One

主题

One2024-12-24
13604
1h9m
Get...

这些配置项都是统一的,目前sonar支持将扫描参数以文件的方式存放或者以命令行传参的方式读取。

文件方式:可以将扫描参数放到项目的根目录或者sonar-scanner的配置文件目录等自定义的目录中;

命令行传参则可以直接将变量传递给sonarsacnner cli -Dsonar.projectKey=xxx 。

==方法2:命令行方式读取扫描参数==(命令行方式会覆盖掉配置文件方式的)

bash
# 指定配置文件sonar-scanner-Dproject.settings=myproject.properties# 命令行传参sonar-scanner-Dsonar.projectKey=myproject-Dsonar.sources=src1

1.Java项目扫描

sonarqube服务器端需要安装Java语言规则插件

image-20230624112316659

bash
sonar-scanner-Dsonar.host.url=http:-Dsonar.projectKey=devops-maven-service \-Dsonar.projectName=devops-maven-service \-Dsonar.projectVersion=1.1 \-Dsonar.login=admin \-Dsonar.password=admin123 \-Dsonar.ws.timeout=30 \-Dsonar.projectDescription="my first project!"\-Dsonar.links.homepage=http:-Dsonar.links.ci=http:-Dsonar.sources=src \-Dsonar.sourceEncoding=UTF-8 \-Dsonar.java.binaries=target/classes \-Dsonar.java.test.binaries=target/test-classes \-Dsonar.java.surefire.report=target/surefire-reports
bash
`sonar.projectKey` 指定项目的关键字`sonar.host.url`指定服务器地址(可以直接在配置文件中写死),`projectName`指定项目的名称, `projectVersion`指定项目的版本(可以用构建时间和构建ID定义),`login`指定登录用户名,`password`指定登录用户密码,`projectDescription`指定项目的描述信息, `links.homepage`指定项目的主页(超链接),`sources`指定扫描的目录, `sourceEncoding`指定扫描时的编码, `java.binaries`指定编译后的类文件目录(必填), `java.test.binaries`指定编译后的测试类目录,`java.surefire.report`指定测试报告目录。
💘 实践:Scanner进行项目代码扫描(测试成功)-2023.6.24

image-20230624112921445

  • 实验环境
bash
sonarqube:9.9.0-community(docker方式部署)SonarScanner4.8.0.2856(部署在宿主机上)

  • 实验软件(无)

  • 手动扫描代码

devops6-maven-service项目里创建sonar-project.properties文件:

yaml
# 定义唯一的关键字sonar.projectKey=devops6-maven-service# 定义项目名称sonar.projectName=devops6-maven-service# 定义项目的版本信息sonar.projectVersion=1.0# 指定扫描代码的目录位置(多个逗号分隔)sonar.sources=.# 执行项目编码sonar.sourceEncoding=UTF-8# 指定sonar Serversonar.host.url=http:# 认证信息sonar.login=adminsonar.password=Admin@123# java classessonar.java.binaries=target/classessonar.java.test.binaries=target/test-classessonar.java.surefire.report=target/surefire-reports

image-20230624115524654

提交。

  • 在本地devops6-maven-service本地项目里,拉取代码,然后扫描
bash
#拉取代码[root@Devops6 devops6-maven-service]#pwd/data/devops6/devops6-maven-service[root@Devops6 devops6-maven-service]#lsmvnwmvnw.cmdpom.xmlsrctarget[root@Devops6 devops6-maven-service]#git pull[root@Devops6 devops6-maven-service]#lsmvnwmvnw.cmdpom.xmlsonar-project.propertiessrctarget#删除之前的打包好的缓存数据[root@Devops6 devops6-maven-service]#rm -rf target/#打包[root@Devops6 devops6-maven-service]#mvn clean package#扫描[root@Devops6 devops6-maven-service]#sonar-scanner

image-20230624120241295

image-20230624120314686

  • 查看扫描报告

image-20230624120342846

测试结束。😘

💘 实践:Scanner进行项目代码扫描(测试成功)-2022.5.24

自己实际测试过程:

  • 克隆devops4-maven-service项目代码到sonarscanner机器:
bash
[root@devops ~]#mkdir sonarProject[root@devops ~]#cd sonarProject/[root@devops sonarProject]#git clone http:Cloninginto'devops4-maven-service'...Usernamefor'http:Passwordfor'http:remote:Enumeratingobjects:52,done.remote:Countingobjects:100%(18/18),done.remote:Compressingobjects:100%(18/18),done.remote:Total52(delta 9),reused 0 (delta0),pack-reused 34Receivingobjects:100%(52/52),56.33 KiB |28.16MiB/s,done.Resolvingdeltas:100%(11/11),done.[root@devops sonarProject]#lsdevops4-maven-service[root@devops sonarProject]#cd devops4-maven-service/[root@devops devops4-maven-service]#lsbuild.shmvnwmvnw.cmdpom.xmlREADME.mdsrc[root@devops devops4-maven-service]#
  • 在该项目目录下创建sonar-project.properties文件:
bash
[root@devops devops4-maven-service]#pwd/root/sonarProject/devops4-maven-service[root@devops devops4-maven-service]#lsbuild.shmvnwmvnw.cmdpom.xmlREADME.mdsrc[root@devops devops4-maven-service]#vim sonar-project.properties# 定义项目关键字sonar.projectKey=devop4-maven-service# 定义项目名称sonar.projectName=devops4-maven-service# 定义项目的版本信息sonar.projectVersion=1.0# 指定扫描代码的目录位置(多个逗号分隔)sonar.sources=src# 执行项目编码sonar.sourceEncoding=UTF-8# 指定sonar Serversonar.host.url=http:# 认证信息sonar.login=adminsonar.password=admin123
  • 进行扫描:
bash
[root@devops devops4-maven-service]#sonar-scanner

此时会发现一个常见的报错:

注意:java类型项目比较特殊,扫描时要先对其进行下编译,因为sonarqube在扫描时需要用到它编译后的类!

