SonarQube
SonarQube scan results can be accessed from https://sonar.akraino.org. You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.
Bug Severity in SonarQube and mapping to Akraino security requirements
SonarQube | Akraino |
---|---|
Blocker | Critical |
Critical | Important |
Major | Important |
Minor | Moderate |
Info | Low |
Enabling scanning should be done per-project, with the addition of mvn-params and nexus-iq-namespace variables, and the gerrit-maven-sonar job added.
Here's some additional documentation on the Sonar jobs/macros we have set up:
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-python-jobs.html#lf-infra-tox-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-c-cpp-jobs.html#cmake-sonar