SonarQube
SonarQube scan results can be accessed from https://sonar.akraino.org. You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.
Bug Severity in SonarQube and mapping to Akraino security requirements
SonarQube | Akraino |
---|---|
Blocker | Critical |
Critical | Important |
Major | Important |
Minor | Moderate |
Info | Low |
Each project should have jjb file to integrate with CI.
To add SonarQube scan, the jjb file should be modified with the following changes:
- mvn-settings
- mvn-params
- gerrit-maven-sonar job
Here is an example:
- project:
name: portal_user_interface
project: portal_user_interface
project-name: portal_user_interface
mvn-settings: portal_user_interface-settings
mvn-params: '-f AECPortalMgmt'
nexus-iq-namespace: 'akraino-'
build-node: centos7-builder-2c-1g
stream: master
jobs:
- '{project-name}-maven-jobs'
- gerrit-maven-sonar
views:
- project-view
Here's some additional documentation on the Sonar jobs/macros we have set up:
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-python-jobs.html#lf-infra-tox-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-c-cpp-jobs.html#cmake-sonar