  • 此时再编辑下sonar-project.properties内容,并编译下后,再执行下扫描:
bash
[root@devops devops4-maven-service]#vim sonar-project.properties# 定义项目关键字sonar.projectKey=devop4-maven-service# 定义项目名称sonar.projectName=devops4-maven-service# 定义项目的版本信息sonar.projectVersion=1.0# 指定扫描代码的目录位置(多个逗号分隔)sonar.sources=src# 执行项目编码sonar.sourceEncoding=UTF-8# 指定sonar Serversonar.host.url=http:# 认证信息sonar.login=adminsonar.password=admin123sonar.java.binaries=target/classes[root@devops devops4-maven-service]#mvn clean package[root@devops devops4-maven-service]#lsbuild.shmvnwmvnw.cmdpom.xmlREADME.mdsonar-project.propertiessrctarget[root@devops devops4-maven-service]#ls target/classesdemo-0.0.1-SNAPSHOT.jar.originalgenerated-test-sourcesmaven-statusdemo-0.0.1-SNAPSHOT.jargenerated-sourcesmaven-archivertest-classes[root@devops devops4-maven-service]#ls target/classes/application.propertiescomstatic

再次扫描下,查看结果:

bash
[root@devops devops4-maven-service]#ls .scannerwork/css-bundlereport-task.txt[root@devops devops4-maven-service]#cat .scannerwork/report-task.txt projectKey=devop4-maven-serviceserverUrl=http:serverVersion=8.9.8.54436dashboardUrl=http:ceTaskId=AYD2jY87VkQu9X-kQ24qceTaskUrl=http:sonar.projectVersion=2.0

再次扫描下,再来看下效果: sonar-scanner 此时就可以看到新代码这里显示的bug数了:

⚠️ 注意:这里的sonar-project.properties文件名是不能变的!

测试结束。😘

2.Web前端项目扫描

image-20220526160925155

bash
sonar-scanner\-Dsonar.projectKey=demo-devops-ui\-Dsonar.projectName=demo-devops-ui\-Dsonar.sources=src\-Dsonar.host.url=http:-Dsonar.login=0809881d71f2b06b64786ae3f81a9acf22078e8b\-Dsonar.projectVersion=2.0\-Dsonar.ws.timeout=30\-Dsonar.projectDescription="my first project!"\-Dsonar.links.homepage=http:-Dsonar.links.ci=http:-Dsonar.sourceEncoding=UTF-8

3.Golang项目扫描

image-20220526160958659

bash
sonar-scanner-Dsonar.projectKey=devops-golang-service\-Dsonar.projectName=devops-golang-service \-Dsonar.sources=src \-Dsonar.login=admin \-Dsonar.password=admin \-Dsonar.host.url=http:## 有测试用例的情况sonar.exclusions=***_test.go

4、CI流水线集成

1.JenkinsPipeline集成

本次集成重点演示两种方式: 1. 使用命令行方式 2. 使用Jenkins扩展插件的方式。

(1)使用命令行方式

💘 实践:Jenkins集成SonarQube(命令行方式)(测试成功)-2023.6.24
  • 实验环境
bash
jenkins/jenkins:2.346.3-2-lts-jdk11gitlab/gitlab-ce:15.0.3-ce.0sonarqube:9.9.0-communitySonarScanner4.8.0.2856
  • 实验软件

链接:https:}

image-20230624212603600

bash
# 定义唯一的关键字sonar.projectKey=devops6-maven-service# 定义项目名称sonar.projectName=devops6-maven-service# 定义项目的版本信息sonar.projectVersion=1.0# 指定扫描代码的目录位置(多个逗号分隔)sonar.sources=.# 执行项目编码sonar.sourceEncoding=UTF-8# 指定sonar Server# sonar.host.url=http:# 认证信息# sonar.login=admin# sonar.password=Admin@123# java classessonar.java.binaries=target/classessonar.java.test.binaries=target/test-classessonar.java.surefire.report=target/surefire-reports

我们期待的写法是这样的:

image-20230624213624271

groovy
@Library("devops06@main") _defbuild =neworg.devops.Build()pipeline {agent {label "build"}stages{stage("CheckOut"){steps{script{build.CheckOut()}}}stage("Build"){steps{script{build.Build()}}} stage("CodeScan"){steps{script{withCredentials([usernamePassword(credentialsId:'003d1667-653e-40f3-8103-b74614643aba',passwordVariable:'SONAR_PASSWD',usernameVariable:'SONAR_USER')]) {sh """/data/devops6/sonar-scanner-4.8.0.2856-linux/bin/sonar-scanner \-Dsonar.login=${SONAR_USER} \-Dsonar.password=${SONAR_PASSWD} \-Dsonar.host.url=http:"""}}}}}}

