Comment on page

SonarQube Integration (Beta)

The SonarQube integration makes it possible to include in the SonarQube dashboard results from the source code analysis by Promyze. We use the feature "Generic issue import format" for that, allowing external issues to be integrated into the SonarQube reports. 
This page introduces how to use the Promyze CLI to generate a report that SonarQube will ingest. 
We didn't develop a classic plugin for SonarQube since this approach is more appropriate with a pre-defined set of coding rules. Promyze does not work like this, as each customer will create its own set of coding standards. 
There are some limitations to this mechanism, according to the SonarQube documentation: 
You can't manage them within SonarQube. For example, you can't mark them as false positives. But you can change the issue type (Bug, Vulnerability, Code Smell) or the severity (Minor, ...).
You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.
Integration
The key concept is simple: you can use either the Docker/Npm/Maven version of the Promyze CLI to generate one or multiple output files using the sonarqube formatter (check the CLI options).
Then, the Sonar Scanner CLI must ingest the output files using the argument: 
-Dsonar.externalIssuesReportPaths=<your_path>
With the Maven Plugin
This will make sense if you use the SonarScanner for Maven. Check the Promyze Maven Plugin documentation to set the plugin up and ready.
Here is an example of configuration for a Gitlab CI pipeline:
stages:
  - quality
​
quality-check:
  stage: quality
  image: maven:3.6.3-jdk-11
  script:
      - mvn install
      - mvn com.promyze:scanner:scan -Dpromyze.formatters=console,sonarqube
      - mvn sonar:sonar -Dsonar.externalIssuesReportPaths=target/promyze-scan.json
​
With the Npm/Docker CLI 
stages:
    - promyze
    - sonarqube
​
# Assume PROMYZE_API_KEY and PROMYZE_URL are set as CI/CD Variables
promyze-detect:
  stage: promyze
  image:
    name: promyze/promyze-cli:latest
    entrypoint: [""]
  artifacts:
    paths:
      - promyze-scan.json
  script:
    - promyze-scanner scan . --formatters=console,sonarqube --output=promyze-scan.json
​
# Assume SONAR_HOST_URL and SONAR_LOGIN are set as CI/CD Variables
sonarqube-scan:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - promyze-scan.json
  allow_failure: true
  script:
    - sonar-scanner -Dsonar.projectKey=your-key -Dsonar.qualitygate.wait=true -Dsonar.externalIssuesReportPaths=promyze-scan.json
```
More suggestions?  
Share a feature request with us; we'll be to discuss it with you.

Run on Windows

Next - Leverage coding practices

Onboard new developers with Discovery Workshops

Last modified 6mo ago