SonarQube Integration (Beta)

The SonarQube integration makes it possible to include the results of Promyze's source code analysis in the SonarQube dashboard. We rely on SonarQube's "Generic issue import format" feature for that, which allows issues raised by external tools to be integrated into SonarQube reports.
This page explains how to use the Promyze CLI to generate a report that SonarQube will ingest.
We didn't develop a classic SonarQube plugin because that approach is better suited to a pre-defined set of coding rules. Promyze does not work that way: each customer creates its own set of coding standards.
There are some limitations to this mechanism, according to the SonarQube documentation:
  • You can't manage these external issues within SonarQube. For example, you can't mark them as false positives. You can, however, change the issue type (Bug, Vulnerability, Code Smell) or the severity (Minor, ...).
  • You can't manage the activation of the rules that raise these issues within SonarQube. External rules aren't visible on the Rules page or reflected in quality profiles.

Integration

The key concept is simple: use the Docker, Npm or Maven version of the Promyze CLI to generate one or more output files with the sonarqube formatter (check the CLI options).
Then, the Sonar Scanner CLI must ingest those output files using the argument:
```
-Dsonar.externalIssuesReportPaths=<your_path>
```
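Before the scanner job consumes the report, it is worth checking that the generated file is in the shape SonarQube's Generic Issue Import format expects, rather than discovering a problem only when the scanner rejects it. The following validator is an added example, not Promyze's code; the field names and allowed values follow SonarQube's documentation for the classic generic issue schema (before the 10.3 format change), and the sample report is constructed here.

```python
"""Sanity-check a Generic Issue Import report before handing it to sonar-scanner."""
import json

# Allowed values in SonarQube's classic generic issue import schema (assumption from SonarQube docs).
SEVERITIES = {"BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"}
TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL"}
REQUIRED = ("engineId", "ruleId", "severity", "type", "primaryLocation")


def validate_report(report: dict) -> list:
    """Return a list of problems; an empty list means the report looks ingestible."""
    issues = report.get("issues")
    if not isinstance(issues, list):
        return ['top-level "issues" must be a list']
    problems = []
    for i, issue in enumerate(issues):
        where = f"issues[{i}]"
        problems += [f"{where}: missing {key}" for key in REQUIRED if key not in issue]
        if issue.get("severity") not in SEVERITIES:
            problems.append(f"{where}: bad severity {issue.get('severity')!r}")
        if issue.get("type") not in TYPES:
            problems.append(f"{where}: bad type {issue.get('type')!r}")
        loc = issue.get("primaryLocation") or {}
        path = loc.get("filePath", "")
        # SonarQube resolves filePath against the project base dir; absolute or escaping paths won't match.
        if not path or path.startswith("/") or ".." in path.split("/"):
            problems.append(f"{where}: filePath must be relative to the project root: {path!r}")
        if "message" not in loc:
            problems.append(f"{where}: primaryLocation.message is required")
        rng = loc.get("textRange")
        if rng is not None and rng.get("startLine", 0) < 1:
            problems.append(f"{where}: textRange.startLine must be >= 1")
    return problems


def validate_file(path: str) -> list:
    """Validate a report on disk, e.g. the promyze-scan.json produced by the CI job."""
    with open(path, encoding="utf-8") as fh:
        return validate_report(json.load(fh))


# Constructed sample: one well-formed issue and one with two typical mistakes.
SAMPLE = {"issues": [
    {"engineId": "promyze", "ruleId": "no-hardcoded-secret", "severity": "CRITICAL", "type": "VULNERABILITY",
     "primaryLocation": {"message": "Secret literal in source", "filePath": "src/config.js",
                         "textRange": {"startLine": 12, "endLine": 12}}},
    {"engineId": "promyze", "ruleId": "naming", "severity": "Minor", "type": "CODE_SMELL",
     "primaryLocation": {"message": "Non-descriptive name", "filePath": "/abs/path.js"}},
]}
```

Running `validate_file("promyze-scan.json")` as an extra CI step between the two jobs and failing on a non-empty result keeps a malformed report from reaching the scanner.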

With the Maven Plugin

This makes sense if you use the SonarScanner for Maven. Check the Promyze Maven Plugin documentation to get the plugin set up.
Here is an example configuration for a Gitlab CI pipeline:
```yaml
stages:
  - quality

quality-check:
  stage: quality
  image: maven:3.6.3-jdk-11
  script:
    - mvn install
    - mvn com.promyze:scanner:scan -Dpromyze.formatters=console,sonarqube
    - mvn sonar:sonar -Dsonar.externalIssuesReportPaths=target/promyze-scan.json
```

With the Npm/Docker CLI

```yaml
stages:
  - promyze
  - sonarqube

# Assume PROMYZE_API_KEY and PROMYZE_URL are set as CI/CD Variables
promyze-detect:
  stage: promyze
  image:
    name: promyze/promyze-cli:latest
    entrypoint: [""]
  artifacts:
    paths:
      - promyze-scan.json
  script:
    - promyze-scanner scan . --formatters=console,sonarqube --output=promyze-scan.json

# Assume SONAR_HOST_URL and SONAR_LOGIN are set as CI/CD Variables
sonarqube-scan:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - promyze-scan.json
  allow_failure: true
  script:
    - sonar-scanner -Dsonar.projectKey=your-key -Dsonar.qualitygate.wait=true -Dsonar.externalIssuesReportPaths=promyze-scan.json
```

More suggestions?

Share a feature request with us; we'll be happy to discuss it with you.