image-20230624215259682

提交。

image-20230624215316515

image-20230624215232679

可以看到,代码检查步骤也是ok的。

image-20230624215409500

测试结束。😘

💘 实践:Jenkins PipeLine中的代码扫描(测试成功)-2022.5.25

image-20220525215102758

也就是来到Gitlab的devops4-maven-service项目下,创建一个sonar-project.properties文件,并提交:

image-20220525210706283

bash
# 定义项目关键字sonar.projectKey=devop4-maven-service# 定义项目名称sonar.projectName=devops4-maven-service# 定义项目的版本信息sonar.projectVersion=2.0# 指定扫描代码的目录位置(多个逗号分隔)sonar.sources=src# 执行项目编码sonar.sourceEncoding=UTF-8# 指定sonar Serversonar.host.url=http:# 认证信息sonar.login=adminsonar.password=admin123sonar.java.binaries=target/classes

image-20220525211340725

可以看到能够正常运行流水线。

image-20220525212023657

image-20220525212120228

完整Jenkinsfile代码如下:

groovy
@Library("mylib@main") _ importorg.devops.*defcheckout =newCheckout() defbuild =newBuild()defunittest =newUnitTest()pipeline {agent {label "build"}options {skipDefaultCheckout true}stages{stage("Checkout"){steps{script {println("GetCode")checkout.GetCode("${env.srcUrl}","${env.branchName}")}}}stage("Build"){steps{script{println("Build")sh "${env.buildShell}"}}}stage("CodeScan"){steps{script{cliPath="/usr/local/sonar-scanner/sonar-scanner-4.7.0.2747-linux/bin"sh "${cliPath}/sonar-scanner"}}}}}

image-20220525215313708

image-20220525215435863

随便找一个流水线项目,利用流水线语法-片段生成器,来生成代码:

image-20220525215725362

image-20220525215822362

image-20220525215836066

groovy
withCredentials([usernamePassword(credentialsId:'79d8f75b-3733-49f4-950f-19f8480fda03',passwordVariable:'SONAR_PASSWD',usernameVariable:'SONAR_USER')]) {}
groovy
@Library("mylib@main") _ importorg.devops.*defcheckout =newCheckout() defbuild =newBuild()defunittest =newUnitTest()pipeline {agent {label "build"}options {skipDefaultCheckout true}stages{stage("Checkout"){steps{script {println("GetCode")checkout.GetCode("${env.srcUrl}","${env.branchName}")}}}stage("Build"){steps{script{println("Build")sh "${env.buildShell}"}}}stage("CodeScan"){steps{script{cliPath="/usr/local/sonar-scanner/sonar-scanner-4.7.0.2747-linux/bin"withCredentials([usernamePassword(credentialsId:'79d8f75b-3733-49f4-950f-19f8480fda03',passwordVariable:'SONAR_PASSWD',usernameVariable:'SONAR_USER')]) {sh """${cliPath}/sonar-scanner \-Dsonar.login=${SONAR_USER} \-Dsonar.password=${SONAR_PASSWD} \-Dsonar.projectVersion=${env.branchName}"""}}}}}}

写好后提交:

记得要把devops4-maven-service项目的sonar-project.propertries文件里的相关信息给注释掉:

image-20220526074100772

以上代码都修改完成后,进行提交,再来到jenkins上进行构建。

image-20220526074434831

image-20220526074827725

image-20220526074859189

进一步优化下jenkins共享库里的代码:

创建srg/org/devops/Sonar.groovy文件:

groovy
packageorg.devopsdefCodeScan(branchName){cliPath="/usr/local/sonar-scanner/sonar-scanner-4.7.0.2747-linux/bin"withCredentials([usernamePassword(credentialsId:'79d8f75b-3733-49f4-950f-19f8480fda03',passwordVariable:'SONAR_PASSWD',usernameVariable:'SONAR_USER')]) {sh """${cliPath}/sonar-scanner \-Dsonar.login=${SONAR_USER} \-Dsonar.password=${SONAR_PASSWD} \-Dsonar.projectVersion=${branchName}"""}}

编写Jenkinsfile里的代码:

bash
@Library("mylib@main") _ 
importorg.devops.*defcheckout=newCheckout() defbuild=newBuild()defunittest=newUnitTest()defsonar=newSonar() pipeline{agent{label"build"}options{skipDefaultCheckouttrue}stages{stage("Checkout"){steps{script{println("GetCode")checkout.GetCode("${env.srcUrl}","${env.branchName}")}}}stage("Build"){steps{script{println("Build")sh"${env.buildShell}"}}}stage("CodeScan"){steps{script{profileName ="${JOB_NAME}".split("-")[0]sonar.Init("${JOB_NAME}","java",profileName)sonar.CodeScan("${env.branchName}")}}}}}

注意:也要保证devops4-maven-service项目里sonar-project.properties文件的配置正确:

image-20220527200544085

image-20220527200527645

image-20220527200453554

image-20220527200437075

符合预期。😘

6、其他日常使用实践

image-20230625002555845

1.规则的禁用与启用

目的: 掌握默认规则中的一部分规则如何激活和禁用。

质量规则、质量阈--这一般是由TeamLeader、开发人员去指定的。

进入质量配置页面, 可以看到所有的语言规则配置。在这里可以看到规则的使用情况。

image-20220526163338496

这里假设我要调整Go语言的规则配置, 点击规则数量数字。

image-20220526163411808

image-20220526163432210

创建新的规则集:

image-20220526163507119

点击更多激活规则, 进入规则设置页面。

image-20220526163534952

激活或者下线规则。(活动/挂起)

image-20220526163558278

使用规则: 先在页面配置项目,然后使用SonarScanner扫描。

image-20220526163638026

💘 实践:新建SonarQube质量配置(测试成功)-2023.6.25

自己测试过程:

