.maven.shared.model.fileset.FileSet">
 +
                                            <directory>${project.build.directory}</directory>
 +
                                            <includes>
 +
                                                <include>**/*.exec</include>
 +
                                            </includes>
 +
                                        </fileSet>
 +
                                    </fileSets>
 +
                                </configuration>
 +
                            </execution>
 +
                        </executions>
 +
                    </plugin>
 +
 
 +
                    <!-- SonarQube engine -->
 +
                    <plugin>
 +
                         <groupId>org.sonarsource.scanner.maven</groupId>
 +
                        <artifactId>sonar-maven-plugin</artifactId>
 +
                        <!-- Do not forget to change version in JenkinsFile as well -->
 +
                        <version>3.6.0.1398</version>
 +
                     </plugin>
 +
                 </plugins>
 +
             </build>
 +
        </profile>
 +
 
 +
 
 +
 
 +
</syntaxhighlight>
 +
 
 +
='''Jenkins'''=
 +
 
 +
 
 +
==Jenkins plugins==
 +
 
 +
 
 +
To work with SonarQube, Jenkins requires the following plugins to be installed and enabled:
 +
* Maven Integration plugin
 +
* SonarQube scanner for Jenkins. See [https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins SonarQube documentation]
 +
 
 +
 
 +
Actions:
 +
* Log into Jenkins as an administrator
 +
* Go to '''Manage Jenkin''' > '''Manage plugins'''
 +
 
 +
 
 +
 
 +
[[File:Jenkins settings plugins 2.PNG|1024px|Jenkins settings # Maven Integration plugin]]
 +
 
 +
[[File:Jenkins settings plugins 1.PNG|1024px|Jenkins settings # SonarQube scanner for Jenkins]]
 +
 
 +
 
 +
 
 +
 
 +
==Global configuration==
 +
 
 +
* Log into Jenkins as an administrator
 +
* Go to '''Manage Jenkins''' > '''Configure System'''
 +
* Scroll to the '''SonarQube servers section'''
 +
* Check ''Enable injection of SonarQube server configuration as build environment variables''
 +
 
 +
 
 +
[[File:Jenkins settings global.PNG|1024px|Jenkins Global configuration # SonarQube]]
 +
 
 +
 
 +
 
 +
 
 +
==Job configuration==
 +
 
 +
Now that you can generate these reports, especially the integration tests results, you need to configure Jenkins to use them!
 +
 
 +
 
 +
===Maven build (legacy)===
 +
 
 +
This explain how to configure a '''Maven build''' (legacy) with SonarQube Runner.
 +
 
 +
 
 +
In the '''Build Environment''' section > check ''Prepare SonarQube Scanner environment''
 +
 
 +
[[File:Jenkins_build_maven_1.PNG|770px|Jenkins Build configuration #1]]
 +
 
 +
 
 +
 
 +
Then, set the '''Build''' command line:
 +
 
 +
[[File:Jenkins_build_maven_2.PNG|1024px|Jenkins Build configuration #2]]
 +
 
 +
 
 +
Adjust the SonarQube server URL + path to integration tests reports!
 +
 
 +
* Maven build: <code>clean install</code> or <code>clean deploy</code>
 +
* Use SonarQube
 +
** Enable plugin: <code>$SONAR_MAVEN_GOAL</code>
 +
** Set SonarQube server URL: <code>-Dsonar.host.url=http://localhost:9000/sonarqube</code>
 +
** Give path of Integration tests: <code>-Dsonar.jacoco.itReportPath=/var/lib/jenkins/workspace/Flow.e.r.s/target/jacoco-it.exec</code>
 +
 
 +
 
 +
 
 +
 
 +
=JenkinsFile (Pipelines)=
 +
 
 +
'''Requirements''': have a local SonarQube instance configured in Jenkins, called "''sonarqube''"
 +
 
 +
<syntaxhighlight lang="groovy">
 +
pipeline {
 +
 
 +
    parameters {
 +
        booleanParam(defaultValue: false, description: 'Enable quality control', name: 'qualityControlEnabled')
 +
        booleanParam(defaultValue: false, description: 'Enable Maven dependencies checks (missing declaration / unused libraries / etc.)', name: 'mvnDependenciesChecksEnabled')
 +
        booleanParam(defaultValue: false, description: 'Enable OWASP checks (search for known vulnerabilities in libraries)', name: 'owaspChecksEnabled')
 +
    }
 +
 
