SonarQube
SonarQube is an open-source platform that empowers developers to write clean and safe code by continuously inspecting code quality and reviewing for bugs, vulnerabilities, and code duplication. By integrating SonarQube with Cortex, you can drive powerful insights into code coverage, code smells, and vulnerabilities.
In this guide, you'll learn how to set up and use the SonarQube integration to drive insights into several key values:
- Code coverage
- Code smells
- Vulnerabilities
Setup and configuration
Getting started
In order to connect Cortex to your SonarQube instance, you’ll first need to create a SonarQube user token.
Configuration
Once you’ve created a SonarQube token, you can configure the integration in Cortex from the SonarQube page in Settings.
If you do not see the Settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
From the SonarQube Settings page, you’ll see the option to Add SonarQube configuration.
- Account alias: Used to tie entity registrations to different configuration accounts
- Token: Personal access token generated earlier
- SonarQube URL: URL for your SonarQube instance, e.g. https://sonarcloud.io
Once you save your configuration, you'll see the last four characters of the token you entered. If you’ve set everything up correctly, you’ll see the option to Remove Integration in Settings.
You can also use the Test all configurations button to confirm that the configuration was successful. If your configuration is valid, you’ll see a banner that says “Configuration is valid. If you see issues, please see documentation or reach out to Cortex support.”
Multi-account support
The SonarQube integration has multi-account support so you can add a configuration for each additional instance by repeating the above process.
Each configuration requires an alias, which Cortex uses to correlate the designated instance with registrations for various entities. Registrations can also use a default configuration without a listed alias.
You can edit aliases and default configurations from the SonarQube page in Settings. Select the edit icon next to a given configuration and toggle "Set as default" on. If you only have one configuration, it will automatically be set as the default.
Self-hosted Sonar instances
If you’re using a self-hosted instance of SonarQube, you’ll need to verify that your Cortex instance is able to reach the SonarQube instance.
If you're using a self-hosted instance of SonarQube, you'll need to
verify that your Cortex instance is able to reach the SonarQube instance.
We route our requests through a static IP address. Reach out to support at
help@cortex.io to receive details about our static IP.
If you're unable to directly whitelist our static IP, you can route requests through a
secondary proxy in your network that has this IP whitelisted, and have that proxy route traffic
to your SonarQube instance.
If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your SonarQube instance.
Advanced configuration
If you’re unable to expose your SonarQube instance to be reachable by Cortex, you can set up a custom integration webhook. To learn more about SonarQube webhooks, visit their webhook documentation.
Registration
Discovery
By default, Cortex will use the entity tag (e.g. my-entity) as the "best guess" for the SonarQube project key. For example, if your entity tag is “my-project,” then the corresponding project key in SonarQube should also be “my-project.”
If you’re using build-system tooling to push analysis to SonarQube, the plugin (e.g. Gradle, Maven) may be automatically generating a project key that’s different from the repo name.
Entity descriptor
If your SonarQube project keys don’t cleanly match the Cortex entity tag, you can override this in the entity descriptor.
If you need to override the automatic discovery, you can define the following block in your Cortex entity descriptor.
x-cortex-static-analysis:
sonarqube:
project: sonar-project-key # projectKey in SonarQube
alias: sonarqube-alias # alias is optional and only relevant if you have opted into multi account support
The value for project should be the project key defined in SonarQube.
Cortex only supports one SonarQube project per entity.
Expected results
Once the integration is established, data from SonarQube will be available under Integrations for each entity, as well as under the Overview and Code and Security tabs. You can pull in data on code smells, bugs, code coverage, vulnerabilities, and any custom metrics available through Sonar. You can read more about metric definitions in Sonar's documentation.
- Metrics
- Complexity
- Duplications
- Issues
- Maintainability
- Quality gates
- Reliability
- Security
- Size
- Tests
- Code freshness
- Code coverage
With CQL, you can check various metrics for entities and define corresponding Scorecard rules:
- Check if SonarQube project is set
- SonarQube code smells
- SonarQube coverage
- SonarQube custom metric with number result
- SonarQube custom metric with text result
- SonarQube freshness
- SonarQube lines of code
FAQs and Troubleshooting
Does Cortex support SonarCloud?
Yes. You can integrate with SonarCloud by following the same steps as integrating with SonarQube. In the URL field, use your <https://sonarcloud.io/> URL.
You can also use multi-account support to add a self-hosted or SonarCloud instance by adding the URL for that instance during configuration.
I’m seeing “Socket timed out when trying to connect to SonarQube” for all of my entities in Scorecards.
This means that Cortex is unable to talk to your SonarQube instance. Make sure that your instance is running and accessible to Cortex.
I’m using Gradle and I’ve verified that my project is in SonarQube, but Cortex is still showing me an error.
Gradle automatically generates a project key which is equal to [${project.group}:]${project.name}. As a result, automatic discovery won’t work. You’ll need to override the project key in your Cortex entity descriptor.
My project is in Sonar and Cortex is able to talk to SonarQube, but my score isn’t showing up.
Try the following troubleshooting steps:
- Make sure the project key in your YAML is exactly the same as the key in SonarQube.
- Verify that the scores are in the “default branch” in SonarQube. If your scores are showing up in a “branch-a” in SonarQube, but your SonarQube default branch is “master”, Cortex will not be able to retrieve the scores.
- Run the following curl command and verify there are metrics showing up in the response:
curl -v -u <token>: "https://[SONARQUBE HOST]/api/measures/
component_tree?component=[SONARQUBE PROJECT KEY]&metricKeys=ncloc,coverage"
What if I want to send custom data, but I don't have control over the integration touchpoint?
If you don't have control of or access to the integration touchpoint (for example, if you're using a SonarQube notification webhook) you'll want to use the API to send custom data. You can find information on sending data to a custom data webhook here.
SonarQube connection: “Component key not found”
For SonarQube (and all integrations), Cortex will map the entity tag defined in the cortex.yaml for a given entity. For SonarQube specifically, the tag must exactly match the project ID in SonarQube. If these are not one-to-one, we recommend using the override detailed above to define the proper mapping for project ID and entity name.
Still need help?
The following are all the ways to get assistance from our customer engineering team. Please use the option that is best for your users:
- Email: help@cortex.io, or open a support ticket in the in app Resource Center
- Chat: Available in the Resource Center
- Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your customer success manager.