  • 测试环境
bash
sonarqube:9.9.0-community
  • 创建新的质量配置

image-20230625061319404

  • 给特定的配置规则指定项目

image-20230625061514779

image-20230625061521958

  • 激活更多规则

image-20230625061716716

image-20230625061748202

image-20230625061807466

完成。

2.质量阈的配置

目的: 适用于以质量门禁作为交付关卡。

image-20220526164453427

image-20220526164523681

💘 实践:新建SonarQube质量阈(测试成功)-2023.6.25

自己测试过程:

  • 测试环境
bash
sonarqube:9.9.0-community
  • 创建新的质量阈

image-20230625062234005

  • 给新创建的质量阈指定项目

image-20230625062329756

  • 也可以添加新的条件

image-20230625062459190

找一个具有大量单元测试的项目, 然后集成jacoco插件,生成覆盖率报告,最后由sonar收集。

  • Maven集成Jacoco(本次在gitlab的devops4-maven-service项目里的pom.xml里修改)

添加jacoco-maven-pluginjunit插件。

json
<dependencies><dependency><groupId>org.jacoco</groupId><artifactId>jacoco-maven-plugin</artifactId><version>0.8.2</version><scope>test</scope></dependency><dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version><scope>test</scope></dependency></dependencies>

添加插件:

json
<plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.6.1</version><configuration><skipMain>true</skipMain><skip>true</skip><source>1.8</source><target>1.8</target></configuration></plugin><plugin><groupId>org.jacoco</groupId><artifactId>jacoco-maven-plugin</artifactId><version>0.7.5.201505241946</version><executions><execution><id>prepare-agent</id><goals><goal>prepare-agent</goal></goals></execution><execution><id>report</id><phase>prepare-package</phase><goals><goal>report</goal></goals></execution><execution><id>post-unit-test</id><phase>test</phase><goals><goal>report</goal></goals><configuration><dataFile>target/jacoco.exec</dataFile><outputDirectory>target/jacoco-reports</outputDirectory></configuration></execution></executions><configuration><systemPropertyVariables><jacoco-agent.destfile>target/jacoco.exec</jacoco-agent.destfile></systemPropertyVariables></configuration></plugin>
  • SonarQube安装Jacoco插件(8.9.1 版本可以跳过,已经集成

https:sonar.core.codeCoveragePlugin=jacoco# 指定exec二进制文件存放路径sonar.jacoco.reportPaths=target/jacoco.exec

bash
cddevops-jacoco-service/sonar-scanner-Dsonar.host.url=http:-Dsonar.projectKey=devops-jacoco-service \-Dsonar.projectName=devops-jacoco-service \-Dsonar.projectVersion=1.0 \-Dsonar.login=admin \-Dsonar.password=admin \-Dsonar.ws.timeout=30 \-Dsonar.projectDescription="my first project!"\-Dsonar.links.homepage=http:-Dsonar.sources=src \-Dsonar.sourceEncoding=UTF-8 \-Dsonar.java.binaries=target/classes \-Dsonar.java.test.binaries=target/test-classes \-Dsonar.java.surefire.report=target/surefire-reports \-Dsonar.core.codeCoveragePlugin=jacoco \-Dsonar.jacoco.reportPaths=target/jacoco.exec

image-20220526195904254

image-20220526200141381

image-20220526200304214

==测试效果:(失败)==---老师当时这里也是没做实际测试的!

测试时间:2023年6月25日

测试环境:

bash
apache-maven-3.9.2jenkins/jenkins:2.346.3-2-lts-jdk11gitlab/gitlab-ce:15.0.3-ce.0sonarqube:9.9.0-communitySonarScanner4.8.0.2856

当前maven版本无jacoco插件:

image-20230625070317135

构建失败:

image-20230625070530207

image-20230625070632543

4.多分支代码扫描

https:dockerexec-itsonarqubebashcd/opt/sonarqube/lib/commoncp../../extensions/plugins/sonarqube-community-branch-plugin-1.3.2./exitdockerrestartsonarqube## 持久化lib目录后[root@zeyang-nuc-service sonarqube]# lssonarqube_confsonarqube_datasonarqube_extensionssonarqube_libsonarqube_logs[root@zeyang-nuc-service sonarqube]# cp /root/sonarqube-community-branch-plugin-1.3.2.jar sonarqube_extensions/plugins/[root@zeyang-nuc-service sonarqube]# chmod +x sonarqube_extensions/plugins/sonarqube-community-branch-plugin-1.3.2.jar[root@zeyang-nuc-service sonarqube]#[root@zeyang-nuc-service sonarqube]#[root@zeyang-nuc-service sonarqube]# cp /root/sonarqube-community-branch-plugin-1.3.2.jar sonarqube_lib/common/[root@zeyang-nuc-service sonarqube]# chmod +x sonarqube_lib/common/sonarqube-community-branch-plugin-1.3.2.jar[root@zeyang-nuc-service sonarqube]#dockerrestartsonarqube

image-20220528092757954

bash
##扫描参数增加 –Dsonar.branch.name=sonar-scanner-Dsonar.host.url=http:-Dsonar.projectKey=devops-maven2-service \-Dsonar.projectName=devops-maven2-service \-Dsonar.projectVersion=1.0 \-Dsonar.login=admin \-Dsonar.password=admin \-Dsonar.ws.timeout=30 \-Dsonar.projectDescription="my first project!"\-Dsonar.links.homepage=http:-Dsonar.links.ci=http:-Dsonar.sources=src \-Dsonar.sourceEncoding=UTF-8 \-Dsonar.java.binaries=target/classes \-Dsonar.java.test.binaries=target/test-classes \-Dsonar.java.surefire.report=target/surefire-reports \-Dsonar.branch.name=release-1.1.1