 +
 
 +
    stages {
 +
        stage('Checkout') {
 +
            steps {
 +
                checkout scm
 +
            }
 +
        }
 +
 
 +
        stage('MVN dependencies checks') {
 +
            when {
 +
                expression { params.mvnDependenciesChecksEnabled }
 +
            }
 +
            steps {
 +
                withMaven(
 +
                        maven: 'Maven 3.5.2',
 +
                        mavenLocalRepo: '.repository'
 +
                ) {
 +
                    echo "MVN dependencies checks [unused / missing / bad scope / etc.]"
 +
                    sh "mvn org.apache.maven.plugins:maven-dependency-plugin:analyze-report"
 +
                }
 +
            }
 +
        }
 +
 
 +
        stage('OWASP vulnerabilities checks') {
 +
            when {
 +
                expression { params.owaspChecksEnabled }
 +
            }
 +
            steps {
 +
                withMaven(
 +
                        maven: 'Maven 3.5.2',
 +
                        mavenLocalRepo: '.repository'
 +
                ) {
 +
                    echo "OWASP vulnerabilities checks [lib. with security issue(s)]"
 +
                    sh "mvn org.owasp:dependency-check-maven:check"
 +
                    // sh "mvn org.owasp:dependency-check-maven:aggregate"
 +
 
 +
                    // Publish report in Jenkins
 +
                    dependencyCheckPublisher failedTotalHigh: '0', unstableTotalHigh: '1', failedTotalNormal: '2', unstableTotalNormal: '5'
 +
                }
 +
            }
 +
        }
 +
 
 +
        stage('Build') {
 +
            /*
 +
            when {
 +
                //  optional: my condition(s)
 +
            }
 +
            */
 +
            steps {
 +
                withMaven(
 +
                        maven: 'Maven 3.5.2',
 +
                        mavenLocalRepo: '.repository'
 +
                ){
 +
                    script {
 +
                        if (params.qualityControlEnabled) {
 +
                            // On human request only
 +
                            echo "Building with QUALITY controls from ${BRANCH_NAME} ..."
 +
                            sh "mvn clean install -Pquality_control"
 +
                        } else {
 +
                            // Default case - for automatic builds
 +
                            echo "Standard build"
 +
                            sh "mvn clean install"
 +
                        }
 +
                    }
 +
                }
 +
            }
 +
        }
  
             <!-- SonarQube engine -->
+
        stage('SonarQube') {
            <plugin>
+
            when {
                <groupId>org.sonarsource.scanner.maven</groupId>
+
                expression { params.qualityControlEnabled }
                <artifactId>sonar-maven-plugin</artifactId>
+
            }
                <version>3.6.0.1398</version>
+
             steps {
             </plugin>
+
                withMaven(
         </plugins>
+
                        maven: 'Maven 3.5.2',
     </build>
+
                        mavenLocalRepo: '.repository'
 +
                ){
 +
                    withSonarQubeEnv('sonarqube') {
 +
                        echo "Static code analysis with SonarQube runner"
 +
                        // TODO ensure the version of the plugin matches the one in the PARENT pom
 +
                        sh "mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar -Dsonar.projectName=\"my_project ($BRANCH_NAME)\" -Dsonar.projectKey=my_project:$BRANCH_NAME -Pquality_control"
 +
                    }
 +
                }
 +
             }
 +
         }
 +
     }
  
     <dependencies>
+
     post {
         ...
+
         always {
 
+
            echo 'Cleaning workspace'
        <!-- jUnit -->
+
            deleteDir()
         <dependency>
+
         }
            <groupId>junit</groupId>
+
     }
            <artifactId>junit</artifactId>
 
            <version>${junit.version}</version>
 
            <scope>test</scope>
 
        </dependency>     
 
     </dependencies>
 
  
 
</syntaxhighlight>
 
</syntaxhighlight>
Line 440: Line 676:
  
