Decorate Bitbucket Cloud Pull Request with SonarQube Server Comments

Farooq Khan
5 min read · Nov 13, 2018


SonarQube reported issues in codebase

Why SonarQube?

SonarQube is a static code analyzer that analyses the code and warns about potentially tricky issues: bugs, code smells and security issues. Above all, it can be a great tool to make every member of the team code in the same style, keeping the codebase consistent. It also has the capability to monitor and track the health of the application. According to the rules configured on the SonarQube server, you can even fail the build to make sure the application follows the coding standards and its health is up to the mark beforehand.

What will we achieve?

It will add comments on the pull request according to the configured rules. Have a look at the image below for reference.

comment on PR from sonarqube

Abstract Level Steps:

Here are the high-level steps you need to follow to set up the SonarQube server so that it sends code analysis to the Bitbucket overview page of the project and also decorates the pull requests with comments.

  • Set up the sonar server.
  • Create a token on the SonarQube server. Alternatively you can also use username and password for authentication.
  • Install the Bitbucket plugin (see Decorating PR with Comments below for how to build and install it).
  • Add a sonar.json file to the root of your project. It will show the analysis on top of the Bitbucket repo.
  • Run the following command to send the project analysis to the Bitbucket Cloud overview page and the SonarQube server. It will give you the analysis of the repo on the Bitbucket overview page.
mvn clean verify sonar:sonar -Dsonar.host.url=<sonar-server-url>:<port> -Dsonar.login=<sonar-qube-project-token>

Now the next step is to add comments to the pull request.

  • Build the Bitbucket plugin and place the jar file in:
<sonar-installation-directory>/sonar/extensions/plugins
  • Create the Bitbucket webhook to send us data about the pull request. Using this data we will run the SonarQube analysis on our server to decorate the pull request by running the following command. Note that the following command will not send the analysis to either the SonarQube server or the Bitbucket overview page.
mvn clean verify -DskipTests sonar:sonar --batch-mode --errors \
-Dsonar.bitbucket.repoSlug=<repo-slug> \
-Dsonar.bitbucket.accountName=<bitbucket-account-username> \
-Dsonar.bitbucket.branchName=<branch-name-from-where-pull-request-is-created> \
-Dsonar.host.url=<sonar-qube-server-url> \
-Dsonar.login=<sonar-qube-project-token> \
-Dsonar.analysis.mode=issues \
-Dsonar.bitbucket.oauthClientKey=<bit-bucket-auth-key> \
-Dsonar.bitbucket.oauthClientSecret=<bitbucket-auth-secret>

Install SonarQube

Now we’ll see in detail how to do the steps mentioned above. First, how to install the SonarQube server. It is very easy: you just need to download it from the download page on the official SonarQube site. The other alternative is to download and install it manually, which is also pretty simple.

  • Run this command to download the sonar repository definition to the local machine:
sudo wget -O /etc/yum.repos.d/sonar.repo http://downloads.sourceforge.net/project/sonar-pkg/rpm/sonar.repo
  • Now run the following command to install the SonarQube server:
sudo yum install sonar
  • To start or stop the server use the command:
sudo service sonar start
sudo service sonar stop
  • (Optional) You can either use the embedded database that ships with SonarQube or install and use an actual MySQL instance. To install MySQL, follow these steps:
  1. Run: sudo yum install mysql-server
  2. Run the command to start MySQL: sudo service mysqld start
  3. To set the password for your MySQL, run the command:
sudo mysql_secure_installation

That is all, our SonarQube server is up and running. You can verify it by hitting <ServerIP:9000>, as by default the SonarQube server runs on port 9000. Run the SonarQube analysis using the following command. It will post the code metrics, together with the code smells, to the SonarQube server:

mvn clean verify sonar:sonar -Dsonar.host.url=<sonar-server-url>:<port> -Dsonar.login=<sonar-qube-project-token>

Catch:
In my case this command didn’t work. I used systemctl to start the service as follows:

sudo systemctl start sonar
sudo systemctl stop sonar

I was also unable to install sonar using the root user on the Linux machine (AWS EC2 instance). So I created a new user and installed SonarQube using that user. One other notable point is that you may need to open port 9000 to access the server.
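The post checks the install by opening <ServerIP:9000> in a browser. The following is an added example (not from the post) for doing that check from a script, for instance before a CI job runs sonar:sonar: it polls SonarQube’s /api/system/status web API until the server reports UP and gives up early on statuses that will not resolve by waiting. The endpoint is SonarQube’s own; the function names, the defaults and the wait_for_sonar.py file name are assumptions of this example.

```python
"""Added example (not from the post): wait until a freshly started SonarQube
server reports UP before running an analysis against it. /api/system/status
is SonarQube's own web API; everything else here (names, defaults) is assumed."""
import json
import sys
import time
import urllib.error
import urllib.request

STATUS_PATH = "/api/system/status"  # body: {"id": "...", "version": "...", "status": "UP"}

# Statuses that resolve by waiting. DOWN and DB_MIGRATION_NEEDED do not: the
# latter means the server is waiting for an operator to run the DB upgrade.
# UNKNOWN covers "nothing listening yet" while the JVM is still booting.
TRANSIENT = {"STARTING", "RESTARTING", "DB_MIGRATION_RUNNING", "UNKNOWN"}


def parse_status(body: bytes) -> str:
    """Extract the status field; anything unparsable counts as UNKNOWN."""
    try:
        return str(json.loads(body).get("status", "UNKNOWN"))
    except (ValueError, AttributeError):
        return "UNKNOWN"


def fetch_status(base_url: str, timeout: float = 5.0) -> str:
    """One HTTP probe. Connection refused (server still booting) is UNKNOWN."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + STATUS_PATH, timeout=timeout) as resp:
            return parse_status(resp.read())
    except (urllib.error.URLError, OSError, ValueError):
        return "UNKNOWN"


def wait_for_sonar(base_url: str, timeout: float = 120.0, interval: float = 5.0,
                   fetch=None, sleep=time.sleep, clock=time.monotonic) -> str:
    """Poll until UP, a non-transient status, or the deadline. Returns the final
    status ("UP", "DOWN", "DB_MIGRATION_NEEDED", ... or "TIMEOUT"). fetch, sleep
    and clock are injectable so the loop can be exercised without a server."""
    fetch = fetch or (lambda: fetch_status(base_url))
    deadline = clock() + timeout
    while True:
        status = fetch()
        if status == "UP" or status not in TRANSIENT:
            return status
        if clock() >= deadline:
            return "TIMEOUT"
        sleep(interval)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"
    final = wait_for_sonar(url)
    print(f"{url}: {final}")
    sys.exit(0 if final == "UP" else 1)
```

Run it as `python wait_for_sonar.py http://<ServerIP>:9000`; a non-zero exit means the server never became usable, and the printed status tells you whether that was a plain timeout or a state such as DB_MIGRATION_NEEDED that needs an operator.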

Configure Bitbucket to Show SonarQube Analysis

To send the SonarQube analysis to your Bitbucket overview page, you need to do two simple steps:

  • Add a sonar.json file to the root of your project:
{
  "sonarHost": "<sonar-qube-server-url:port>",
  "sonarProjectKey": "<project-key-on-sonar-server>"
}
  • Run the following command to send the analysis to the SonarQube server:
mvn clean verify sonar:sonar -Dsonar.host.url=<sonar-server-url>:<port> -Dsonar.login=<sonar-qube-project-token>

You can generate a token under Administration => Security. You will see a column named Tokens; from here you can manage your tokens. When we open Bitbucket, it will automatically fetch the updated analysis.

Sonarqube analysis on Bitbucket project overview page

Decorating PR with Comments

Now comes the part for which we have just set up the stage: we want to add comments to the pull request. For GitHub there are plugins available on the marketplace, but unfortunately, for Bitbucket, no plugin/add-on is available on the official marketplace. Setting it up yourself is also easy, though. Download the source code and compile it using mvn clean install. It will compile the plugin and generate a .jar file. Place the jar file in

<sonar-installation-directory>/sonar/extensions/plugins

And you are done. Just restart the SonarQube server. The next step is to use this plugin. All you need to do is run the following command on the command line:

mvn clean verify -DskipTests sonar:sonar --batch-mode --errors \
-Dsonar.bitbucket.repoSlug=<repo-slug> \
-Dsonar.bitbucket.accountName=<bitbucket-account-username> \
-Dsonar.bitbucket.branchName=<branch-name-from-where-pull-request-is-created> \
-Dsonar.host.url=<sonar-qube-server-url> \
-Dsonar.login=<sonar-qube-project-token> \
-Dsonar.analysis.mode=issues \
-Dsonar.bitbucket.oauthClientKey=<bit-bucket-auth-key> \
-Dsonar.bitbucket.oauthClientSecret=<bitbucket-auth-secret>

To get the Bitbucket OAuth key and secret, go to your Bitbucket account settings and under OAuth click on Add consumer to generate a key and secret. This command will add comments to the Bitbucket pull request. Note that the above command will not send the analysis to the Bitbucket overview page. Make sure you give the consumer the right privileges.

Required privileges from bitbucket

Catch

You need to add a URL in Callback URL. It could be any URL; I don’t know why, but it doesn’t work if you don’t add this URL.

Automate PR Decoration

The next goal is to automate the pull request decoration, meaning whenever a pull request is created or updated, the SonarQube server should run the analysis and update the PR with comments. As I was unable to integrate it with Jenkins, I built my own pull request listener. Download and build it from the GitHub repository. To achieve this in Bitbucket:

  1. Download the source from the GitHub repository. Run the command written in the README.md of the project, and run this application on the same server where you are running Jenkins.
  2. We need to enable a webhook on Bitbucket to send data about the pull request. On Bitbucket go to <your-project> => Settings => under Workflows, click on Webhooks and add a new webhook with the Pull Request created and updated fields checked. In the webhook URL enter <your-server-url:port>/bitbucket/webhook
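The command from the Decorating PR with Comments section and the webhook step above are what the author’s listener ties together; its source is not on this page, so here is an added example of a minimal listener, not the author’s code. It accepts the Bitbucket webhook at /bitbucket/webhook, reads the account name, repo slug and source branch from the pull-request payload, and starts the decoration command with those values. The branch name arrives from an external system and ends up as a Maven argument, so the script validates it before use and passes the command as an argv list rather than through a shell; the token and OAuth secret are read from environment variables instead of being typed into the command. Assumptions not from the page: the payload field names (repository.full_name, pullrequest.source.branch.name), which follow the Bitbucket Cloud pull-request webhook shape, the X-Event-Key header values, and the environment-variable names SONAR_HOST_URL, SONAR_TOKEN, BB_OAUTH_KEY, BB_OAUTH_SECRET and PROJECT_DIR.

```python
"""Added example, not the author's listener (whose source is not on this page):
a minimal Bitbucket Cloud webhook receiver that turns a "Pull Request created /
updated" event into the PR-decoration Maven command from the post.
Assumptions, not from the page: the payload fields read below follow the
Bitbucket Cloud pull-request webhook shape (repository.full_name and
pullrequest.source.branch.name); the environment-variable and function names
are this script's own."""
import json
import os
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Bitbucket sends the event type in the X-Event-Key header.
HANDLED_EVENTS = {"pullrequest:created", "pullrequest:updated"}

# Branch and slug names come from an external system and end up as Maven
# arguments, so allow only plain ref characters: no whitespace, no "..",
# no leading "-" (which Maven would parse as an option).
SAFE_REF = re.compile(r"^(?!-)(?!.*\.\.)[A-Za-z0-9._/+-]{1,255}$")
SAFE_SLUG = re.compile(r"^[A-Za-z0-9._-]{1,100}$")

# Constructed sample payload (trimmed to the fields this script reads).
SAMPLE_PAYLOAD = (b'{"repository": {"full_name": "acme/shop-api"}, '
                  b'"pullrequest": {"source": {"branch": {"name": "feature/login-fix"}}}}')


def extract_pr(payload: dict) -> dict:
    """Pull account name, repo slug and source branch out of the PR payload,
    rejecting values that would not be safe as command-line arguments."""
    account, slug = payload["repository"]["full_name"].split("/", 1)
    branch = payload["pullrequest"]["source"]["branch"]["name"]
    for label, value, pattern in (("account", account, SAFE_SLUG),
                                  ("slug", slug, SAFE_SLUG),
                                  ("branch", branch, SAFE_REF)):
        if not pattern.match(value):
            raise ValueError(f"refusing unsafe {label}: {value!r}")
    return {"account": account, "slug": slug, "branch": branch}


def build_sonar_command(pr: dict, env) -> list:
    """The decoration command from the post as an argv list (no shell involved).
    Token and OAuth secret come from the environment so they are not committed
    to wrapper scripts or left in shell history; note the plugin's -D interface
    still places them on the Maven process's own command line."""
    required = ("SONAR_HOST_URL", "SONAR_TOKEN", "BB_OAUTH_KEY", "BB_OAUTH_SECRET")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing configuration: {', '.join(missing)}")
    return [
        "mvn", "clean", "verify", "-DskipTests", "sonar:sonar",
        "--batch-mode", "--errors",
        f"-Dsonar.bitbucket.repoSlug={pr['slug']}",
        f"-Dsonar.bitbucket.accountName={pr['account']}",
        f"-Dsonar.bitbucket.branchName={pr['branch']}",
        f"-Dsonar.host.url={env['SONAR_HOST_URL']}",
        f"-Dsonar.login={env['SONAR_TOKEN']}",
        "-Dsonar.analysis.mode=issues",
        f"-Dsonar.bitbucket.oauthClientKey={env['BB_OAUTH_KEY']}",
        f"-Dsonar.bitbucket.oauthClientSecret={env['BB_OAUTH_SECRET']}",
    ]


def handle_event(event_key: str, body: bytes, env, runner=subprocess.Popen) -> tuple:
    """Decide what to do with one webhook delivery; returns (HTTP status, message).
    `runner` is injectable so the logic can be exercised without launching Maven."""
    if event_key not in HANDLED_EVENTS:
        return 204, ""
    try:
        pr = extract_pr(json.loads(body))
        argv = build_sonar_command(pr, env)
    except (KeyError, ValueError, TypeError) as exc:   # malformed or unsafe payload
        return 400, f"bad payload: {exc}"
    except RuntimeError as exc:                          # server-side misconfiguration
        return 500, str(exc)
    # Popen returns immediately: Maven runs for minutes and Bitbucket would
    # otherwise time out the delivery. PROJECT_DIR is the checked-out repo.
    runner(argv, cwd=env.get("PROJECT_DIR", "."))
    return 202, f"analysis started for {pr['account']}/{pr['slug']}@{pr['branch']}"


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/bitbucket/webhook":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        status, message = handle_event(self.headers.get("X-Event-Key", ""),
                                       self.rfile.read(length), os.environ)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", int(os.environ.get("PORT", "8080"))), WebhookHandler).serve_forever()
```

Run it with the four variables set and PROJECT_DIR pointing at the checked-out repository, then point the Bitbucket webhook at <your-server-url:port>/bitbucket/webhook as described in step 2. Anything that is not a pull-request event is acknowledged with 204 and ignored, and a payload whose branch name fails the allow-list is rejected with 400 rather than being handed to Maven.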

We are all done with end to end pull request decoration with sonarqube analysis automation.


Farooq Khan

Hey, I’m Farooq, computer geek, fun friend and prefer coffee over tea. Interested in backend and elastic related stuff. Currently working at @DeliveryHeroSE