SonarQube Tutorial - Integration with Jenkins & Maven

Captions
Hello everyone, this is Infotech NG. Welcome to this tutorial on SonarQube. The motivation for recording yet another tutorial on SonarQube is that a couple of things have changed in the latest versions of SonarQube, at least from the time that I last used it, so I thought I'll make a quick tutorial based upon what I did on my laptop. What I plan to do in this demo is first set up SonarQube version 9.8, and to spin it up I'm going to use Oracle JDK 11. Once SonarQube comes up I'm going to possibly create a user and then create a token for this particular user, then take a plain vanilla Maven based repository which is on my GitHub, run Maven, and then try to push the Maven code onto SonarQube for analysis. Now if that goes well I would replicate the same steps in Jenkins, but then I will use some plugins in Jenkins; the version of Jenkins that I plan to use is 2.375.2. I am going to use Jenkins with the plugins and replicate the same mechanism, where I get the same project scanned on SonarQube. After that what I want to do is come up with a pipeline syntax for doing the same stuff but maybe a little advanced, where I may put up some sort of a quality gate on SonarQube. Quality gates are nothing but some sort of criteria that you would want to set up for your particular project, based on which you want to either mark the build as a pass or a failure.

Before I begin let me quickly show you what setup I have on my local box. First and foremost, where do I have my JDK? I've installed the Oracle JDK and it is present in C:\Program Files\Java; that is where my JDK is present. I have put my Maven 3.6.3 in the C folder itself. And then I have downloaded SonarQube 9.8, which is nothing but a binary; I've extracted that binary out here. Let me also show you the environment variables that I've set up, because this is pretty important when it comes to Jenkins. There are a couple of ways in which you can do it, but this is what I prefer. First and foremost, what is my JAVA_HOME? I pointed it to C:\Program Files\Java, and then another variable called MAVEN_HOME which I pointed to wherever I unzipped my Maven, and also in the PATH I have added the JDK bin and the Maven bin. Now I always prefer to keep whatever is the installed JDK as the first path, so that it doesn't get corrupted with any other JDK that I may have on my system. So that's pretty much the setup that I have, and if at all I open up a command prompt and type in mvn -version I should find the Maven home and the Java home; this signifies that everything is good, at least from that perspective.

Now let me get started with SonarQube. In order to run SonarQube, what I prefer to do is open up a PowerShell, because sometimes you need the admin rights and all that, so I don't want to take any chances. Within SonarQube there's a bin folder, within the bin folder there is a Windows folder; I want to go in here and you will find StartSonar.bat. I don't want to start it like a service, so I'm going to just start StartSonar.bat. Now this may take a minute or two depending upon the speed of your system. SonarQube, as you would probably know, is nothing but a wonderful tool for performing static code analysis. It analyzes your code and gives you all kinds of possible metrics; whatever fails as per the stipulated guidelines gets thrown up. So this is a pretty good tool if your application is based upon any programming language; it supports up to 20 or 21 programming languages. All right, so that was quick, my SonarQube came up, and SonarQube runs on port 9000.

The default username and password for SonarQube is admin admin. Once you log in, or the first time you log in, it always asks you to change it; I've already changed that to admin admin123. So this is where I already have my SonarQube that is up and running. What I want to do first is run a scan from a Maven based project without really using Jenkins, from the command line; I may want to run any of these Maven projects. So for anyone to contact SonarQube they would possibly need some sort of a token. Go to administrator here, go to My Account, go to Security, and then you can go ahead and create a token. A token is nothing but like a user ID and a password kind of a thing; in this case it is nothing but a big string which is only displayed the first time that you create it, and it has got some expiry date in case you want that token to expire at some point in time. So this is one way where you can go ahead and create a particular token for your projects. The other way is, because I'm going to run Maven from a command prompt, for anybody to programmatically get into SonarQube and get some scanning done, SonarQube expects a few things from this application, so let me manually set up a project in SonarQube. Any name that you want; I'll probably give the same name that is showing up, test scan, and what particular project do you want to scan, and then what is the branch, main branch. So for this particular demo what I want to do is scan one of my GitHub projects, which is a simple Maven based web application; it's called calc, a calculator application kind of a thing. It doesn't have too many things out there. Let me also show you the pom.xml quickly. It gets packaged as a war file; since I'm using JDK 11 I've just put these properties; it's got some dependencies on some JUnit test cases, and then I've also used some plugins for spitting out, let's say, the code coverage. I use the plugin called JaCoCo; you can refer to some of my previous tutorials where I've used this plugin. In order to get the code coverage, this is an additional thing, because anyway your SonarQube also is going to give you the same code coverage, but then I was using this tutorial for some other purpose, so I've got the JaCoCo dependencies. Maybe I've also got something called PMD; PMD is one more kind of a scanner for your application. And also the unit test cases. And then I've also added the sonar-maven-plugin, some particular version of sonar-maven-plugin. So this is my particular project and I may want to scan this project from, let's say, a command prompt.

Let me open up a command prompt and do a git clone of this particular repository. All right, I can run, let's say, mvn package. This will first compile the application, test the application; maybe there are some unit test cases, run those unit test cases, and if everything goes well you would go ahead and create a war file out of this. Now while all this is being done I may also want to scan this application from this command prompt. In order to do that I would want to create some sort of a placeholder. Now this went on very quickly just because I've run it earlier, so all the dependencies, the jar files, the war files, everything has been downloaded; but if you're running for the first time it may take a couple of minutes more for it to run. So this project, which is up there on my GitHub repository, I may want to pass it on to my SonarQube scanner so that it scans it. Now I don't have any other prerequisites on my Maven other than specifying that this is a sonar kind of a project and then pointing the URL to SonarQube, and then passing along a key, which is nothing but the secret, so that SonarQube authorizes this particular push and then does a scanning of this application.

In order to do that let me go to the project; I want to create a placeholder for the project. I'll just create test scan; this is the project key, which automatically gets picked up; what is the branch, what is the main branch from this repository. If you see the branch, there is a master branch, so main branch is not what I want; I want to specify this as the master branch and I'm going to say set up. All right, now it is asking, do you want to integrate with any one of these? No, I don't want to do any one of that. What I want to do is analyze this locally; I want to manually create this on my own. So I'm just going to give a token name, let's say demo token one or something like that; let it expire in three days, I don't have any problems with that; I will say generate. So the token got generated. The best thing is I need to copy this, but I'm pretty sure in the next screen as well it is going to ask me a few more things, saying what do you want to run the analysis on, what kind of projects are you building; it gives you at least the prominent ones like Maven, Gradle, .NET and other stuff. Since my project is Maven let me click on Maven; it is going to clearly tell me how I should execute my Maven from the command prompt. If you see here it's got a project key, it's got the host URL, in my case it is localhost just because I'm running this locally; if this is being run on some other box which has got a fully qualified domain name associated with it or an IP address, you'll find the IP address of that machine; and then the login with this particular key set.

So let me just copy this and paste it here, and let me just take out all these new line characters. So that's all that I got to do: Ctrl+A, Ctrl+C, and let me execute it here. So I just come back to my prompt where I already did at least the initial part of it; I'm doing the same thing, and if you see the syntax, there is sonar:sonar; this is the way in which you're going to invoke the sonar scanning, and that is all that is required for the sonar scanning to happen. So the local repository or local folder from where I'm running this managed to build everything properly; it also pushed the repository onto SonarQube for scanning, and it is also telling me where to look for the results of my scan. If I come back here, automatically I see this particular stuff: there are two bugs, four vulnerabilities, the code coverage is not great, just 4.5 percent, some two unit test cases which were run, and those of you who are comfortable with or have used Sonar can get into each of these scan results and see what is the problem that this guy is talking about. The important thing is, just by putting up some pretty simple configuration on my Sonar I was able to execute a Maven project from a command prompt and then push it to SonarQube for analysis.

Now let me try to replicate the same thing using Jenkins. Even in Jenkins I can run the same mvn command and that can pretty much give me the same results, but I don't want to do that; that sounds a little crude. So what I instead want to do is use the Jenkins plugin in order to achieve the same results. Before that let me go ahead and delete this project; I don't want this project anymore, so I'm going to delete it. Also, what is required for Jenkins is that Jenkins may want to run a lot of scans on SonarQube, so when you create a token for authorization it need not be a token that is meant only for a particular project; we want to run across the projects. I mean, you can always add tokens for specific projects, but in case you want to set up an integration between Jenkins and Sonar, what is more preferable is to have one token which allows Jenkins to scan all kinds of projects.

So you can go here, say My Account, go to Security, and generate a token. I already have generated these tokens, but just for the demo let me show you: demo Jenkins token, and what kind of a token are we talking about, a user token or a global analysis token? These are role based kind of tokens. I want all kinds of analysis to be done, not a project specific analysis or a user specific thing, so I'm going to choose a global analysis token and let me say no expiration. I'll go and create this particular token, and what you get is a big hash code kind of a thing which I'm going to copy and paste somewhere in my notepad. So now my Jenkins would want to talk to this particular SonarQube. In order to do that, what I would want to do is get into my Jenkins and install a bunch of plugins. I already have the plugins installed, but let me just show you what plugins I installed. The first one is SonarQube Scanner for Jenkins; this is what is required for my Jenkins to talk to SonarQube. There's also one more plugin called Sonar Quality Gates plugin; I was just trying it out but I couldn't get it to work, probably it is broken, it's a pretty old kind of a plugin, so I'm not going to use this plugin. The Sonar Quality Gates plugin is required when you want the analysis of your project to reflect back on your Jenkins job, because Jenkins is going to pass on the analysis to Sonar, but whether the analysis passed any of the quality gates that you set or not is determined in an asynchronous kind of a way; that doesn't happen automatically, it takes some time for SonarQube to do the analysis. So this quality gates plugin is what is required in order to get the results back of what happened to the quality gate, but this doesn't work well, or rather I couldn't get it to work, so instead I will demo another way where I'm going to use the pipeline syntax. But just to do the SonarQube analysis, the scanner plugin is all that is required.

So once that plugin is installed, go to Manage Jenkins, go to Configure System; you'll have to tell Jenkins where exactly your SonarQube server is, and if at all there is any token you will have to put up that particular token. So you come down here and somewhere you'll find SonarQube servers. You can have multiple SonarQube servers if at all you desire, because at any point in time you may have multiple projects where different projects have got different SonarQubes, and Jenkins should be able to operate with or talk to all the SonarQube servers. All that is required for you is to give a name for your SonarQube server; since I have only one I've given it SonarQube, but this name has got some prominence: when we refer to this particular SonarQube in our pipeline plugin we'll have to use this particular name. So SonarQube, what is the URL, localhost:9000, that is the URL; what is the token. Before this I'll just show you, you probably know how to create a token; I've already created the token as sonar token and I put it out there. And then one other thing is to click on this environment variable checkbox; this will enable that the SonarQube server configuration and everything gets injected into your Jenkins job as environment variables. So install the SonarQube plugin and then specify all these parameters. Where to put down the tokens: as I was saying, I had already put down the token, but in case you want to create a token, just click on Manage Jenkins and Manage Credentials, System, and Add Credentials; you can give any type of credential, but what we have is just a text, so secret text is all that is required. I already put in that particular token and that token is present right here as sonar token, so this guy just has got that big string that I copied from my SonarQube server.

So most of the things are up, and then all that I got to do is first put up a job, a manual kind of a job, which is nothing but a freestyle job. I already have that job here; let me show you what I've configured in this particular job. Source code: it's a git repository, I'm pointing it to my web app which is calc web app; it doesn't need any credential because it is a public repository; branches: master, that is my main branch; and Prepare SonarQube Scanner environment. All right, hang in there one minute; I forgot to show you one other configuration that was required: Global Tool Configuration. What is required is that after the plugin you'll have to install something called a SonarQube Scanner. If you come down to Manage Jenkins, Global Tool Configuration, you come out here, and once you have that plugin you will find SonarQube Scanner. You add this, you can specify any name that you want, and install automatically; or rather let me do one thing, let me delete this and show you. Add a SonarQube Scanner: the name I can give as sonar scanner; install automatically: yes; what version of SonarQube Scanner: it is as good as a yum or apt kind of a thing, where there is a centralized repository where all kinds of SonarQube scanners are present. So that is all that you're supposed to do: install automatically, specify what version of SonarQube Scanner you want, and then install from Maven Central, that is the default; you don't have to specify anything. This is all that you're supposed to do; go ahead and save this.

So I've got my SonarQube plugin, I have informed Jenkins where to find my SonarQube server and what credential it requires. I also have installed something called scanners, which are nothing but small agents which allow my Jenkins to talk to the SonarQube server; there are also some more scanners which run locally as well. Now let me put up a simple job. I already have that job here, so let me just show you what I have in that particular job: GitHub repository, credential not required, the master branch is what it needs, and Prepare SonarQube Scanner environment; this has to be clicked, otherwise your Sonar doesn't get triggered. And here, what exactly you want to do as a part of the build step: mvn package sonar:sonar. You can also invoke the Maven top-level goal, but what I prefer, since I put everything in the path, is that mvn works perfectly well for me, so I've executed a command which is mvn package sonar:sonar. All that is required is this one. So let me save this and let me build this project. While the project is going on let me go back to my SonarQube and see; this is an empty SonarQube, I don't have any projects here because I deleted the previous project that I had. Let me just wait till this particular project gets completed. The older SonarQubes needed a couple of pieces of information regarding the project: what type of project, where is the source, where are the class files and all that, what kind of a project it is; but the latest ones do not need many of those, and the configuration that you have set can also be put up in the project pom.xml. So there you go, this is successful; you can see the results right here, but anyway I have the tab open here, so let me go to projects. You see here the project has got executed; it is the same project so you will not find any difference because I've not done any change to the particular code.

So the name of the project, the token, everything is pre-configured in my Jenkins job. Now let me set up something called a quality gate. A quality gate is nothing but a kind of a boundary that I set out just to say whether my particular project is as per my expected quality. The quality can be defined based upon any of the metrics, in terms of how many bugs it is okay to allow for a particular build, how many vulnerabilities are okay, what should be the code coverage percentage, to certify whether a build is a pass or a fail. So a quality gate can be anything; usually people working for projects belonging to some customers have got these quality gates which are set as per the SLAs agreed with the customers. For this particular project as of now I don't have any quality gates, so the project says it's passed, but let me quickly set up a quality gate. I will give the quality gate name as, let's say, project quality gate or something like that; the name has already been taken, okay, I will call it demo quality gate one; we'll save it with this particular name. Oh, I didn't see this project quality gate; let me go ahead and delete this guy. All right, so demo quality gate one, and it asks what conditions we are talking about. I can add multiple conditions: is it on the new code? When you do a repeated analysis, the last code that gets pushed is called the new code; the overall code is what exactly was there; if you had some 10 builds earlier, this whole thing. You want to consider this parameter for the whole code, that's what I would put out. So what kind of metrics are we talking about, let's say code coverage; code coverage is a pretty good factor: if the code coverage is less than, let's say, 50 percent I would say the build is kind of a bad build; it has to be above 50 percent. So that is one condition that I'm going to add.

Let me also take a look at the bugs and add one more parameter specific to the bugs. So this one I will say, add a condition on the overall code, bugs: if the bugs are, let's say, more than five, I just want to say that this build is not a good build. I'm going to add this condition. So the same project, the same configuration, there's no change in the configurations, it is just that on top of the build I have put out a kind of a condition. Okay, my bad, I didn't really check where these conditions have to be met, for which particular projects. If you see here I put the quality gates and then I can assign the quality gates to whatever projects I want: projects with, without, all; all is what I want, and here if I search in the all tab I will find all the projects; for this particular project I want this quality gate to be set. All right, so the previous build still says it is a good build; let me run this job again, the same job, there's pretty much no code change or anything like that, so let me see what happens. Okay, it says analysis is successful, everything looks good; let me check here, now the build says it's got failed. What is the condition based on which the build got failed? The code coverage percentage, okay, that's one of the conditions why the whole build got failed. But the only problem is, for this particular job to get back the result, sometimes you don't find this automatically getting updated; it will take a while for this to happen, because the quality gate that I put out was pretty simple; assuming it is a pretty complicated quality gate and the analysis takes maybe a couple of minutes or 30 minutes or 40 minutes for the complete analysis to happen, then your Jenkins job should wait till the results are pushed back. Now out here in this particular freestyle job I couldn't find a way to do that.

So instead, in the next section what I want to do is put up a job in terms of, what should I say, the pipeline syntax, where there's a very nice mechanism of waiting till the quality gate gets updated, and also in that case SonarQube can send a webhook back to the Jenkins server, a kind of an asynchronous update that will happen from SonarQube telling Jenkins whether it passed or not, because once Jenkins pushes the job it's a kind of one-shot activity. So let me do that in the next section of the demo: let me put up a pipeline job which pretty much does the same thing but in a much simpler kind of a syntax. So I've gone here, I've cleared all the projects; there's no, oh, where did this guy come from, let me go ahead and delete this guy, we don't need this project; all right, clean and empty. Now in the same repository I put out a file called Jenkinsfile which has got a bunch of instructions. For people who are not familiar with this, it's a pretty simple kind of a syntax. The first stage is going to check out the repository. How to get all these steps is all there, and you can refer to some of the video tutorials that tell you how to get the syntax, but in a simplistic way: this is how I check out a git repository, this is how I package by running mvn package, this is how I run the JUnit test cases, and then I also have installed a plugin called JaCoCo, so this also gives you the code coverage percentage; this is how I can invoke the JaCoCo plugin. And then, most importantly, I'm interested in how I do a SonarQube analysis: withSonarQubeEnv, and this is the name of the SonarQube instance that we configured within Jenkins; then a batch file, mvn package sonar:sonar. Now this is the interesting part where asynchronously I'm going to wait till that point in time where my SonarQube is going to pass the results of the quality gate.

But first let me just show you, I don't want to put this quality gate yet because we'll have to configure something called a webhook in our SonarQube. So let me just copy this whole content and then let me put up a new item; I will say sonar pipeline job, this is a pipeline kind of a job. The beauty of writing your pipeline as code is you don't really have to copy anything else other than this particular code. So let me get rid of this quality gate stage; I don't want to wait on the quality gate again. So stage one and two, one, two, okay, we don't want this step. Let me save this and let me build it. The same set of instructions that I did with the freestyle job are now being executed in a kind of pipeline way, and here you'll also find JUnit test cases, also JaCoCo reports. So what is JaCoCo? It's nothing but a code coverage tool; this also is a small subset of what SonarQube already does, but I also have a plugin installed which is called JaCoCo, so anybody who wants to try this demo would need this plugin; otherwise just comment out the JaCoCo section of the job. All right, so the sonar pipeline job is still running; let me see the console output. If you see here, everything runs well: the JUnit test cases, also the JaCoCo coverage reports, and it also pushed our job to SonarQube. You will also find some beautiful code coverage reports here; this is because of JaCoCo, and then you'll also find JUnit test cases because we also run the JUnit. And if you come back to SonarQube and click on projects you'll also find the project that got pushed in a similar way. But what I want to do now is inform this guy as to, whenever you're supposed to give the results of the quality gate back, how would you reach out to Jenkins and then give the information whether a build is a pass or a fail. For that let me add something called a webhook.

So let me first check if at all the quality gates are applied to my particular project or not. Because I deleted the previous project, the rule was not applied, so I'm going to choose this; that will ensure that my quality gate would get applied. And then if we go to the project settings out here there is something called a webhook. So let me go ahead and create a webhook. I can give any name that I want; I will just call this Jenkins hook, and the URL has to be something like this: localhost:8080, which is nothing but my Jenkins URL, forward slash sonarqube-webhook forward slash. It may not allow me to create this webhook, but let's check this out. Okay, for some reason it doesn't allow the webhook to point to the same system because we are all running on localhost. So what I'll do is expose my Jenkins URL as an external URL: ngrok http 8080. This is not required to be done if at all your Jenkins and SonarQube were running on different servers, but since I have got both running on my localhost I'll hit upon this error. So what I did is I started a small utility called ngrok and I'm exposing my port 8080, which is nothing but my Jenkins, so if somebody hits this URL, which is an external URL, that also gets pointed back to my Jenkins. So now let me specify this URL here instead of localhost, forward slash, and then sonarqube-webhook forward slash. If at all your Jenkins needs some sort of authentication, if there's a secret or something, you'll have to choose this, but for now I'll ignore that; I will just say create a webhook. So this is a project kind of a setting; we've informed SonarQube that after the project is done, if at all any of the results pass or fail, whatever is the status of your project, kindly use the webhook and inform this guy, this Jenkins who is running at this particular URL.

Now let me come back to my job and let me add that last stage. If you remember I had removed the wait for the quality gate setting, and what I'm trying to do is, if at all the job or the quality gate fails, I'm going to abort. There's a bunch of parameters, how long do you want the quality gate to keep waiting and all that stuff, but I just want to keep this very simple, so I'm just going to add this snippet. All that it does is it is going to wait for the quality gate, and if at all the quality gate fails it's going to mark your build as a failure. I will put it in somewhere after the SonarQube analysis; this is the SonarQube analysis, so this is where I would wait. And again I'm redoing a couple of things, I think I'm doing mvn twice; that's not the intent, anybody who wants to better it can always do that. That's all the change I'm going to make and I'm going to say build. So this build pretty much does the same thing, but then I'm interested in finding out what happened to my quality gate: did it pass, did it fail? And assuming that my quality gate analysis would take a couple of minutes to run, you will find that it would wait, and in an asynchronous way the quality gate information would get passed on to the Jenkins job; accordingly the Jenkins job will get marked either as a success or as a failure, the failure just because the quality gate bumped. You see here, the task is in status, quality gate is ERROR, pipeline aborted due to quality gate failure, our quality gate did not pass; so that is why my pipeline aborted, and we see here the task, it was in progress, this task got completed but the quality gate failed. If I come back here and refresh this, you'll find that the quality gate failed because of the same condition that I put earlier.

But the beauty of this particular job is that in Jenkins now, if at all I look at the job that we ran, this whole job is marked as a failure because my quality gate failed. As usual I will leave all the documentation regarding the tools that I used, the versions of the tools and the plugins that I used, and the GitHub repository that I used in my demo in the description section of my tutorial. Hope you enjoyed watching my tutorial, and in case anybody wants to try it and you hit upon some issues, please leave a message in the comment section and I'll try to address it as soon as I can. Thank you so much for stopping by and watching my tutorial; you have a great day, thank you.
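The pipeline the video walks through (checkout, mvn package, JUnit and JaCoCo reports, withSonarQubeEnv, then waitForQualityGate fed by the webhook) written out as one declarative Jenkinsfile. This is an added example, not the speaker's Jenkinsfile from the repository. It assumes the SonarQube server entry in Manage Jenkins > Configure System is named `sonarqube` with the analysis token attached as a secret text credential (so the token never appears in the file), a Windows agent (hence `bat`, as in the video), a placeholder repository URL, and a JaCoCo plugin configured in the project's pom.xml. It also removes the double `mvn package` the speaker mentions by running `sonar:sonar` against the classes and reports the first Maven run already produced.

```groovy
// Added example, not the tutorial author's Jenkinsfile.
// Assumed names: SonarQube server entry 'sonarqube' (Manage Jenkins > Configure
// System), repository URL below is a placeholder, Windows agent ('bat' steps).
// The SonarQube token is read from the server entry's credential by
// withSonarQubeEnv, so it is never written into this file or the console log.
pipeline {
    agent any

    options {
        // An upper bound for the whole run so a hung gate cannot hold the executor forever.
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Checkout') {
            steps {
                // Public repository, so no credentialsId; placeholder URL, replace with your own.
                git branch: 'master', url: 'https://github.com/EXAMPLE-USER/calc-web-app.git'
            }
        }

        stage('Build and test') {
            steps {
                // Compiles, runs the JUnit tests, lets the JaCoCo Maven plugin write
                // its report, and packages the war. -B keeps Maven non-interactive.
                bat 'mvn -B clean package'
            }
            post {
                always {
                    // Publish test results even when tests fail, so the failure is visible.
                    junit 'target/surefire-reports/*.xml'
                    // JaCoCo Jenkins plugin step; remove this line if that plugin is not installed.
                    jacoco()
                }
            }
        }

        stage('SonarQube analysis') {
            steps {
                // Injects SONAR_HOST_URL and the token into the environment for this
                // block only; the name must match the server entry configured in Jenkins.
                withSonarQubeEnv('sonarqube') {
                    // No second 'package': sonar:sonar reads the classes, surefire and
                    // JaCoCo output left in target/ by the previous stage.
                    bat 'mvn -B sonar:sonar'
                }
            }
        }

        stage('Quality gate') {
            steps {
                // Blocks until SonarQube's webhook (<JENKINS_URL>/sonarqube-webhook/)
                // delivers the gate status for this analysis. abortPipeline: true
                // marks the build FAILED when the gate status is ERROR, which is the
                // behaviour shown at the end of the video.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

The inner `timeout` around `waitForQualityGate` is the part to keep: without the webhook the step waits indefinitely, and a build stuck in "Quality gate" is the usual symptom of a webhook URL that SonarQube cannot reach. The ngrok tunnel in the video exists only because both servers share one laptop; with Jenkins and SonarQube on separate hosts the webhook URL is simply the Jenkins base URL, and Jenkins need not be reachable from the internet at all. When you create the webhook, the secret field the speaker skipped is worth filling in, with the same secret configured on the Jenkins SonarQube server entry, so that only payloads SonarQube signed can release a waiting build.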
Info
Channel: crudsinfotech NG
Views: 6,056
Keywords: Jenkins, SonarQube, Sonar, Quality Gate, Jenkins Pipeline, Devops, CRUDS Infotech NG, Jenkins integrate with SonarQube, Jenkins maven sonarqube, Sonarqube jenkins
Id: WXhQHG3zjjk
Length: 42min 22sec (2542 seconds)
Published: Fri Feb 17 2023