  
 +
See [https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins#AnalyzingwithSonarQubeScannerforJenkins-AnalyzinginaJenkinspipeline SonarQube documentation]
 +
 +
='''SonarQube'''=
 +
 +
 +
By default there will be '''1 sonarqube''' entry for every Jenkins '''artifactId'' that is build (parent name).
 +
 +
 +
==How to see the code coverage by module?==
 +
 +
To have a quick glance of the project's modules:
 +
 +
* SonarQube > project > '''Code'''
 +
 +
[[File:Sonarqube results 2.PNG|1024px|SonarQube view results #1]]
 +
 +
 +
* SonarQube > project > '''Measures''' > ''Expand'' '''coverage'' > '''Conditions coverage'''
 +
 +
[[File:Sonarqube results 1.PNG|1024px|SonarQube view results #2]]
 +
 +
 +
 +
==How to see measures by module?==
 +
 +
By default SonarQube display measures for all the project's modules. This is sometimes not convenient... The old "code" dashboard has been removed, but you can still see the measure by sub-module with a little trick.
 +
 +
 +
1. Select a module to analyze from the "code" menu
 +
 +
[[File:Sonarqube module selection 1.PNG|1024px|SonarQube select module, step 1]]
 +
 +
 +
2. Notice the SonarQube URL and the selection parameter
 +
 +
[[File:Sonarqube module selection 2.PNG|800px|SonarQube select module, step 2]]
 +
 +
 +
3. Copy that <code>&selected=..</code> parameter
 +
 +
 +
4. Parse the value on the measures page
 +
 +
[[File:Sonarqube module selection 3.PNG|925px|SonarQube select module, step 3]]
 +
 +
 +
5. All good! You can browse the measures for that particular module.
 +
 +
 +
 +
==SonarQube plugins==
 +
 +
Go to SonarQube > Administration > Marketplace > "All"
 +
 +
 +
I advised you to install:
 +
* Code smells
 +
* FindBugs
 +
* Git
 +
* JaCoCo (mandatory)
 +
* PMD
 +
 +
 +
 +
=How to disable rule(s) in SonarQube=
 +
 +
(i) This operation is only for logged user with administrators rights.
 +
 +
 +
==Quality profile==
 +
 +
First of all you have to create a custom quality profile.
 +
* Go to '''Quality profiles'''
 +
* Click on the '''wheel''' of the quality profile you'd like to adjust > '''copy'''
 +
* Name the new profile > Click on the '''wheel''' top right > '''set as default'''
 +
 +
 +
[[File:Create quality profile.png|750px|SonarQube # create quality profile]]
  
  
  
='''Jenkins''' configuration=
+
==Disable / Enable rule for quality profile==
  
Now that you can generate these reports, especially the integration results, you need to configure Jenkins to use them!
+
* Go to '''Rules'''
 +
* Search for the rule you want to modify
 +
* Click on the rule name
  
[[File:SonarQube jenkins configuration.png|900px|Jenkins SonarQube configuration]]  
+
[[File:Disable rule 1.PNG|1024px|SonarQube # disable rule screen 1]]  
  
 +
* Scroll down to the quality profile view
 +
* Disable rule for particular quality profile(s)
  
To set up the Sonar Jenkins plugin to process already generated JaCoCo data files, the following properties must be specified in the "Additional properties" text box, under the Sonar installation being configured:
+
[[File:Disable rule 2.PNG|1024px|SonarQube # disable rule screen 2]]
  
* <code>-Dsonar.dynamicAnalysis=reuseReports</code> ==> Tells SonarQube to reuse existing reports for unit tests execution and coverage reports
 
* <code>-Dsonar.jacoco.itReportPath=${ABSOLUTE_PATH_TO_JENKINS}/workspace/${JENKINS_JOB}/target/reports/jacoco-it.exec</code> => integration tests report to process
 
  
  
  
 +
=Other=
  
 +
==jUnit tests ordering==
  
===Java===
+
Since jUnit 4.11 you can set the order of your tests. '''If you have to use that it means something is probably wrong with your tests design'''!
  
Since jUnit 4.11 you can set the order of your tests.
 
  
 
* Set order to the Class level: https://github.com/junit-team/junit/wiki/Test-execution-order
 
* Set order to the Class level: https://github.com/junit-team/junit/wiki/Test-execution-order
* Set custom order: http://memorynotfound.com/run-junit-tests-method-order/  
+
* Set custom order: http://memorynotfound.com/run-junit-tests-method-order/
 +
 
  
  
Line 470: Line 788:
 
=References=
 
=References=
  
This article is based on my daily work in VEHCO + European Parliament.
+
This article is based on my daily work in VEHCO + European Parliament + LuxTrust.
 +
 
 +
This article is based on a lot of research and code browsing. Following articles are very good:
 +
* [https://wiki.onap.org/display/DW/Implementing+Code+Coverage ONAP wiki: how to setup code coverage for a lot of languages: including java, python & javascript]
 +
* [https://www.devcon5.ch/en/blog/2015/05/29/multi-module-integration-test-coverage-sonar-jacoco/ Multi module integration test coverage with Sonar and Jacoco]
 +
* [https://www.eclemma.org/jacoco/trunk/doc/maven.html Jacoco official documentation]
 +
 
