Automatically analyze code with SonarQube when a new pull request is created in bitbucket cloud

Praveen Muthukumarana
7 min read · Mar 19, 2019


Prerequisites

A repository created in Bitbucket Cloud.

A Jenkins server instance.

Jenkins documentation.

A SonarQube instance.

SonarQube documentation.

Add the project to SonarQube

In SonarQube go to

Administration > Project > Management

Click Create Project.

Give the project a name and a key. The project key is used to identify the project later.

The new project created is now displayed in the dashboard along with the key we specified.

Set up the Sonar for Bitbucket Cloud add-on

This add-on adds comments with the relevant findings to Bitbucket pull requests after a Sonar analysis has run.

Go to the Atlassian market place.

Atlassian marketplace link.

Install the add-on by clicking the Get it now button.

The add-on is now displayed at the top of all your repositories. It is meant to show statistics about the quality of the code; since we haven't configured it yet, it is disabled.

Basic configuration for the add-on lives in a sonar.json file at the root of the repository. Create this file now.

sonarHost — the public URL of the Sonar instance.

sonarProjectKey — the key specified when creating test-project in SonarQube.

The plugin will now show this message. It says "No Data Available" because we haven't analyzed the project with SonarQube yet.

Analyze project with SonarQube (optional)

If you only want SonarQube to be run from a Jenkins job, skip this section.

Set up sonarqube-cli for your OS.

Documentation.

On Windows, add <path>\sonarqube-cli\bin to the PATH environment variable so that sonar-scanner.bat can be run from anywhere on the command line.

Create a file named sonar-project.properties in the root of the project.

sonar.login — the token you generated when setting up SonarQube for the first time.

sonar.sources — the part of the project we want to analyze. Since this is an Angular project, we only want to analyze what's inside the src folder.

Next, open a terminal and change directory to the root of the project.

Execute this command.

sonar-scanner -X

Note that on Windows sonar-scanner can be invoked directly like this because we added it to the PATH environment variable earlier.

Result

Scan results are shown in the SonarQube instance.

The Sonar for Bitbucket Cloud add-on now displays this data on the repository page.

Install Bitbucket Cloud plugin for SonarQube

This plugin performs a SonarQube analysis and generates the PR comments when a pull request is created.

Documentation on GitHub

Install it in Jenkins according to the instructions given in the documentation.

Note

At the time of writing, v1.2.3 is the latest version of the plugin.

In this version the developer has provided only the source code and not a compiled .jar file. You can build the jar from the source code by following the instructions in the documentation, or use an earlier version (e.g. v1.2.1) for which the jar file is provided.

Releases page

Install Generic Webhook Trigger Plugin in Jenkins

This plugin triggers a Jenkins build when a pull request is made in Bitbucket.

Documentation.

In Jenkins dashboard go to

Manage Jenkins > Manage Plugins > Available

Search and install the plugin.

Install SonarQube Scanner plugin for Jenkins

Documentation.

This is used to execute SonarQube scans from a Jenkins build.

Install it the same way you installed the earlier plugin.

After installing go to

Manage Jenkins > Configure Systems

There will be a section called SonarQube servers.

Add a SonarQube Scanner

Server URL — URL of your SonarQube instance.

Server authentication token — Token generated when initializing the SonarQube instance.

Next, go to

Manage Jenkins > Global Tool Configuration

The Name should be the same as the one you gave earlier in Configure Systems.

Add an installation. In this example, we install it from Maven Central.

Create a Jenkins build

Create a new job called test-project in Jenkins.

If you don’t know how to, follow any of these tutorials.

Configure the Jenkins build

Go to the project and click configure.

Add the repository.

Under Build, tick Generic Webhook Trigger. This is the plugin we installed earlier.

Here, when a PR is created, we store the name of the branch from which the PR was issued in a variable named pr_from_branch.

Other expressions you can use are

For a full list of expressions available refer here.

Give a value for the token. The token will be used to configure the bitbucket webhook later.

Execute SonarQube scanner.

Notice how we are passing the pr_from_branch environment variable from earlier. The branch to build is now determined dynamically when the build runs.

Create a Webhook in bitbucket

A Bitbucket webhook notifies an external URL when changes occur in the repository.

Inside the repository, go to settings.

Click webhooks under WORKFLOW.

Click Add webhook button.

URL — http://<JENKINS_URL>/generic-webhook-trigger/invoke?token=test

test is the token we specified earlier in the Generic Webhook Trigger configuration.

We want to trigger Jenkins when a pull request is made, so only that event is selected.
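As an added illustration (not code from this post, from the plugin or from Jenkins): how the JSONPath expression configured above is resolved against a Bitbucket Cloud pullrequest:created payload, together with the two checks a receiver should make before the value reaches the scanner as pr_from_branch: the ?token= value on the invoke URL is compared in constant time, and the branch name is validated against git ref rules so it can only ever be a single plain argument to the build. The expression is assumed to be $.pullrequest.source.branch.name (the field Bitbucket Cloud uses for the source branch); the payload, the Jenkins URL and the team/repository names are constructed.

```python
# Added illustration, not the plugin's code: the JSONPath the page configures
# (assumed to be $.pullrequest.source.branch.name) applied to a Bitbucket Cloud
# pullrequest:created payload, plus the checks a receiver should make first.
import hmac
import json
import re
from urllib.parse import parse_qs, urlsplit

EXPECTED_TOKEN = "test"  # token configured in the Generic Webhook Trigger job

# Constructed sample payload, trimmed to the fields this page relies on.
SAMPLE_PAYLOAD = json.dumps({
    "pullrequest": {
        "id": 7,
        "source": {"branch": {"name": "feature/login-form"}},
        "destination": {"branch": {"name": "master"}},
    },
    "repository": {"full_name": "example-team/test-project"},
})

def jsonpath_get(doc, path):
    """Walk a '$.'-rooted dotted path (no filters or indexes), as used above."""
    if not path.startswith("$."):
        raise ValueError("only '$.' rooted dotted paths are supported")
    node = doc
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

# Git ref rules that also keep the value safe as a single command argument:
# no whitespace or shell metacharacters, no "..", no leading "-".
SAFE_BRANCH = re.compile(r"^(?!-)(?!.*\.\.)[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

def token_matches(url, expected=EXPECTED_TOKEN):
    """Constant-time comparison of the ?token= value on the invoke URL."""
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    return hmac.compare_digest(token, expected)

def extract_pr_from_branch(url, body):
    """Branch the PR was raised from, or None if the request is rejected."""
    if not token_matches(url):
        return None
    branch = jsonpath_get(json.loads(body), "$.pullrequest.source.branch.name")
    if not isinstance(branch, str) or not SAFE_BRANCH.match(branch):
        return None
    return branch  # value Jenkins would expose as pr_from_branch
```

The same token check is why the invoke URL should be served over HTTPS: the token is the only thing standing between the public webhook endpoint and a build being started.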

Create an OAuth consumer in Bitbucket

Click the profile icon at the bottom left and go to Bitbucket settings.

Click OAuth under ACCESS MANAGEMENT.

The callback URL should be the public address of the SonarQube instance.

A key and a secret are generated.

Add sonarqube properties

If you read the optional section on the sonar-cli analysis, you may remember that we created a sonar-project.properties file in the root of the project. If you didn't, it is the file in which you specify the configuration for a Sonar analysis.

This is the file.

Rather than creating this file, we can add the properties in Jenkins.

How it all works

Create a PR in your repository.

Jenkins will pick this up through the webhook and start a new build.

After the build is complete refresh the PR window.

A new comment is added with the SonarQube analysis.
