At work we have a scramble to use static code analyzers to improve the quality of code in general, both from a security perspective and from a standardization perspective. I have worked with Sonar before, but it has almost always been in the background, alone and forgotten by everyone who is pushing features. Now, those who know me are aware that I prefer early feedback, preferably pre-merge. I like to think of the Patch, Pull or Merge request as the real guard against flinchy developers like myself who don’t have time to run the tests, or check sonar for issues that should be fixed while I’m covering that particular code. This article is about resolving that and getting sonar comments directly on pull-requests.
- TeamCity as a build server
- C# classic as software platform
- MSBuild as a build system
- BitBucket cloud for a source repository
High level design
This is what it looks like from a high level. A Pull-Request in BitBucket triggers a TeamCity job that, in turn, runs the same pull-request builder build-process as would be done with a regular pre-merge job but with a sonar-analysis in preview-mode and a specific sonar-plugin that is able to post comments.
Things you should probably do before delving into all the configuration.
- A specific user that can be named Sonar-Reviewer and added to your team
- A TeamCity instance with at least one agent and MSBuild.exe and Java 8 present in the system
- PullRequest Trigger Plugin
- SonarQube Analyzer for MSBuild Plugin
Make sure you build the pull-request trigger from the master branch if the latest release is still pullrequest-20172603195632, since it needs the fix in this PullRequest by yours truly to be able to post the pull-request id to sonar (mvn package with maven should create the zip you need).
There aren’t that many things to set up for this to work, actually.
Configuration in BitBucket
- Create a private OAuth Application for your Sonar-Reviewer user
- Make sure you grab the OAuth Secret from your OAuth Application
Configuration in Sonar
- If analysis is protected, then create a system user for TeamCity to log in to sonar
- Set the JAVA_HOME variable to where your JRE 8 is for each agent
- Make sure any proxies the agent should use to post to api.bitbucket.org are also specified in the SONAR_SCANNER_OPTS environment variable, either as agent property or as build parameter. In my case I had to set env.SONAR_SCANNER_OPTS=-Dhttp.proxyHost=myproxy.tld -Dhttp.proxyPort=1234 in the
- Configure a pull-request trigger to look like this
- Make sure your VCS root has the following branch specification:
Go to parameters
Go to build steps
- Add Sonar Analysis Begin step
- Set a project key, version and branch as you see fit; they may not be empty, but they are not important for this either
- Add Sonar Analysis Begin with the following huge parameter list as Additional CommandLine Args
Make sure it corresponds to the parameters you added before. Save the build step.
- Add a MSBuild step with whatever targets you want. Sonar for MSBuild suggests
- Add a Sonar Analysis End step with default settings
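
A preflight check for the agent settings described above (JAVA_HOME and the proxy flags in SONAR_SCANNER_OPTS), as an added example that is not part of the original article. The function names are hypothetical, and the check only confirms that a java binary exists under JAVA_HOME, not that it is version 8.

```python
import os
import sys


def parse_scanner_opts(opts):
    """Return the -Dkey=value JVM properties found in a SONAR_SCANNER_OPTS string."""
    props = {}
    for token in (opts or "").split():
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def valid_port(text):
    """True for a decimal TCP port in the range 1..65535."""
    return text.isascii() and text.isdigit() and 0 < int(text) < 65536


def check_agent_env(env, need_proxy=True, java_exists=os.path.isfile):
    """Return a list of problems with the agent settings the article relies on."""
    problems = []
    java_home = env.get("JAVA_HOME", "")
    if not java_home:
        problems.append("JAVA_HOME is not set")
    else:
        # Accept both the Windows and the Unix name of the launcher.
        candidates = [os.path.join(java_home, "bin", n) for n in ("java.exe", "java")]
        if not any(java_exists(path) for path in candidates):
            problems.append("JAVA_HOME has no bin/java: " + java_home)
    if need_proxy:
        # Only needed when the agent reaches api.bitbucket.org through a proxy.
        props = parse_scanner_opts(env.get("SONAR_SCANNER_OPTS", ""))
        if not props.get("http.proxyHost"):
            problems.append("SONAR_SCANNER_OPTS lacks -Dhttp.proxyHost")
        if not valid_port(props.get("http.proxyPort", "")):
            problems.append("SONAR_SCANNER_OPTS lacks a valid -Dhttp.proxyPort")
    return problems


if __name__ == "__main__":
    # Run on the agent itself; a non-zero exit fails the build step early.
    found = check_agent_env(dict(os.environ))
    for problem in found:
        print("preflight:", problem)
    sys.exit(1 if found else 0)
```

Run as the first build step, it fails the job before the analysis starts instead of after the plugin silently fails to post comments.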
At this point you should be able to create a pull-request, see the job trigger in TeamCity and have the sonar-plugin work its magic and post any issues introduced by the PR as comments like this.
I’m especially happy I was able to put this integration in place, seeing as I had no prior C#, Sonar Analysis for MSBuild or TeamCity experience. But it all gets easier with time, and most integrations look similar and require the same kind of tinkering.