 +
PowerMock support
 +
* [https://www.igorkromin.net/index.php/2018/02/20/jacoco-reports-missing-code-coverage-for-tests-using-powermock/ How to include PowerMock tests coverage into JaCoCo]
 +
* [https://snmaddula.github.io/tuning-jacoco-for-powermock/ PowerMock with Jacoco]
 +
 
  
To update to SonarQube I used the following articles and code examples:
+
Other article that are relevant for older versions of Sonar (versions < 6.x with Java 7)
* http://www.aheritier.net/maven-failsafe-sonar-and-jacoco-are-in-a-boat/
 
* VERY good GitHub example, provided by the same author: https://github.com/dgageot/coverage
 
 
* http://stackoverflow.com/questions/26253277/jacoco-agent-for-integration-tests-on-remote-machine
 
* http://stackoverflow.com/questions/26253277/jacoco-agent-for-integration-tests-on-remote-machine
 
* Nice tutorial: https://www.petrikainulainen.net/programming/maven/creating-code-coverage-reports-for-unit-and-integration-tests-with-the-jacoco-maven-plugin/
 
* Nice tutorial: https://www.petrikainulainen.net/programming/maven/creating-code-coverage-reports-for-unit-and-integration-tests-with-the-jacoco-maven-plugin/
 
Jenkins configuration:
 
* http://blog.ccbill.com/2014/07/code-coverage-with-surefire-and-jacoco.html
 
 
StackOverflow
 
* http://stackoverflow.com/questions/31388856/jacoco-reports-path-not-found-by-sonar-runner
 

Latest revision as of 08:18, 22 May 2019


This article explains how to configure your maven projects to produce reports + how to configure Jenkins with SonarQube, bringing both Unit and Integration tests coverage.


Requirements

  • Testing libraries: jUnit 4.12 or + / optional, for static class mocking: Powermock 1.7.x or +
  • Maven must run on Java 8 or +
  • You must use Sonarqube 7.x or +
  • Jenkins must be v2.164.1 or + (LTS version)


Principle

TODO

You just have to define the configuration once, in the parent POM.

  • Jenkins
    • Requirements: plugins / setup
    • Job configuration
  • Maven plugins list
    • Reports generation : unit / integration tests
    • Jacoco binaries : many unit tests "jacoco.exec" / 1 single aggregation for "jacoco-it.exec"
    • SonarQube plugin
  • Jenkins usage



Maven plugins

Surefire UNIT Tests

Surefire is for UNIT tests = tests that should only use: plain java / Mockito / PowerMock / etc.


By default, the Surefire Plugin will automatically include all test classes with the following wildcard patterns:

  • **/Test*.java - includes all of its subdirectories and all Java filenames that start with "Test".
  • **/*Test.java - includes all of its subdirectories and all Java filenames that end with "Test".
  • **/*Tests.java - includes all of its subdirectories and all Java filenames that end with "Tests".
  • **/*TestCase.java - includes all of its subdirectories and all Java filenames that end with "TestCase".

If the test classes do not follow any of these naming conventions, then configure Surefire Plugin and specify the tests you want to include.

See Maven Surefire plugin documentation


(i) It is safer to exclude the integration tests patterns as well, depending on your own development setup:

  • **/*TestAPI.java
  • **/*IntegrationTest.java


Results are saved in each Maven module, in XML and TXT formats: $module/target/surefire-reports/*


    <properties>
        <!-- Set the reporting settings -->
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    </properties>


    <build>
        <plugins>
            <!-- To run UNIT tests and generate execution reports. These reports are required for SonarQube -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.1</version>
                <configuration>
                    <excludes>
                        <exclude>**/*TestAPI</exclude>
                        <exclude>**/*IntegrationTest</exclude>
                    </excludes>
                </configuration>
            </plugin>

            ...
        </plugins>
    </build>



Failsafe INTEGRATION tests

Failsafe will process the Integration Tests = tests that should use Spring test / black box tests / etc.


By default, the Failsafe Plugin will automatically include all test classes with the following wildcard patterns:

  • **/IT*.java - includes all of its subdirectories and all Java filenames that start with "IT".
  • **/*IT.java - includes all of its subdirectories and all Java filenames that end with "IT".
  • **/*ITCase.java - includes all of its subdirectories and all Java filenames that end with "ITCase".

