Monday, April 6, 2020


Integrating SonarQube source code analyzers in repository builds
Go has been officially supported by SonarSource with SonarGo since May 2018. Any build integration may require the following items:
1) SonarGo
2) GoMetaLinter
3) SonarScanner
4) SonarQube docker image
A community package for SonarQube for golang is available at https://github.com/uartois/sonar-golang
It requires GoMetaLinter reports in the checkstyle format for the scanner to run.
The GoMetaLinter can be obtained as follows:
go get -u gopkg.in/alecthomas/gometalinter.v1
gometalinter.v1 --install
The GoMetaLinter report can be generated with the command:
gometalinter.v1 --checkstyle > report.xml
The sonar-golang plugin will also require a sonar.properties file, which will look like this:
enableSonarQube=true

sonar.skip-tests=false
sonar.projectKey=group:app-name
sonar.projectName=app-name
sonar.projectVersion=1.1
sonar.sources=pkg/
sonar.sourceEncoding=UTF-8
sonar.host.url=http://localhost:9000

Any server will require the sonar-golang jar file to be placed in the $SONAR_PATH/extensions/plugins folder. The SonarQube server will be paused and restarted for the jar to be loaded.
The SonarScanner may run in its own Docker image during the build. Several images are available on Docker Hub, including a SonarQube server image. The project will have to be copied locally into the image, and the sonar properties will point to the server with the jar. This is preferably done with a custom Dockerfile.
The Jenkinsfile can be modified to build the image with the SonarScanner from the corresponding Dockerfile, and then the project can be scanned with the "sonar-scanner" command.
The sonar.properties file points the scanner at the sonar.host.url where the reports will be published under the sonar.projectKey.
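A build step can check the two files described above before "sonar-scanner" is invoked. The following is an added example, not code from the original post or from any Sonar project; the function names and return codes are hypothetical, and it assumes the checkstyle report has a `<checkstyle>` root element.

```shell
#!/bin/sh
# Added example: pre-scan gate for sonar.properties and report.xml.
# Function names and return codes are hypothetical, not part of any Sonar tool.

# Print the value of key $2 from properties file $1 (last definition wins).
prop_get() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Return 1 if a key the scan depends on is missing, 2 if results would leave
# the machine over plain HTTP, 0 otherwise.
check_props() {
    for key in sonar.projectKey sonar.sources sonar.host.url; do
        [ -n "$(prop_get "$1" "$key")" ] || { echo "missing $key in $1" >&2; return 1; }
    done
    url=$(prop_get "$1" sonar.host.url)
    case "$url" in
        *@*) ;;   # userinfo can disguise the real host: fall through and reject
        https://*|http://localhost|http://localhost[/:]*) return 0 ;;
        http://127.0.0.1|http://127.0.0.1[/:]*) return 0 ;;
    esac
    echo "sonar.host.url is neither HTTPS nor loopback: $url" >&2
    return 2
}

# Return 1 if the report is absent or empty (a failed linter run with '>'
# redirection still leaves a file behind), 2 if it is not checkstyle XML.
check_report() {
    [ -s "$1" ] || { echo "report $1 missing or empty" >&2; return 1; }
    grep -q '<checkstyle' "$1" || { echo "$1 is not a checkstyle report" >&2; return 2; }
}

# Run both checks; defaults are the file names used in this post.
preflight() {
    check_props "${1:-sonar.properties}" && check_report "${2:-report.xml}"
}

# Typical use in the build step:
#   preflight sonar.properties report.xml && sonar-scanner
```

The sample file shown earlier passes because its sonar.host.url is on localhost; a remote server reached over plain http:// is rejected with return code 2.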
