Tags: sonarqube, static-analysis

Can SonarQube analysis be configured for projects in the Git codebase of the project?


I have a SonarQube installation that hosts multiple projects, owned by multiple dev teams. The CI/CD system is locked down. Anyone can make changes through GitOps, but no manual changes through the UI.

We have a tiered set of Quality Gates from minimal (legacy projects, where no prior static analysis was done) through to High Quality (80% code, 5% duplication, 'A' maintainability, etc.), which are enterprise wide. We only use the 'sonar way' quality profile, though.

This is the only part that needs to be manually configured.

Does anyone know of a way to configure the quality profile and set the quality gate on a project-by-project basis, preferably within the codebase for the project?

Previously (when you had a scanner per language, on the build instructions, CheckStyle, etc.) you could have an XML file on the codebase that defined the rules to apply. Does anyone know if there is a way to configure SQ like this?

TBF, at a push I could accept the Quality Gate being manually set, as that only changes wrt the level of quality for a project, not the actual settings of the level.

A bigger problem: we would like the rules that apply to the profile to differ between projects. From reading the docs, this means creating different profiles for each team in SonarQube, and setting the profile to use for the project in the project settings.

Obviously, this means either we give access to teams to create new profiles and manually set the rules to apply in the SQ UI, or we have those teams make requests to a central team with that access to make those changes. This is a problem. Giving teams access may work, but is not ideal as there would be no versioning/auditing of changes. But, I really want to avoid a central team managing the profiles, we're trying to cut down or eliminate handoffs, not add new ones.


Solution

  • SonarQube provides a REST API that can perform various functions, one of which is setting both the quality gate and quality profile of the project. I recently changed our build process (Jenkins scripted pipeline) to use this API to modify the SonarQube project before the scan is run, to ensure it's using the gate and profile that we want.

    For instance, here is an excerpt that shows this being done.

        import groovy.json.JsonSlurper
        import java.net.URLEncoder

        // sonarLogin is a SonarQube user token, passed as the basic-auth user with an empty
        // password. Because it is interpolated into the sh script, Jenkins echoes it to the
        // console log unless the script disables xtrace; for a production pipeline bind it
        // with withCredentials and pass it through the environment instead.
        def qualityGateNameResult =
            sh(returnStdout: true,
               script: "curl -s -f -u ${sonarLogin}: '${sonarHostUrl}/api/qualitygates/get_by_project?project=${URLEncoder.encode(sonarQubeProjectName, 'UTF-8')}'")
        def qualityGateName = new JsonSlurper().parseText(qualityGateNameResult).qualityGate.name
        qualityGateNameResult = null   // drop the raw response; only the name is needed

        if (qualityGateName != expectedQualityGateName) {
            reportWrongSonarQubeQualityGateName(qualityGateName, expectedQualityGateName)
            setQualityGateOnProject(sonarHostUrl, sonarLogin, sonarQubeProjectName, branchName, expectedQualityGateName)
        }


        def setQualityGateOnProject(String sonarHostUrl, String sonarLogin, String sonarQubeProjectName, String branchName, String expectedQualityGateName) {
            // Associate the project with the quality gate. The gate is assigned per project,
            // so branchName is not needed here. -f makes curl exit non-zero (failing the sh
            // step) when the server rejects the request, e.g. an unknown gate name or a token
            // without administer rights on the project.
            sh(script: "curl -s -f -X POST -u ${sonarLogin}: '${sonarHostUrl}/api/qualitygates/select?gateName=${URLEncoder.encode(expectedQualityGateName, 'UTF-8')}&projectKey=${URLEncoder.encode(sonarQubeProjectName, 'UTF-8')}'")
        }
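The reconcile step written out in full, as an added example and not code from the answer above: it reads the desired gate and per-language profiles from a file committed in the repository (a hypothetical `sonar-quality.json`; the file name and its schema are this example's own convention) and pushes them to SonarQube through the Web API endpoints `qualitygates/get_by_project`, `qualitygates/select`, `qualityprofiles/search` and `qualityprofiles/add_project`. The HTTP transport is injectable and `FakeSonarServer` is a constructed in-memory stand-in so the script runs offline; the `SONAR_HOST_URL` / `SONAR_TOKEN` variable names and the `my-project` key are assumptions.

```python
"""Reconcile a SonarQube project's quality gate and quality profiles with a
file committed in the repository, using the SonarQube Web API.

Assumed layout (this example's convention, not SonarQube's): the repo root
carries sonar-quality.json shaped like EXAMPLE_CONFIG, and the CI system
supplies SONAR_HOST_URL and SONAR_TOKEN in the environment.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of the committed file: the enterprise gate the project is
# held to, and the quality profile to use for each language.
EXAMPLE_CONFIG = {
    "qualityGate": "High Quality",
    "qualityProfiles": {"java": "Team A Java", "js": "Sonar way"},
}


def http_call(method, url, params, token):
    """Default transport. A SonarQube user token goes in the basic-auth user
    field with an empty password; GET params travel in the query string,
    POST params as a form body. urlopen raises on HTTP status >= 400."""
    query = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{url}?{query}")
    else:
        req = urllib.request.Request(url, data=query.encode(), method="POST")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


class SonarQuality:
    """Client over the four endpoints the reconcile step needs."""

    def __init__(self, host_url, token, call=http_call):
        self.host = host_url.rstrip("/")
        self.token = token
        self.call = call  # injectable so the logic can run against a fake

    def _api(self, method, path, **params):
        return self.call(method, f"{self.host}/api/{path}", params, self.token)

    def current_gate(self, project_key):
        resp = self._api("GET", "qualitygates/get_by_project", project=project_key)
        return resp["qualityGate"]["name"]

    def current_profiles(self, project_key):
        resp = self._api("GET", "qualityprofiles/search", project=project_key)
        return {p["language"]: p["name"] for p in resp["profiles"]}

    def reconcile(self, project_key, desired):
        """Apply the committed config; return (setting, before, after) for each
        change so the build log records the drift that was corrected."""
        changes = []
        want_gate = desired["qualityGate"]
        have_gate = self.current_gate(project_key)
        if have_gate != want_gate:
            self._api("POST", "qualitygates/select",
                      projectKey=project_key, gateName=want_gate)
            changes.append(("qualityGate", have_gate, want_gate))
        have_profiles = self.current_profiles(project_key)
        for language, want_profile in desired.get("qualityProfiles", {}).items():
            have_profile = have_profiles.get(language)
            if have_profile != want_profile:
                self._api("POST", "qualityprofiles/add_project", project=project_key,
                          language=language, qualityProfile=want_profile)
                changes.append((f"qualityProfile/{language}", have_profile, want_profile))
        return changes


class FakeSonarServer:
    """In-memory stand-in for those endpoints (a constructed test double, not a
    SonarQube component) so the module can be exercised offline."""

    def __init__(self, gate, profiles):
        self.gate = gate
        self.profiles = dict(profiles)  # language -> profile name

    def __call__(self, method, url, params, token):
        path = url.rsplit("/api/", 1)[1]
        if path == "qualitygates/get_by_project":
            return {"qualityGate": {"name": self.gate}}
        if path == "qualityprofiles/search":
            return {"profiles": [{"language": lang, "name": name}
                                 for lang, name in self.profiles.items()]}
        if path == "qualitygates/select":
            self.gate = params["gateName"]
            return {}
        if path == "qualityprofiles/add_project":
            self.profiles[params["language"]] = params["qualityProfile"]
            return {}
        raise ValueError(f"unexpected endpoint {path}")


def load_config(path="sonar-quality.json"):
    with open(path, encoding="utf-8") as f:
        cfg = json.load(f)
    if not isinstance(cfg.get("qualityGate"), str):
        raise ValueError(f"{path}: 'qualityGate' must name a gate")
    return cfg


if __name__ == "__main__":
    if "SONAR_HOST_URL" in os.environ:
        client = SonarQuality(os.environ["SONAR_HOST_URL"], os.environ["SONAR_TOKEN"])
        config = load_config()
    else:  # no server configured: demonstrate against the fake with the sample config
        client = SonarQuality("https://sonar.example.test", "dummy-token",
                              call=FakeSonarServer("Minimal", {"java": "Sonar way"}))
        config = EXAMPLE_CONFIG
    for setting, before, after in client.reconcile("my-project", config):
        print(f"{setting}: {before!r} -> {after!r}")
```

Two caveats when running this in the pipeline. The token must carry either the global "Administer Quality Gates" / "Administer Quality Profiles" permission or "Administer" on the project, so whoever can merge a change to the committed file can now lower a project's gate; put that file under mandatory review (CODEOWNERS or an equivalent) since it is the only remaining control. And this only selects which profile a project uses, not what rules that profile contains; if the rule set itself is to live in Git, the `api/qualityprofiles/backup` and `api/qualityprofiles/restore` endpoints export and import a profile as XML, which can be committed and restored by the same kind of pipeline step.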