If the test classes do not follow any of these naming conventions, then configure Failsafe Plugin and specify the tests you want to include.


Results are saved in each Maven module:

  • Results are saved in XML and TXT formats in $module/target/failsafe-reports/*
  • Results are saved in BINARY (jacoco format) in $module/target/jacoco-it.exec


Notes:

  • No tests will be run if mvn clean install -DskipIntegrationTests
  • The exclusion | inclusion list is something that depends on your own situation


    <properties>
        <!-- Set the reporting settings -->
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    </properties>


    <build>
        <plugins>

            <!-- To run INTEGRATION tests and generate execution reports. These reports are required for SonarQube -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.22.1</version>
                <configuration>
                    <includes>
                        <include>**/*TestAPI</include>
                        <include>**/*IntegrationTest</include>
                    </includes>
                </configuration>
                <executions>
                    <execution>
                        <id>default-integration-test</id>
                        <goals>
                            <goal>integration-test</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

            ...
        </plugins>
    </build>



Jacoco code coverage

Jacoco is a plugin that will:

  1. Parse SUREFIRE and FAILSAFE results
  2. Extract and generate code coverage reports (XML format)
  3. Convert the XML into binaries (*.exec) for SonarQube


Jacoco will generate the following binaries reports:

  • 1 unit test report per project, for every module: $parent/$module/target/jacoco.exec
  • 1 centralized integration test report: $parent/target/jacoco-it.exec


    <properties>
        <!-- Project configuration -->
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <!-- Sonar -->
        <!-- Tell sonar where to look for the binaries coverage files. Property inherited by submodules -->
        <sonar.junit.reportPaths>${project.build.directory}/surefire-reports</sonar.junit.reportPaths>
        <sonar.jacoco.reportPath>${project.build.directory}/jacoco.exec</sonar.jacoco.reportPath>
        <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
        <!-- Integration tests -->
        <sonar.jacoco.itReportPath>${project.build.directory}/jacoco-it.exec</sonar.jacoco.itReportPath>
    </properties>


    <build>
        <plugins>
            ... 

            <!-- JACOCO test coverage plugin.
                 Use it to compile SUREFIRE (unit tests) and FAILSAFE (integration tests) reports for SonarQube
                 (i) attach that plugin to Maven TEST phase
                 Reports are generated in "${project.build.directory}/site/jacoco/*" by default
                 Good documentations:
                    https://wiki.onap.org/display/DW/Implementing+Code+Coverage
                    https://www.devcon5.ch/en/blog/2015/05/29/multi-module-integration-test-coverage-sonar-jacoco/
                    https://www.eclemma.org/jacoco/trunk/doc/maven.html
                 -->
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>0.8.3</version>
                <configuration>
                    <append>true</append>
                    <!-- Use offline bytecode (with powermock changes) -->
                    <excludes>
                        <exclude>*</exclude>
                    </excludes>
                </configuration>
                <executions>
                    <!-- Support for PowerMock tests -->
                    <!-- See https://www.igorkromin.net/index.php/2018/03/06/quick-look-at-jacoco-vs-cobertura-performance-and-coverage-results/ -->
                    <execution>
                        <id>jacoco-instrument</id>
                        <goals>
                            <goal>instrument</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>jacoco-restore-instrumented-classes</id>
                        <goals>
                            <goal>restore-instrumented-classes</goal>
                        </goals>
                    </execution>

                    <!-- ## UNIT TESTS ## -->
                    <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
                    <execution>
                        <id>pre-unit-tests</id>
                        <goals>
                            <goal>prepare-agent</goal>
                        </goals>
                    </execution>
                    <!-- Create reports -->
                    <execution>
                        <id>report-unit-tests</id>
                        <goals>
                            <goal>report</goal>
                        </goals>
                    </execution>
                    <!-- ## INTEGRATION TESTS ## -->
                    <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven FAILSAFE plugin is executed. -->
                    <execution>
                        <id>pre-integration-tests</id>
                        <goals>
                            <goal>prepare-agent-integration</goal>
                        </goals>
                        <configuration>
                            <!-- Only 1 destination file to aggregate ALL integration tests reports -->
                            <!-- the "session.executionRootDirectory" = parent folder that is being build by Jenkins -->
                            <destFile>${session.executionRootDirectory}/target/jacoco-it.exec</destFile>
                            <append>true</append>
                        </configuration>
                    </execution>
                    <!-- Create reports -->
                    <execution>
                        <id>report-integration-tests</id>
                        <goals>
                            <goal>report-integration</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

        </plugins>
    </build>



SonarQube plugin

SonarQube released a maven plugin to work with SONAR. This plugin already includes most of the configuration and default behavior is correct.