⚠️ 注意:需要先把主分支扫描一遍,不然会报错。

bash
ERROR:ErrorduringSonarScannerexecutionERROR:Nobranchescurrentlyexistinthisproject.Pleasescanthemainbranchwithoutpassinganybranchparameters.ERROR:ERROR:Re-runSonarScannerusingthe-Xswitchtoenablefulldebuglogging.

2. Sonar 8.9.1 版本

新版本插件的配置有变化,效果和使用方式不变。

  1. 将插件下载到extensions/plugins/目录。
  2. 更新sonar服务端的配置文件。
  3. 重启docker restart sonarqube 。
bash
# cd /data/cicd2/sonarqube/# lssonarqube_confsonarqube_datasonarqube_extensionssonarqube_logs# cat sonarqube_conf/sonar.propertiessonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.8.1.jar=websonar.ce.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.8.1.jar=ce# ls sonarqube_extensions/plugins/sonar-gitlab-plugin-4.1.0-SNAPSHOT.jarsonar-l10n-zh-plugin-8.9.jarsonarqube-community-branch-plugin-1.8.0.jar
  • 源文档描述:
bash
1.CopythepluginJARfiletotheextensions/plugins/directoryofyourSonarQubeinstance2.Add-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-${version}.jar=webtothesonar.web.javaAdditionalOptionspropertyinyourSonarqubeinstallation's config/sonar.properties file,e.g. sonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.8.0.jar=web3. Add -javaagent:./extensions/plugins/sonarqube-community-branch-plugin-${version}.jar=ce to the sonar.ce.javaAdditionalOptions property in your Sonarqube installation'sconfig/sonar.propertiesfile,e.g.sonar.ce.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.8.0.jar=ce4.StartSonarqube,andacceptthewarningaboutusingthird-partyplugins

image-20220528092936614

💘 实践:SonarQube多分支代码扫描(测试成功)-2023.6.25

image-20220528145709149

  • 实验环境
bash
jenkins/jenkins:2.346.3-2-lts-jdk11gitlab/gitlab-ce:15.0.3-ce.0sonarqube:9.9.0-communitySonarScanner4.8.0.2856
  • 实验软件(无)
  • 我们可以看到这里默认是没有其他分支的:

image-20230625073331766

  • 官网下载插件:

https:[root@Devops6 ~]#cd /data/devops6/sonarqube/[root@Devops6 sonarqube]#lssonarqube_confsonarqube_datasonarqube_extensionssonarqube_logs[root@Devops6 sonarqube]#cd sonarqube_extensions/plugins/[root@Devops6 plugins]#lssonar-l10n-zh-plugin-9.9.jar[root@Devops6 plugins]#wget https:[root@Devops6 plugins]#ll -htotal13M-rw-r--r--11000100069KJun2408:17sonar-l10n-zh-plugin-9.9.jar-rw-r--r--1rootroot13MDec3123:46sonarqube-community-branch-plugin-1.14.0.jar[root@Devops6 plugins]##(2)更新sonar服务端的配置文件[root@Devops6 sonarqube]#pwd/data/devops6/sonarqube[root@Devops6 sonarqube]#lssonarqube_confsonarqube_datasonarqube_extensionssonarqube_logs[root@Devops6 sonarqube]#cd sonarqube_conf/[root@Devops6 sonarqube_conf]#ls[root@Devops6 sonarqube_conf]#vim sonar.properties #这里新建次文件sonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=websonar.ce.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.14.0.jar=ce#(3)重启sonarqube[root@Devops6 ~]#docker restart sonarqube9

重启sonarqube完成后,就可以看到这里的项目出现了分支字样:

image-20230625074748550

image-20230625074854064

image-20230625075339301

groovy
@Library("devops06@main") _defbuild =neworg.devops.Build()pipeline {agent {label "build"}stages{stage("CheckOut"){steps{script{build.CheckOut()}}}stage("Build"){steps{script{build.Build()}}} stage("CodeScan"){steps{script{withSonarQubeEnv(credentialsId:'bdefe5e2-62a0-4e20-bf5a-51abedfe6df1') {sh """/data/devops6/sonar-scanner-4.8.0.2856-linux/bin/sonar-scanner \-Dsonar.login=${SONAR_AUTH_TOKEN} \-Dsonar.host.url=${SONAR_HOST_URL} \-Dsonar.branch.name=${env.branchName}"""}}}}}}

提交。

image-20230625075253222

image-20220528112618449

image-20230625075316457

符合预期,测试结束。😘

5.扫描结果关联commitid

⚠️ 注意:

