redhat-cop/pipeline-library

Add support for code quality and dependency analysis to builds

InfoSec812 opened this issue · 6 comments

For Maven builds, support sonar:sonar and dependency-check:check targets for SonarQube and OWASP Dependency Check

For NPM, add sonar-scanner and CLI version of OWASP Dependency Check to build slave and add commands to the Jenkinsfile
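As an added example (not code from pipeline-library or from the issue author), a declarative Jenkinsfile that wires the two requests above into one build. It assumes a SonarQube server registered in Jenkins under the name `sonarqube` with the SonarQube Scanner plugin installed (providing `withSonarQubeEnv` and `waitForQualityGate`), and that the Dependency-Check CLI (`dependency-check.sh`) is on the NPM build slave's PATH; the CVSS threshold and report paths are illustrative.

```groovy
// Added example: Jenkinsfile running SonarQube and OWASP Dependency Check
// for Maven and NPM projects. Assumed: SonarQube server 'sonarqube' in
// Jenkins, SonarQube Scanner plugin, dependency-check.sh on the NPM slave.
pipeline {
    agent any
    environment {
        // Fail the build on any finding at or above this CVSS score (assumed threshold)
        DC_FAIL_CVSS = '7'
    }
    stages {
        stage('Maven: code quality + dependency analysis') {
            when { expression { fileExists('pom.xml') } }
            steps {
                // Static analysis pushed to SonarQube via the Maven sonar:sonar goal
                withSonarQubeEnv('sonarqube') {
                    sh 'mvn -B verify sonar:sonar'
                }
                // dependency-check:check, fully qualified so no plugin prefix lookup is needed
                sh "mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=${DC_FAIL_CVSS}"
                archiveArtifacts artifacts: 'target/dependency-check-report.html', allowEmptyArchive: true
            }
        }
        stage('NPM: code quality + dependency analysis') {
            when { expression { fileExists('package.json') } }
            steps {
                sh 'npm ci'
                withSonarQubeEnv('sonarqube') {
                    sh 'npx sonar-scanner'
                }
                // CLI Dependency Check scans the checkout, including package-lock.json and node_modules
                sh """
                    dependency-check.sh --project "${JOB_NAME}" --scan . \\
                        --format HTML --out dependency-check-report \\
                        --failOnCVSS ${DC_FAIL_CVSS}
                """
                archiveArtifacts artifacts: 'dependency-check-report/**', allowEmptyArchive: true
            }
        }
        stage('Quality gate') {
            steps {
                // Block until SonarQube reports the gate for the analysis submitted above;
                // a failed gate aborts the pipeline instead of silently passing the build.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```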

@InfoSec812; Sonar is supported via:

Is there anything else that can be done in the lib? Or can this be closed?

@InfoSec812 please see comment above.

@garethahealy I have a concern that this is Maven specific, and SonarQube handles multiple languages and platforms.

To move to something like the CLI[1], we'd need to include it within a builder image or have the pipeline download it.

[1] https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

stale commented

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

I think we can close this as it's somewhat trivial to handle this in Maven, Gradle, and NPM (npx sonar-scanner). We may need to revisit at some later date for GoLang, Python, Ruby, etc.