  • Sonar will read Jacoco "exec" binaries files
  • Sonar will process the Surefire & Failsafe reports


    <properties>
        <!-- Sonar -->
        <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
        <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
        <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
    </properties>


    <build>
        <plugins>
            ..

            <!-- SonarQube engine -->
            <plugin>
                <groupId>org.sonarsource.scanner.maven</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <!-- Do not forget to change version in JenkinsFile as well -->
                <version>3.6.0.1398</version>
            </plugin>
        </plugins>
    </build>



Maven complete POM example

This is how the parent POM should look like to use SonarQube with correct coverage in dedicated PROFILE.

To execute: mvn clean install -Pquality_control


    <properties>
        <!-- Project configuration -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        ...  
        <!-- jUnit -->
        <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
             <version>${junit.version}</version>
             <scope>test</scope>
        </dependency>      
    </dependencies>

    <profiles>
        <profile>
            <id>quality_control</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <!-- SonarQube and Jacoco tests reports -->
                <surefire.version>2.22.2</surefire.version>
                <jacoco.version>0.8.3</jacoco.version>
                <!-- Sonar global configuration -->
                <sonar.language>java</sonar.language>
                <sonar.sourceEncoding>${project.reporting.outputEncoding}</sonar.sourceEncoding>
                <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
                <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
                <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
                <!-- Dependencies checks (OWASP) reports -->
                <!-- sonar.dependencyCheck.reportPath>${project.build.directory}/dependency-check-report.xml</sonar.dependencyCheck.reportPath -->
                <!-- Tell sonar where to look for the UNIT coverage files. Property inherited by submodules -->
                <sonar.junit.reportPaths>${project.build.directory}/surefire-reports</sonar.junit.reportPaths>
                <sonar.jacoco.reportPath>${project.build.directory}/jacoco.exec</sonar.jacoco.reportPath>
                <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
                <!-- Integration tests -->
                <sonar.jacoco.itReportPath>${project.build.directory}/jacoco-it.exec</sonar.jacoco.itReportPath>
            </properties>

            <!-- To generate units and integrations test reports -->
            <build>
                <plugins>
                    <!-- To run UNIT tests and generate execution reports. These reports are required for SonarQube -->
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>${surefire.version}</version>
                        <configuration>
                            <excludes>
                                <exclude>**/*TestAPI</exclude>
                                <exclude>**/*IntegrationTest</exclude>
                            </excludes>
                        </configuration>
                    </plugin>

                    <!-- To run INTEGRATION tests and generate execution reports. These reports are required for SonarQube -->
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
                        <version>${surefire.version}</version>
                        <configuration>
                            <includes>
                                <include>**/*TestAPI</include>
                                <include>**/*IntegrationTest</include>
                            </includes>
                        </configuration>
                        <executions>
                            <execution>
                                <id>default-integration-test</id>
                                <goals>
                                    <goal>integration-test</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>