7.几,8.几的版本有这个插件,但9版本已经不支持次功能了。

提前装好插件:https:# chmod +x /data/cicd/sonarqube/sonarqube_extensions/plugins/sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar# docker restart sonarqube

image-20220528152445659

bash
-Dsonar.gitlab.failure_notification_mode值为commit-status表示更改提交状态,值为nothing不做任何动作。
bash
sonar-scanner-Dsonar.host.url=http:-Dsonar.projectKey=devops-jacoco-service \-Dsonar.projectName=devops-jacoco-service \-Dsonar.projectVersion=1.0 \-Dsonar.login=0809881d71f2b06b64786ae3f81a9acf22078e8b \-Dsonar.ws.timeout=30 \-Dsonar.projectDescription="my first project!"\-Dsonar.links.homepage=http:-Dsonar.sources=src \-Dsonar.sourceEncoding=UTF-8 \-Dsonar.java.binaries=target/classes \-Dsonar.java.test.binaries=target/test-classes \-Dsonar.java.surefire.report=target/surefire-reports \-Dsonar.core.codeCoveragePlugin=jacoco \-Dsonar.jacoco.reportPaths=coverage/jacoco.exec \-Dsonar.gitlab.commit_sha=f898a9fdbd319e68d519aa2ff42ad80da5186103 \-Dsonar.gitlab.ref_name=main \-Dsonar.gitlab.project_id=37 \-Dsonar.dynamicAnalysis=reuseReports \-Dsonar.gitlab.failure_notification_mode=commit-status \-Dsonar.gitlab.url=http:-Dsonar.gitlab.user_token=CwmDA_4TKevDPRh4_SEf \-Dsonar.gitlab.api_version=v4

image-20220528152526270

1.静态配置

💘 实践:扫描结果关联commitid(静态配置)(测试failed)-2022.6.3

image-20220604093406610

自己实际测试过程:

  • 安装插件:

提前装好插件:https:[root@devops ~]#ll -h sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar-rw-r--r--1rootroot9.9MMay2815:43sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar[root@devops ~]#docker cp sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar sonarqube:/opt/sonarqube/extensions/plugins#(2)重启sonarqube容器[root@devops ~]#docker restart sonarqubesonarqube

image-20220528154004111

image-20220528154114783

找一次commit信息:并拷贝commitid

5abc33244088898bdfb494ed0a3fc134ab0f5c80

image-20220528154447483

可以看到这里的评论是空的:

image-20220528154529245

image-20220528162246486

编辑,提交后构建运行,观察效果:

image-20220528162639835

image-20220528163644963

但是自己是没有效果的:……

好奇怪:

image-20220528195546475

==老师这里是有效果的==:😥

image-20220528195636389

image-20220528195702007

好奇怪……😥

这里先放在这里,先进行动态配置,观察效果。

2.动态配置

💘 实践:扫描结果关联commitid(动态配置)(测试成功)-2022.6.3

image-20220604093420729

image-20220604093454668

bash
-Dsonar.gitlab.commit_sha=f898a9fdbd319e68d519aa2ff42ad80da5186103\-Dsonar.gitlab.ref_name=main \-Dsonar.gitlab.project_id=37 \-Dsonar.dynamicAnalysis=reuseReports \-Dsonar.gitlab.failure_notification_mode=commit-status \-Dsonar.gitlab.url=http:-Dsonar.gitlab.user_token=CwmDA_4TKevDPRh4_SEf \-Dsonar.gitlab.api_version=v4
groovy
defGetCommitID(){ID=sh returnStdout:true,script:"git rev-parse HEAD"returnID-"\n"}[root@devopsdevops4-maven-service]#git rev-parse HEADb1087191a26bf36b7f77f31093a9e226a8846674

因为我们是有规范的,jenkins的作业name和gitlab的项目是保持一致的:

image-20220529082809298

image-20220529083616704

bash
curl--location--requestGET'http:--header 'PRIVATE-TOKEN:MhEV52bNpbUnnSfNg1nc'\--header 'Authorization:Basic YWRtaW46YWRtaW4xMjM='

如果获取一个不存在的项目的话,这里返回值为空。

image-20220529091336258

完整代码:

groovy
pipeline {agent {label "build"}stages {stage("Run") {steps{script{commitID =GetCommitID()groupName ="${JOB_NAME}".split('-')[0]projectID =GetProjectID("${JOB_NAME}",groupName)println("commitID:${commitID}")println("projectID:${projectID}")}}}}}defGetCommitID(){ID=sh returnStdout:true,script:"git rev-parse HEAD"returnID-"\n"}defGetProjectID(projectName,groupName){response =sh returnStdout:true,script:"""curl --location --request GET \http:--header 'PRIVATE-TOKEN:MhEV52bNpbUnnSfNg1nc'\--header 'Authorization:Basic YWRtaW46YWRtaW4xMjM='"""response =readJSON text:responseif(response !=[]){for(p inresponse) {if(p["namespace"]["name"] ==groupName){returnresponse[0]["id"]}}}}

运行后效果如下:

image-20220529183235881

符合预期,但是注意下,这个commitID好像不是最新一次的commitID……

共享库例的代码如下:

