At work we have a scramble to use static code analyzers to improve the quality of code in general, both from a security perspective and from a standardization perspective. I have worked with Sonar before, but it has almost always been in the background, alone and forgotten by everyone who is pushing features. Now, those who know me are aware that I prefer early feedback, preferably pre-merge. I like to think of the Patch, Pull or Merge request as the real guard against flinchy developers like myself who don’t have time to run the tests, or check Sonar for issues that should be fixed while I’m covering that particular code. This article is about resolving that and getting Sonar comments directly on pull requests.
Requirement
- TeamCity as a build server
- C# classic as software platform
- MSBuild as a build system
- BitBucket cloud for a source repository
High level design
This is what it looks like from a high level. A Pull-Request in BitBucket triggers a TeamCity job that, in turn, runs the same pull-request builder build-process as would be done with a regular pre-merge job but with a sonar-analysis in preview-mode and a specific sonar-plugin that is able to post comments.
Prerequisites
Things you should probably do before delving into all the configuration.
BitBucket
- A specific user that can be named Sonar-Reviewer and added to your team
TeamCity
- A TeamCity instance with at least one agent and MSBuild.exe and Java 8 present in the system
- PullRequest Trigger Plugin
- SonarQube Analyzer for MSBuild Plugin
Make sure you build the pull-request trigger from the master branch if the latest release is still pullrequest-20172603195632, since it needs the fix in this PullRequest by yours truly to be able to post the pull-request id to Sonar (`mvn package` with Maven should create the zip you need).
SonarQube
- Install latest Sonar Csharp Plugin
- Install latest Sonar BitBucket Plugin
Configuration
There aren’t actually that many things to set up for this to work.
Configuration in BitBucket
- Create a private OAuth Application for your Sonar-Reviewer user
- Make sure you grab the `OAuth Key` and `OAuth Secret` from your OAuth Application
Configuration in Sonar
- If analysis is protected, then create a system user for TeamCity to log in to Sonar
Configure TeamCity
- Set the `JAVA_HOME` variable to where your `JRE 8` is for each agent
- Make sure any proxies the agent should use to post to `api.bitbucket.org` are also specified in the `SONAR_SCANNER_OPTS` environment variable, either as agent property or as build parameter. In my case I had to set `env.SONAR_SCANNER_OPTS=-Dhttp.proxyHost=myproxy.tld -Dhttp.proxyPort=1234` in the `AGENT_HOME/conf/buildAgent.properties`.
- Configure a pull-request trigger to look like this
- Make sure your VCS root has the following branch specification: `+:refs/heads/*`
- Go to parameters
- Go to build steps
- Add Sonar Analysis Begin step
- Set a project key, version and branch as you see fit; they may not be empty, but they are not important for this either
- In the Sonar Analysis Begin step, add the following huge parameter list as `Additional CommandLine Args`:
/d:sonar.analysis.mode=preview
/d:sonar.bitbucket.repoSlug=YOUR_REPOSITORY
/d:sonar.bitbucket.accountName=YOUR_ORGANIZATION_OR_USER
/d:sonar.bitbucket.oauthClientKey=%sonar.bitbucket.oauthClientKey%
/d:sonar.bitbucket.oauthClientSecret=%sonar.bitbucket.oauthClientSecret%
/d:sonar.bitbucket.pullRequestId=%trigger.pullRequestId%
/d:sonar.bitbucket.minSeverity=%sonar.bitbucket.minSeverity%
/d:sonar.bitbucket.approvalFeatureEnabled=%sonar.bitbucket.approvalFeatureEnabled%
/d:sonar.bitbucket.maxSeverityApprovalLevel=%sonar.bitbucket.maxSeverityApprovalLevel%
/d:sonar.bitbucket.buildStatusEnabled=%sonar.bitbucket.buildStatusEnabled%
Make sure it corresponds to the parameters you added before. Save the build step.
- Add an MSBuild step with whatever targets you want. Sonar for MSBuild suggests `MSBuild.exe /t:Rebuild`
- Add a Sonar Analysis End step with default settings
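A pre-flight check for the Begin step's argument list, as an added example that is not part of the original post: it confirms that every `%reference%` resolves to a defined parameter, that the keys needed for pull-request comments are present, and that the OAuth secret is passed as a parameter reference rather than pasted in as a literal. The function name, the choice of which keys count as required, and the sample values are assumptions made for illustration.

```python
import re

# Keys taken from the page's argument list; assumed required for PR comments.
REQUIRED = {"sonar.analysis.mode", "sonar.bitbucket.repoSlug",
            "sonar.bitbucket.accountName", "sonar.bitbucket.oauthClientKey",
            "sonar.bitbucket.oauthClientSecret", "sonar.bitbucket.pullRequestId"}
# Must be a TeamCity %reference%, never a literal pasted into the build step.
SECRET_KEYS = {"sonar.bitbucket.oauthClientSecret"}
ARG_RE = re.compile(r"^/d:([^=\s]+)=(.*)$")
REF_RE = re.compile(r"%([^%\s]+)%")

def check_args(args_text, defined_params):
    """Return a list of problems in the Begin step's Additional CommandLine Args."""
    problems, seen = [], {}
    for line in filter(None, (l.strip() for l in args_text.splitlines())):
        m = ARG_RE.match(line)
        if not m:
            problems.append(f"not a /d:key=value argument: {line}")
            continue
        key, value = m.groups()
        seen[key] = value
        for ref in REF_RE.findall(value):
            if ref not in defined_params:
                problems.append(f"{key}: %{ref}% is not a defined parameter")
        if key in SECRET_KEYS and not REF_RE.fullmatch(value):
            problems.append(f"{key}: literal value, use a parameter reference")
    problems += [f"{key}: missing" for key in sorted(REQUIRED - set(seen))]
    if seen.get("sonar.analysis.mode", "preview") != "preview":
        problems.append("sonar.analysis.mode: must be preview")
    return problems

# Constructed sample: secret pasted inline, one undefined reference, no PR id.
SAMPLE_ARGS = """
/d:sonar.analysis.mode=preview
/d:sonar.bitbucket.repoSlug=YOUR_REPOSITORY
/d:sonar.bitbucket.accountName=YOUR_ORGANIZATION_OR_USER
/d:sonar.bitbucket.oauthClientKey=%sonar.bitbucket.oauthClientKey%
/d:sonar.bitbucket.oauthClientSecret=EXAMPLE-NOT-A-REAL-SECRET
/d:sonar.bitbucket.minSeverity=%sonar.bitbucket.minSeverity%
"""
# Constructed: parameters defined on the build configuration.
SAMPLE_PARAMS = {"sonar.bitbucket.oauthClientKey", "sonar.bitbucket.oauthClientSecret"}

if __name__ == "__main__":
    for problem in check_args(SAMPLE_ARGS, SAMPLE_PARAMS):
        print(problem)
```

Defining `sonar.bitbucket.oauthClientSecret` as a password-type parameter in TeamCity keeps its value masked in the UI and the build log.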
That’s it!
At this point you should be able to create a pull-request, see the job trigger in TeamCity and have the sonar-plugin work its magic and post any issues introduced by the PR as comments like this.
I’m especially happy I was able to put this integration in place, seeing as I had no prior C#, Sonar Analysis for MSBuild or TeamCity experience. But it all gets easier with time, and most integrations look similar and require the same kind of tinkering.