                    <!-- JACOCO test coverage plugin.
                         Use it to compile SUREFIRE (unit tests) and FAILSAFE (integration tests) reports for SonarQube
                         (i) attach that plugin to Maven TEST phase
                         Reports are generated in "${project.build.directory}/site/jacoco/*" by default
                         Good documentations:
                            https://wiki.onap.org/display/DW/Implementing+Code+Coverage
                            https://www.devcon5.ch/en/blog/2015/05/29/multi-module-integration-test-coverage-sonar-jacoco/
                            https://www.eclemma.org/jacoco/trunk/doc/maven.html
                         -->
                    <plugin>
                        <groupId>org.jacoco</groupId>
                        <artifactId>jacoco-maven-plugin</artifactId>
                        <version>${jacoco.version}</version>
                        <configuration>
                            <append>true</append>
                            <!-- Use offline bytecode (with powermock changes) -->
                            <excludes>
                                <exclude>*</exclude>
                            </excludes>
                        </configuration>
                        <executions>
                            <!-- Support for PowerMock tests -->
                            <!-- See https://www.igorkromin.net/index.php/2018/03/06/quick-look-at-jacoco-vs-cobertura-performance-and-coverage-results/ -->
                            <execution>
                                <id>jacoco-instrument</id>
                                <goals>
                                    <goal>instrument</goal>
                                </goals>
                            </execution>
                            <execution>
                                <id>jacoco-restore-instrumented-classes</id>
                                <goals>
                                    <goal>restore-instrumented-classes</goal>
                                </goals>
                            </execution>
                            <!-- ## UNIT TESTS ## -->
                            <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven SUREFIRE plugin is executed. -->
                            <execution>
                                <id>pre-unit-tests</id>
                                <goals>
                                    <goal>prepare-agent</goal>
                                </goals>
                            </execution>
                            <!-- Create reports -->
                            <execution>
                                <id>report-unit-tests</id>
                                <goals>
                                    <goal>report</goal>
                                </goals>
                            </execution>
                            <!-- ## INTEGRATION TESTS ## -->
                            <!-- Configure JaCoCo runtime agent. It is passed as VM argument when Maven FAILSAFE plugin is executed. -->
                            <execution>
                                <id>pre-integration-tests</id>
                                <goals>
                                    <goal>prepare-agent-integration</goal>
                                </goals>
                            </execution>
                            <!-- Create reports -->
                            <execution>
                                <id>report-integration-tests</id>
                                <goals>
                                    <goal>report-integration</goal>
                                </goals>
                            </execution>
                            <!-- ## MERGE ALL TESTS reports ## -->
                            <execution>
                                <id>merge</id>
                                <goals>
                                    <goal>merge</goal>
                                </goals>
                                <configuration>
                                    <!-- Only 1 destination file to aggregate ALL integration tests reports -->
                                    <!-- the "session.executionRootDirectory" = parent folder that is being build by Jenkins -->
                                    <destFile>${session.executionRootDirectory}/target/jacoco-it.exec</destFile>
                                    <fileSets>
                                        <fileSet implementation="org.apache.maven.shared.model.fileset.FileSet">
                                            <directory>${project.build.directory}</directory>
                                            <includes>
                                                <include>**/*.exec</include>
                                            </includes>
                                        </fileSet>
                                    </fileSets>
                                </configuration>
                            </execution>
                        </executions>
                    </plugin>

                    <!-- SonarQube engine -->
                    <plugin>
                        <groupId>org.sonarsource.scanner.maven</groupId>
                        <artifactId>sonar-maven-plugin</artifactId>
                        <!-- Do not forget to change version in JenkinsFile as well -->
                        <version>3.6.0.1398</version>
                    </plugin>
                </plugins>
            </build>
        </profile>

Jenkins

Jenkins plugins

To work with SonarQube, Jenkins requires the following plugins to be installed and enabled:


Actions:

  • Log into Jenkins as an administrator
  • Go to Manage Jenkin > Manage plugins


Jenkins settings # Maven Integration plugin

Jenkins settings # SonarQube scanner for Jenkins



Global configuration

  • Log into Jenkins as an administrator
  • Go to Manage Jenkins > Configure System
  • Scroll to the SonarQube servers section
  • Check Enable injection of SonarQube server configuration as build environment variables


Jenkins Global configuration # SonarQube



Job configuration

Now that you can generate these reports, especially the integration tests results, you need to configure Jenkins to use them!


Maven build (legacy)

This explain how to configure a Maven build (legacy) with SonarQube Runner.


In the Build Environment section > check Prepare SonarQube Scanner environment

Jenkins Build configuration #1


Then, set the Build command line:

Jenkins Build configuration #2


Adjust the SonarQube server URL + path to integration tests reports!

  • Maven build: clean install or clean deploy
  • Use SonarQube
    • Enable plugin: $SONAR_MAVEN_GOAL
    • Set SonarQube server URL: -Dsonar.host.url=http://localhost:9000/sonarqube
    • Give path of Integration tests: -Dsonar.jacoco.itReportPath=/var/lib/jenkins/workspace/Flow.e.r.s/target/jacoco-it.exec



JenkinsFile (Pipelines)

Requirements: have a local SonarQube instance configured in Jenkins, called "sonarqube"

pipeline {

    parameters {
        booleanParam(defaultValue: false, description: 'Enable quality control', name: 'qualityControlEnabled')
        booleanParam(defaultValue: false, description: 'Enable Maven dependencies checks (missing declaration / unused libraries / etc.)', name: 'mvnDependenciesChecksEnabled')
        booleanParam(defaultValue: false, description: 'Enable OWASP checks (search for known vulnerabilities in libraries)', name: 'owaspChecksEnabled')
    }