Jenkinsfile

groovy
@Library("mylib@main") _ importorg.devops.*defcheckout =newCheckout() defbuild =newBuild()defunittest =newUnitTest()defsonar =newSonar()defgitcli =newGitLab()pipeline {agent {label "build"}options {skipDefaultCheckout true}stages{stage("Checkout"){steps{script {println("GetCode")checkout.GetCode("${env.srcUrl}","${env.branchName}")}}}stage("Build"){steps{script{println("Build")sh "${env.buildShell}"}}}stage("CodeScan"){steps{script{profileName ="${JOB_NAME}".split("-")[0]sonar.Init("${JOB_NAME}","java",profileName)commitID =gitcli.GetCommitID()groupName =profileNameprojectID =gitcli.GetProjectID("${JOB_NAME}",groupName)sonar.CodeScan("${env.branchName}",commitID,projectID)}}}}}

image-20220603172100559

GitLab.groovy

image-20220604091428000

groovy
packageorg.devopsdefGetCommitID(){ID=sh returnStdout:true,script:"git rev-parse HEAD"returnID-"\n"}defGetProjectID(projectName,groupName){response =sh returnStdout:true,script:"""curl --location --request GET \http:--header 'PRIVATE-TOKEN:MhEV52bNpbUnnSfNg1nc'\--header 'Authorization:Basic YWRtaW46YWRtaW4xMjM='"""response =readJSON text:responseif(response !=[]){for(p inresponse) {if(p["namespace"]["name"] ==groupName){returnresponse[0]["id"]}}}}

可以看到,构建成功:

image-20220604091622213

在gitlab的devops4-maven-service项目的commit查看效果:

image-20220604091725749

符合预期,测试结束。😘

6.控制代码扫描步骤运行

groovy
stage("SonarScan"){when {environment name:'skipSonar',value:'false'}}

image-20220529075645233

image-20220529075703587

💘 实践:SonarQube控制代码扫描步骤运行(测试成功)-2023.6.25

自己测试过程:

bash
jenkins/jenkins:2.346.3-2-lts-jdk11gitlab/gitlab-ce:15.0.3-ce.0sonarqube:9.9.0-communitySonarScanner4.8.0.2856

修改Jenkinsfile共享库里的下代码,添加when片段:

image-20230625125723186

image-20230625125806038

不扫描代码:

image-20230625125836029

image-20230625125824376

image-20230625125932868

扫描代码:

image-20230625125844404

image-20230625125906993

可以看到,本次就跳过代码扫描了。

测试结束。😘

FAQ

sonarQube漏洞

sonarQube也很危险,之前暴露过很多漏洞,因为你的源代码也会在sonarQube里保留下来。

sonarQube版本

bash
SonarQube:之前6版本还支持Mysql,现在的7版本不支持Mysql了,也是Jdk11了;要升级的话:1.jdk要升级到jdk11;2.数据库:要做迁移的;多分支代码扫描是企业版本的一个特性,但开源版本有一个插件,可以实现这个功能。

snoar:代码扫描工具

sonar 代码质量检查:硬编码检查,安全检查,单元测试是否通过,代码质量

snoar:

SonQuar:5-9版本

企业里,6版本应该用的比较多些。

6版本是支持mysql的。

但7版本后,不支持mysql了。

image-20230624101529609

jdk版本需要注意:

从7开始,jdk就11以上了。

image-20230623105946080

Mysql-->迁移到 PG数据库。

image-20230623110031496

课程里使用docker安装的SonarQube。

image-20230623110121028

新版本已经集成了各语言规则插件

image-20230624112212379

SonarQube中各种语言的扫描规则都是以jar包的方式。在SonarQube8.9.1之前版本,默认没有安装语言规则插件, 需要手动安装。 服务端安装Java Code Quality and Security,SonarJS SonarGO插件,并重启服务器。(如果这里由于网速原因下载不了插件,可以使用课程提供的压缩包,解压到downloads目录下然后重启sonarqube) 由于本次实验使用的是SonarQube8.9.1版本,所以不用在手动安装语言插件了。

bash
[root@devops ~]#docker exec -it sonarqube bashbash-5.1#cd/opt/sonarqube/lib/extensions/bash-5.1#lssonar-csharp-plugin-8.22.0.31243.jarsonar-jacoco-plugin-1.1.1.1157.jarsonar-python-plugin-3.4.1.8066.jarsonar-css-plugin-1.4.2.2002.jarsonar-java-plugin-6.15.1.26025.jarsonar-ruby-plugin-1.8.3.2219.jarsonar-flex-plugin-2.6.1.2564.jarsonar-javascript-plugin-7.4.4.15624.jarsonar-scala-plugin-1.8.3.2219.jarsonar-go-plugin-1.8.3.2219.jarsonar-kotlin-plugin-1.8.3.2219.jarsonar-vbnet-plugin-8.22.0.31243.jarsonar-html-plugin-3.4.0.2754.jarsonar-php-plugin-3.17.0.7439.jarsonar-xml-plugin-2.2.0.2973.jarbash-5.1#

如果低于该版本,可以参考如下操作。(可选,跳过)

bash
[root@zeyang-nuc-service ~]# cd /data/cicd/plugin-sonar/[root@zeyang-nuc-service plugin-sonar]# lssonar-go-plugin-1.6.0.719.jarsonar-l10n-zh-plugin-1.29.jarsonar-java-plugin-6.3.2.22818.jarsonar-typescript-plugin-2.1.0.4359.jarsonar-javascript-plugin-6.2.2.13315.jar[root@zeyang-nuc-service plugin-sonar]# cp sonar-go-plugin-1.6.0.719.jar sonar-java-plugin-6.3.2.22818.jar sonar-javascript-plugin-6.2.2.13315.jar sonar-typescript-plugin-2.1.0.4359.jar /data/cicd/sonarqube/sonarqube_extensions/downloads/[root@zeyang-nuc-service plugin-sonar]# ls /data/cicd/sonarqube/sonarqube_extensions/downloads/sonar-go-plugin-1.6.0.719.jarsonar-javascript-plugin-6.2.2.13315.jarsonar-java-plugin-6.3.2.22818.jarsonar-typescript-plugin-2.1.0.4359.jar[root@zeyang-nuc-service plugin-sonar]# chmod +x /data/cicd/sonarqube/sonarqube_extensions/downloads/*[root@zeyang-nuc-service plugin-sonar]# ls /data/cicd/sonarqube/sonarqube_extensions/downloads/sonar-go-plugin-1.6.0.719.jarsonar-javascript-plugin-6.2.2.13315.jarsonar-java-plugin-6.3.2.22818.jarsonar-typescript-plugin-2.1.0.4359.jar[root@zeyang-nuc-service plugin-sonar]# docker restart sonarqubesonarqube

