Plugin SonarQube EcoSonar

Introduction

This plugin embeds EcoSonar audits, recommendations and configuration into SonarQube. It fulfills two purposes:

  • trigger an EcoSonar analysis automatically each time a SonarQube analysis is made
  • add EcoSonar audit reports directly into the SonarQube project user interface

Getting Started

Prerequisites

Build the SonarQube Plugin related to EcoSonar

To build the plugin JAR file, first you need to retrieve the URL of the deployed server for EcoSonar API. Then run the following commands:

For Windows:

set REACT_APP_BASE_URL_ECOSONAR_API=#EcoSonar-API-URL
mvn clean package -Durl=#EcoSonar-API-URL

For Linux/Mac:

export REACT_APP_BASE_URL_ECOSONAR_API=#EcoSonar-API-URL
mvn clean package -Durl=#EcoSonar-API-URL

If you are running EcoSonar locally, the default EcoSonar-API-URL is http://localhost:3000.

Install Sonarqube Plugins (EcoSonar + Ecocode) manually

  1. Copy the file located at the following path: EcoSonar-SonarQube/target/ecosonar-X-SNAPSHOT.jar.
  2. Go to your SonarQube folder extensions/plugins/ and paste the JAR.
  3. Retrieve all JAR files available in the EcoSonar-SonarQube/ecocode folder (there should be 6, one per language).
  4. Go to your SonarQube folder extensions/plugins/ and paste these JAR files to add the EcoCode SonarQube plugins.

To finally launch SonarQube with the plugins, run the start script bin/windows-x86-64/StartSonar.bat.

The SonarQube instance startup logs are located in the file logs/web.log.

Official documentation about installing a SonarQube plugin: https://docs.sonarqube.org/latest/setup/install-plugin/.
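As an added example (not the project's own script), the following POSIX shell wraps the build and manual-install steps above: it refuses an API URL that is not an absolute http(s) URL before that value is baked into the JAR, and it stages the EcoSonar JAR together with the six EcoCode JARs into extensions/plugins/, failing loudly when either is missing. The function names, the SonarQube home argument and the fixture files are this example's own assumptions; the paths, the JAR name pattern and the count of six come from the README.

```shell
#!/usr/bin/env sh
# Added example, not part of the EcoSonar project. Builds the plugin against an
# explicit EcoSonar API URL and stages the EcoSonar + EcoCode JARs into a
# SonarQube instance's extensions/plugins/ directory.

# Accept only an absolute http(s) URL. The value ends up compiled into the
# plugin (REACT_APP_BASE_URL_ECOSONAR_API), so a malformed URL is otherwise only
# noticed when the SonarQube UI fails to load the audits.
validate_api_url() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the plugin JAR exactly as the README does, with the URL validated first.
# Not exercised by the test (needs Maven and the repository checkout).
build_plugin() {
  url="$1"
  validate_api_url "$url" || { echo "invalid EcoSonar API URL: $url" >&2; return 1; }
  REACT_APP_BASE_URL_ECOSONAR_API="$url" mvn clean package -Durl="$url"
}

# Copy the EcoSonar JAR and the EcoCode JARs into SonarQube's plugin directory.
# $1 = EcoSonar-SonarQube checkout, $2 = SonarQube home (assumed argument).
# Prints the number of JARs now present in extensions/plugins/; fails if the
# EcoSonar JAR is missing or the ecocode folder does not hold exactly six JARs.
stage_plugins() {
  repo="$1"; sonar_home="$2"
  dest="$sonar_home/extensions/plugins"
  mkdir -p "$dest"
  ecosonar_jar=$(ls "$repo"/target/ecosonar-*-SNAPSHOT.jar 2>/dev/null | head -n 1)
  [ -n "$ecosonar_jar" ] || { echo "no ecosonar-*-SNAPSHOT.jar in $repo/target" >&2; return 1; }
  ecocode_count=$(ls "$repo"/ecocode/*.jar 2>/dev/null | wc -l | tr -d ' ')
  [ "$ecocode_count" -eq 6 ] || { echo "expected 6 EcoCode JARs, found $ecocode_count" >&2; return 1; }
  cp "$ecosonar_jar" "$dest"/
  cp "$repo"/ecocode/*.jar "$dest"/
  ls "$dest"/*.jar | wc -l | tr -d ' '
}

# Constructed stand-in for a built checkout (empty files named like the real
# artefacts) so the staging logic can be tried without Maven. Test data only.
make_fixture_repo() {
  repo="$1"
  mkdir -p "$repo/target" "$repo/ecocode"
  : > "$repo/target/ecosonar-1.0-SNAPSHOT.jar"
  for i in 1 2 3 4 5 6; do
    : > "$repo/ecocode/ecocode-plugin-$i.jar"
  done
}

# Usage against a real checkout (assumed paths):
#   build_plugin http://localhost:3000 && stage_plugins . /opt/sonarqube
```

Sourcing the file and calling stage_plugins before starting SonarQube gives a single place that fails when a JAR is missing, instead of discovering it from logs/web.log after startup.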

Launch a SonarQube analysis from Azure Pipelines on a local SonarQube server

  1. Download ngrok from https://ngrok.com/

  2. Launch the SonarQube server on http://localhost:9000/

  3. On a command prompt, launch:

ngrok http 9000

  4. Retrieve the HTTP URL provided by ngrok.

  5. Create an authentication token on SonarQube (go to My Account > Security > Generate Tokens).

  6. In Azure DevOps, under Project Settings > Service Connections, add a service connection of type SonarQube, using the URL given by ngrok as server URL and the token generated by SonarQube.

  7. Choose a service connection name and add it to the pipeline script as the SonarQube Server Endpoint.

  8. Launch the correctly configured pipeline with the project key defined on the SonarQube server.

  9. The analysis is launched and you should see the results on the corresponding project page.

Launch a SonarQube analysis from Azure Pipelines on a deployed SonarQube server

  1. In Azure DevOps, go to Project Settings, then Service Connections.

  2. Add a new service connection with the following parameters:

  • connection type: SonarQube
  • server URL: URL of the SonarQube instance
  • token: token generated when creating the SonarQube project
  • service connection name

  3. In the Azure Pipelines file, set up the SonarQube analysis using the SonarQube service connection previously registered and the project key defined in the SonarQube instance.

How to run the dependency check

We have added a dependency check to verify vulnerabilities in the packages included in the Maven project.

In a command prompt, run the following command:

mvn dependency-check:check

It will automatically create a report located at target/dependency-check/dependency-check-report.html. There you will find the number of packages audited and the list of vulnerabilities detected.
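The HTML report is meant for a person to read; a CI job needs something it can gate on. The following POSIX shell is an added example, not part of the project: it runs the same Maven goal with a machine-readable report and a CVSS threshold, then counts findings per severity from the JSON report without needing jq. The `format` and `failBuildOnCVSS` properties are real parameters of the dependency-check Maven plugin; that the JSON report lands next to the HTML one named above (target/dependency-check/dependency-check-report.json) is an assumption about this project's plugin configuration, and the sample report in write_sample_report is constructed data with placeholder CVE identifiers.

```shell
#!/usr/bin/env sh
# Added example, not part of the EcoSonar project: run dependency-check with a
# CVSS gate and summarise the JSON report by severity.

# Assumed location, derived from the HTML path the README documents.
REPORT_DIR="target/dependency-check"
JSON_REPORT="$REPORT_DIR/dependency-check-report.json"

# Run the scan. format=ALL keeps the README's HTML report and adds JSON/XML/CSV
# for tooling; failBuildOnCVSS=7 makes Maven itself fail on any HIGH or
# CRITICAL finding. Not exercised by the test (needs Maven and NVD data).
run_dependency_check() {
  mvn dependency-check:check -Dformat=ALL -DfailBuildOnCVSS=7
}

# Count vulnerabilities of one severity in a JSON report.
# $1 = report path, $2 = LOW | MEDIUM | HIGH | CRITICAL.
# Matches the per-vulnerability "severity" key only; "baseSeverity" inside the
# CVSS objects is spelled differently and so is not double counted.
count_severity() {
  if [ ! -f "$1" ]; then echo 0; return; fi
  grep -o "\"severity\" *: *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Print a one-line summary and return 0 only if there is no HIGH or CRITICAL
# finding, so the function can be used directly as a pipeline step.
gate_on_report() {
  report="$1"
  crit=$(count_severity "$report" CRITICAL)
  high=$(count_severity "$report" HIGH)
  med=$(count_severity "$report" MEDIUM)
  low=$(count_severity "$report" LOW)
  echo "dependency-check: critical=$crit high=$high medium=$med low=$low"
  [ "$((high + crit))" -eq 0 ]
}

# Constructed sample in the shape of a dependency-check JSON report (two
# dependencies, three findings, placeholder CVE ids). Test data only.
write_sample_report() {
  cat > "$1" <<'EOF'
{"dependencies":[
 {"fileName":"example-a-1.0.jar","vulnerabilities":[
   {"name":"CVE-XXXX-0001","severity":"HIGH","cvssv3":{"baseSeverity":"HIGH"}},
   {"name":"CVE-XXXX-0002","severity":"MEDIUM"}]},
 {"fileName":"example-b-2.0.jar","vulnerabilities":[
   {"name":"CVE-XXXX-0003","severity":"CRITICAL"}]}
]}
EOF
}

# Usage in CI (assumed): run_dependency_check; gate_on_report "$JSON_REPORT"
# To try the summary offline: write_sample_report /tmp/r.json; gate_on_report /tmp/r.json
```

Keeping the gate in a separate function from the scan means the threshold can be tightened (for example to MEDIUM) by editing one line, and a missing report counts as zero findings rather than crashing the job, which is worth knowing when deciding whether a green pipeline actually ran the scan.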