    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('MVN dependencies checks') {
            when {
                expression { params.mvnDependenciesChecksEnabled }
            }
            steps {
                withMaven(
                        maven: 'Maven 3.5.2',
                        mavenLocalRepo: '.repository'
                ) {
                    echo "MVN dependencies checks [unused / missing / bad scope / etc.]"
                    sh "mvn org.apache.maven.plugins:maven-dependency-plugin:analyze-report"
                }
            }
        }

        stage('OWASP vulnerabilities checks') {
            when {
                expression { params.owaspChecksEnabled }
            }
            steps {
                withMaven(
                        maven: 'Maven 3.5.2',
                        mavenLocalRepo: '.repository'
                ) {
                    echo "OWASP vulnerabilities checks [lib. with security issue(s)]"
                    sh "mvn org.owasp:dependency-check-maven:check"
                    // sh "mvn org.owasp:dependency-check-maven:aggregate"

                    // Publish report in Jenkins
                    dependencyCheckPublisher failedTotalHigh: '0', unstableTotalHigh: '1', failedTotalNormal: '2', unstableTotalNormal: '5'
                }
            }
        }

        stage('Build') {
            /*
            when {
                 //  optional: my condition(s)
            }
            */
            steps {
                withMaven(
                        maven: 'Maven 3.5.2',
                        mavenLocalRepo: '.repository'
                ){
                    script {
                        if (params.qualityControlEnabled) {
                            // On human request only
                            echo "Building with QUALITY controls from ${BRANCH_NAME} ..."
                            sh "mvn clean install -Pquality_control"
                        } else {
                            // Default case - for automatic builds
                            echo "Standard build"
                            sh "mvn clean install"
                        }
                    }
                }
            }
        }

        stage('SonarQube') {
            when {
                expression { params.qualityControlEnabled }
            }
            steps {
                withMaven(
                        maven: 'Maven 3.5.2',
                        mavenLocalRepo: '.repository'
                ){
                    withSonarQubeEnv('sonarqube') {
                        echo "Static code analysis with SonarQube runner"
                        // TODO ensure the version of the plugin matches the one in the PARENT pom
                        sh "mvn org.sonarsource.scanner.maven:sonar-maven-plugin:3.6.0.1398:sonar -Dsonar.projectName=\"my_project ($BRANCH_NAME)\" -Dsonar.projectKey=my_project:$BRANCH_NAME -Pquality_control"
                    }
                }
            }
        }
    }

    post {
        always {
            echo 'Cleaning workspace'
            deleteDir()
        }
    }


See SonarQube documentation

SonarQube

By default there will be 1 sonarqube' entry for every Jenkins artifactId that is build (parent name).


How to see the code coverage by module?

To have a quick glance of the project's modules:

  • SonarQube > project > Code

SonarQube view results #1


  • SonarQube > project > Measures' > Expand coverage > Conditions coverage

SonarQube view results #2


How to see measures by module?

By default SonarQube display measures for all the project's modules. This is sometimes not convenient... The old "code" dashboard has been removed, but you can still see the measure by sub-module with a little trick.


1. Select a module to analyze from the "code" menu

SonarQube select module, step 1


2. Notice the SonarQube URL and the selection parameter

SonarQube select module, step 2


3. Copy that &selected=.. parameter


4. Parse the value on the measures page

SonarQube select module, step 3


5. All good! You can browse the measures for that particular module.


SonarQube plugins

Go to SonarQube > Administration > Marketplace > "All"


I advised you to install:

  • Code smells
  • FindBugs
  • Git
  • JaCoCo (mandatory)
  • PMD


How to disable rule(s) in SonarQube

(i) This operation is only for logged user with administrators rights.


Quality profile

First of all you have to create a custom quality profile.

  • Go to Quality profiles
  • Click on the wheel of the quality profile you'd like to adjust > copy
  • Name the new profile > Click on the wheel top right > set as default


SonarQube # create quality profile


Disable / Enable rule for quality profile

  • Go to Rules
  • Search for the rule you want to modify
  • Click on the rule name

SonarQube # disable rule screen 1

  • Scroll down to the quality profile view
  • Disable rule for particular quality profile(s)

SonarQube # disable rule screen 2



Other

jUnit tests ordering

Since jUnit 4.11 you can set the order of your tests. If you have to use that it means something is probably wrong with your tests design!




References

This article is based on my daily work in VEHCO + European Parliament + LuxTrust.

This article is based on a lot of research and code browsing. Following articles are very good:

PowerMock support


Other article that are relevant for older versions of Sonar (versions < 6.x with Java 7)