GitLabCI-实践

🍀 老师之前写的一个python代码,可以拿来即用:

python
importos importrequestsimportjsonimportsysclassSonarQube(object):def__init__(self,project_name,lang,profile_name,cmds):self.server_api ="http:self.auth_token ="YWRtaW46YWRtaW4xMjM="self.project_name =project_nameself.lang =langself.profile_name =profile_nameself.cmds =cmdsdefhttp_req(self,method,apiUrl):url =self.server_api +apiUrlpayload={}headers ={'Authorization':'Basic '+self.auth_token}response =requests.request(method,url,headers=headers,data=payload)print(response.text)ifresponse.text !="":data =json.loads(response.text)returndatareturn{}defSearchProject(self):"""查找项目"""url ="projects/search?projects="+self.project_nameresponse =self.http_req("GET",url)ifresponse["paging"]["total"] ==0:returnFalsereturnTruedefCreateProject(self):"""创建项目"""apiUrl ="projects/create?name={0}&project={1}".format(self.project_name,self.project_name)response =self.http_req("POST",apiUrl)try:ifresponse["project"]["key"] ==self.project_name:returnTrueexceptExceptionase :print(e)print(response["errors"])returnFalsedefUpdateQualityProfiles(self):apiUrl ="qualityprofiles/add_project?language={0}&project={1}&qualityProfile={2}".format(self.lang,self.project_name,self.profile_name)response =self.http_req("POST",apiUrl)try:print("ERROR:UpdateQualityProfiles{0}...".format(response["errors"]))returnFalseexceptExceptionase :print(e)print("SUCCESS:UpdateQualityProfiles {0}>{1}>${2}".format(self.lang,self.project_name,self.profile_name))returnTruedefSonarScan(self):result =os.system(self.cmds)ifresult ==0:returnTruereturnFalsedefrun(self):ifnotself.SearchProject():self.CreateProject()self.UpdateQualityProfiles()returnself.SonarScan()if__name__=='__main__':lang =sys.argv[1]profile_name =sys.argv[2]CI_PROJECT_NAME,CI_COMMIT_SHA,SONAR_AUTH_TOKEN,CI_PROJECT_TITLE,CI_PROJECT_URL,CI_PIPELINE_URL,CI_COMMIT_REF_NAME,CI_PROJECT_ID,CI_SERVER_URL,GITLAB_ADMIN_TOKEN=sys.argv[3:]print(CI_PROJECT_NAME)sonarcmds ="""sonar-scanner \-Dsonar.host.url=http:-Dsonar.projectKey={0}\-Dsonar.projectName={0}\-Dsonar.projectVersion={1}\-Dsonar.login={2}\-Dsonar.ws.timeout=30 \-Dsonar.projectDescription={3}\-Dsonar.links.homepage={4}\-Dsonar.links.ci={5}\-Dsonar.sources=src \-Dsonar.sourceEncoding=UTF-8 \-Dsonar.java.binaries=target/classes \-Dsonar.java.test.binaries=target/test-classes \-Dsonar.java.surefire.report=target/surefire-reports \-Dsonar.core.codeCoveragePlugin=jacoco \-Dsonar.jacoco.reportPaths=target/jacoco.exec \-Dsonar.gitlab.commit_sha={1}\-Dsonar.gitlab.ref_name={6}\-Dsonar.gitlab.project_id={7}\-Dsonar.dynamicAnalysis=reuseReports \-Dsonar.gitlab.failure_notification_mode=nothing \-Dsonar.gitlab.url={8}\-Dsonar.gitlab.user_token={9}\-Dsonar.gitlab.api_version=v4""".format(CI_PROJECT_NAME,CI_COMMIT_SHA,SONAR_AUTH_TOKEN,CI_PROJECT_TITLE,CI_PROJECT_URL,CI_PIPELINE_URL,CI_COMMIT_REF_NAME,CI_PROJECT_ID,CI_SERVER_URL,GITLAB_ADMIN_TOKEN)result =SonarQube(CI_PROJECT_NAME,lang,profile_name,sonarcmds ).run()print(result)
bash
python3sonarqube.py\"java""devops03""devops-test""99d098ef066b79d577a98220a17959465f4dd750""9e7e39a14a96bc886fdde43388b91e810491b7dc""devops""http:- project:'devops03/devops03-gitlabci-lib'ref:mainfile:- '/jobs/CI.yaml'workflow:rules:- if:$CI_PIPELINE_SOURCE =="web"when:always- if:$CI_COMMIT_BEFORE_SHA =="0000000000000000000000000000000000000000"when:never- when:alwaysvariables:GIT_CHECKOUT:"false"## 全局关闭作业代码下载BUILD_SHELL:"mvn clean package -DskipTests -s settings.xml"## 构建命令TEST_SHELL:"mvn test -s settings.xml"## 测试命令ARTIFACT_PATH:"target