How to integrate Sonar Quality Gates with Gitlab-CI

I have a gitlab-ci integration that needs to run a Sonar analysis and, if the quality gate passes, build a Docker image.

Is this possible with gitlab-ci?

You should try the Sonar Build Breaker plugin. It lets the analysis return a non-zero value, which fails the build on the GitLab CI Runner instead of running the next step (building the Docker image).

Create a .gitlab-ci.yml file in the root of the project:

stages:
  - sonarqube
  - docker_build
image: maven:3-jdk-8
sonarqube:
  stage: sonarqube
  script:
    - mvn sonar:sonar # sonarqube running command (Build Breaker plugin installed); add your own options
docker_build:
  stage: docker_build
  script:
    - docker build .

A commit to GitLab will run the sonarqube stage and continue to docker_build only if sonarqube passes the quality gate.

To break the CI build when the quality gate fails:

1. Search in /report-task.txt for the values of the CE Task URL (ceTaskUrl) and the CE Task ID (ceTaskId)

2. Call /api/ce/task?id=XXX where XXX is the CE Task ID retrieved in step 1, e.g. https:///api/ce/task?id=yourCeTaskId

3. Wait a while until the status from step 2 is SUCCESS, CANCELED or FAILED

4. If FAILED, break the build (failure here means the Sonar report could not be generated)

5. If SUCCESS, take the analysisId from the JSON returned by /api/ce/task?id=XXX (step 2) and immediately call /api/qualitygates/project_status?analysisId=YYY to check the Quality Gate status, e.g. https:///api/qualitygates/project_status?analysisId=yourAnalysisId

6. Step 5 gives the status against the critical, major and minor error threshold limits

7. Break the build based on those limits

8. Follow proper indentation when using the script

build:
  stage: build
  before_script:
    - yum -y install epel-release
    - yum -y install jq
    - yum install -y coreutils
  script:
    - mvn sonar:sonar -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_LOGIN_TOKEN -Dsonar.working.directory=../target/.sonar
    - export url=$(cat ../target/.sonar/report-task.txt | grep ceTaskUrl | cut -c11- ) #URL where report gets stored
    - sleep 15s #Wait time for the report
    - curl -k -u "$SONAR_LOGIN_TOKEN":"" "$url" -o analysis.txt
    - export status=$(cat analysis.txt | jq -r '.task.status') #Status as SUCCESS, CANCELED or FAILED
    - export analysisId=$(cat analysis.txt | jq -r '.task.analysisId') #Get the analysis Id
    - |
      if [ "$status" == "SUCCESS" ]; then
        echo -e "SONAR ANALYSIS SUCCESSFUL...ANALYSING RESULTS";
        curl -k -u "$SONAR_LOGIN_TOKEN":"" "https://yourSonarURI/api/qualitygates/project_status?analysisId=$analysisId" -o result.txt; #Analysis result like critical, major and minor issues
        export result=$(cat result.txt | jq -r '.projectStatus.status');

        if [ "$result" == "ERROR" ]; then
          echo -e "\e[91mSONAR RESULTS FAILED\e[0m";
          echo "$(cat result.txt | jq -r '.projectStatus.conditions')"; #prints the critical, major and minor violations
          exit 1 #breaks the build for violations
        else
          echo -e "SONAR RESULTS SUCCESSFUL";
          echo "$(cat result.txt | jq -r '.projectStatus.conditions')";
          exit 0
        fi
      else
        echo -e "\e[91mSONAR ANALYSIS FAILED\e[0m";
        exit 1 #breaks the build for failure in Step 2
      fi

Thanks Sahit for the answer. It seems the solution is for Linux. I wanted it to be compatible with Windows.

- $url = (findstr "ceTaskUrl" "<report-task.txt location>").Substring(10) 
- sleep 10 #Need some buffer time to get the report updated from sonarqube analyzer
- $response = &"<Curl exe location>" -u <SonarAdminUserName>:<Password> $url #using curl to login to sonarqube to check analysis ran properly or not. Using sonar admin credentials/token
- $sonardata = $response | ConvertFrom-Json #converting returned data to json 
- $sonarBuildStatus=$sonardata.task.status
- |
      if ("$sonarBuildStatus" -eq "SUCCESS"){ 
          echo "SONARQUBE ANALYSIS IS SUCCESSFUL"
          $sonarAnalysisId= $sonardata.task.analysisId
          $projurl = (findstr "serverUrl" "<report-task.txt location>").Substring(10)
          $projNewUrl = $projurl+"/api/qualitygates/project_status?analysisId="+$sonarAnalysisId
          $projresponse = &"<Curl exe location>" -u <SonarAdminUserName>:<Password> $projNewUrl
          $sonarprojdata = $projresponse | ConvertFrom-Json
          $sonarProjStatus=$sonarprojdata.projectStatus.status
          if ("$sonarProjStatus" -eq "ERROR"){ #Checks if the project has met all the quality gates specified
              echo "SONARQUBE QUALITY GATES FAILED FOR $CI_PROJECT_NAME"
              echo $sonarprojdata.projectStatus.conditions
              exit 1 #breaks the build for violations
          }
          else{
              echo "SONARQUBE QUALITY GATES SUCCESSFUL FOR $CI_PROJECT_NAME"
              echo $sonarprojdata.projectStatus.conditions
              exit 0
          }
          
      }
      else{
          echo "SONARQUBE ANALYSIS FAILED"
          exit 1 #breaks the build for violations
      }

See this link for more information: https://www.codeproject.com/Tips/5165909/Gated-Check-in-in-Git-repository

There is a simple standalone tool written in Go that works with SQ 5.* through 8.2 and simply checks the SQ QG of a specific project. It needs the URL of the SQ instance, the project key, and a token or a login and password to run.

It also has a trick: it waits while the project has pending tasks. There is now also a lightweight Docker image, apriorit/go-check-sonar. Use it like this:

$ docker run --rm -it apriorit/go-check-sonar -project=PROJ -server=http://sonar.dev.local -token=dead**beef
Running SonarQube Quality Gate checker!
Checking if any tasks are running for the provided project...

Waiting for pending tasks to finish...

1 pending tasks remaining for PROJ component...
1 pending tasks remaining for PROJ component...
1 pending tasks remaining for PROJ component...
0 pending tasks remaining for PROJ component...
All tasks on project PROJ are finished!

Checking Quality Gate status of the project...

==============================================
Project Status: OK
==============================================

Since SonarQube 8.1 this can be done with a parameter on the build command. See https://docs.sonarqube.org/latest/analysis/gitlab-integration/, "Failing the pipeline job when the Quality Gate fails":

Failing the pipeline job when the Quality Gate fails

In order for the Quality Gate to fail on the GitLab side when it fails on the SonarQube side, the scanner needs to wait for the SonarQube Quality Gate status. To enable this, set the sonar.qualitygate.wait=true parameter in the .gitlab-ci.yml file. You can set the sonar.qualitygate.timeout property to an amount of time (in seconds) that the scanner should wait for a report to be processed. The default is 300 seconds.

Example:

mvn verify sonar:sonar -Dsonar.qualitygate.wait=true