SonarQube
Summary
SonarQube provides deep visibility into static code analysis metrics. You can use SonarQube to drive insights into values such as:
- Code coverage
- Vulnerabilities
- Code smells
Setup
In order to connect Cortex to your SonarQube instance, you’ll need to create a SonarQube User Token, and add it under Settings → SonarQube.
If you do not see the Settings page you're looking for in the sidebar, you likely don't have the proper permissions and need to contact your admin.
We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly whitelist our static IP, you can route requests through a secondary proxy in your network that has this IP whitelisted, and have that proxy route traffic to your SonarQube instance.
Multi-account support
SonarQube has multi account support meaning that you can configure any amount of SonarQube instances to retrieve data from. Each SonarQube instance will require an alias which is a name that we use to correlate the SonarQube instance with the YAML registrations for each entity. There is also a default configuration used by SonarQube YAML registrations without an alias listed. You can edit aliases and the default configuration under Settings → SonarQube.
Advanced configuration
If you’re unable to expose your SonarQube instance to be reachable by Cortex, you can set up a Custom Integration Webhook. To learn more about SonarQube webhooks, visit their Webhook Documentation.
Registration
Discovery
By default, Cortex will use the entity tag (e.g. my-service
) as the "best guess" for the SonarQube project key. For example, if your entity tag is “my-service”, then the corresponding project key in SonarQube should also be “my-service”.
If you’re using build-system tooling to push analysis to SonarQube, the plugin (e.g. Gradle, Maven) may be automatically generating a project key that’s different from the repo name.
If your SonarQube project keys don’t cleanly match the Cortex service identifier, you can override this in the Cortex Service Descriptor.
Catalog descriptor
If you need to override the automatic discovery, you can define the following block in your Cortex Catalog Descriptor.
x-cortex-static-analysis:
sonarqube:
project: my-project # projectKey in SonarQube
alias: my-sonarqube-alias # alias is optional and only relevant if you have opted into multi account support
The value for project
should be the project key as defined in SonarQube.
Troubleshooting
- I’m seeing “Socket timed out when trying to connect to SonarQube” for all of my services in Scorecards
- This means that Cortex is unable to talk to your SonarQube instance. Make sure that your instance is running and accessible to Cortex.
- I’m using Gradle, and I’ve verified that my project is in SonarQube. Cortex is still showing me an error.
- Gradle automatically generates a project key which is equal to
[${project.group}:]${project.name}
. As a result, automatic discovery won’t work. You’ll need to override the project key in your Cortex Catalog Descriptor.
- Gradle automatically generates a project key which is equal to
- My project is in Sonar, Cortex is able to talk to SonarQube, but my score isn’t showing up.
Try the following troubleshooting steps:
- Make sure the project key in your YAML is exactly the same as the key in SonarQube.
- Verify that the scores are in the “default branch” in SonarQube. If your scores are showing up in a “branch-a” in SonarQube, but your SonarQube default branch is “master”, Cortex will not be able to retrieve the scores.
- Run the following curl command and verify there are metrics showing up in the response
curl -v -u <token>: "https://[SONARQUBE HOST]/api/measures/
component_tree?component=[SONARQUBE PROJECT KEY]&metricKeys=ncloc,coverage"