Add sonarqube-scanner with optioanl credentials workspace

Add sonarqube scanner with credentials support
2024-11-21 05:55:35 +00:00 · 2022-09-28 15:56:16 +02:00 · 2022-09-28 15:56:16 +02:00 · 22db0c47e2
commit 22db0c47e2
parent 8b8ebf8c88
6 changed files with 314 additions and 0 deletions
--- a/task/sonarqube-scanner/0.4/README.md
+++ b/task/sonarqube-scanner/0.4/README.md
@ -0,0 +1,72 @@
+# SonarQube
+
+SonarQube™ is the leading tool for continuously inspecting the Code Quality and Security™ of your codebases, all while empowering development teams. Analyze over 25 popular programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects bugs, vulnerabilities and code smells across project branches and pull requests.
+
+The following task can be used to perform static analysis on the source code provided the SonarQube server is hosted.
+
+For creating your own `sonar-project.properties` please follow the guide [here](https://docs.sonarqube.org/latest/analysis/analysis-parameters/). Sample properties file can be found [here](./samples/sonar-project.properties)
+
+## Install the Task
+
+```
+kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/sonarqube-scanner/0.4/raw
+```
+
+## Pre-requisite
+
+Install the `git-clone` task from the catalog
+
+```
+https://api.hub.tekton.dev/v1/resource/tekton/task/git-clone/0.7/raw
+```
+
+## Parameters
+
+- **SONAR_HOST_URL**: SonarQube server URL
+- **SONAR_PROJECT_KEY**: Project's unique key
+- **PROJECT_VERSION**: Version of the project (_Default_: 1.0)
+- **SOURCE_TO_SCAN**: Comma-separated paths to directories containing main source files (_Default_: ".")
+- **SONAR_ORGANIZATION**: The organization in sonarqube where the project exists
+- **SONAR_SCANNER_IMAGE**: The sonarqube scanner CLI image which will run the scan (_Default_: docker.io/sonarsource/sonar-scanner-cli:4.6)
+- **SONAR_LOGIN_KEY**: Name of the file of the login within the sonarqube credentials workspace (default: `login`)
+- **SONAR_PASSWORD_KEY**: Name of the file of the password within the sonarqube credentials workspace (default: `password`)
+
+> _Note_ : Parameters are provided in that case when we want to override the corresponding values in `sonar-project.properties` or there is no `sonar-project.properties` present for the project which needs to be analyzed
+
+## Workspaces
+
+- **source**: `PersistentVolumeClaim`-type so that volume can be shared among git-clone and sonarqube task. Sample PVC can be found [here](../0.4/tests/resources.yaml)
+- **sonar-credentials**: To mount a secret with login and password for sonar. Is `optional`.
+- **sonar-settings**: To mount the `sonar-project.properties` via the `ConfigMap`. It's an optional workspace.
+  To mount via the `ConfigMap`:
+
+  ```
+  kubectl create configmap sonar-properties --from-file="sonar-project.properties"
+  ```
+
+## Running SonarQube Server locally using Docker
+
+1. Boot SonarQube
+
+   ```
+   docker run --name="sonarqube" -d sonarqube
+   ```
+
+2. Get the IP address exposed by docker image to access sonarqube server
+
+   ```
+   docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_id or container_name>
+   ```
+
+Sample IPAddress we will obtain using above command is like http://172.17.0.2:9000
+
+## Platforms
+
+The Task can be run on `linux/amd64` platform.
+
+## Usage
+
+1. `sonar-project.properties` present in Github Repository. For example :- following [repo](https://github.com/vinamra28/sonartest) contains the properties file and Sonar Host URL needs to be updated via the `params`.
+   The sample run for this scenario can be found [here](../0.1/samples/run.yaml)
+
+2. In case when no `sonar-project.properties` file is present then above parameters are mandatory to create a `sonar-project.properties` file with the required fields or the file can be mounted via the `ConfigMap`.
--- a/task/sonarqube-scanner/0.4/samples/sonar-project.properties
+++ b/task/sonarqube-scanner/0.4/samples/sonar-project.properties
@ -0,0 +1,19 @@
+# required metdata
+sonar.projectKey=node-test-app
+sonar.projectVersion=1.0
+sonar.sourceEncoding=UTF-8
+sonar.organization=default
+sonar.host.url=http://172.17.0.2:9000
+# sonar.language=js
+sonar.eslint.eslintconfigpath=app/eslintrc.json
+
+# path to srouce directories
+sonar.sources=app
+# sonar.tests=app/test/integration/api/
+
+# excludes
+sonar.exclusions=app/node_modules/*,app/coverage/lcov-report/*,app/test/integration/api/v1/*,app/middlewares/common-middleware.js
+
+# coverage reporting
+sonar.javascript.lcov.reportPaths=app/coverage/lcov.info
+# sonar.surefire.reportPaths=app/coverage/lcov-report
--- a/task/sonarqube-scanner/0.4/sonarqube-scanner.yaml
+++ b/task/sonarqube-scanner/0.4/sonarqube-scanner.yaml
@ -0,0 +1,157 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: sonarqube-scanner
+  labels:
+    app.kubernetes.io/version: "0.4"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.17.0"
+    tekton.dev/categories: Security
+    tekton.dev/tags: security
+    tekton.dev/displayName: "sonarqube scanner"
+    tekton.dev/platforms: "linux/amd64"
+spec:
+  description: >-
+    The following task can be used to perform static analysis on the source code
+    provided the SonarQube server is hosted
+
+    SonarQube is the leading tool for continuously inspecting the Code Quality and Security
+    of your codebases, all while empowering development teams. Analyze over 25 popular
+    programming languages including C#, VB.Net, JavaScript, TypeScript and C++. It detects
+    bugs, vulnerabilities and code smells across project branches and pull requests.
+
+  workspaces:
+    - name: source
+      description: "Workspace containing the code which needs to be scanned by SonarQube"
+    - name: sonar-settings
+      description: "Optional workspace where SonarQube properties can be mounted"
+      optional: true
+    - name: sonar-credentials
+      description: |
+        A workspace containing a login or password for use within sonarqube.
+      optional: true
+  params:
+    - name: SONAR_HOST_URL
+      description: SonarQube server URL
+      default: ""
+    - name: SONAR_PROJECT_KEY
+      description: Project's unique key
+      default: ""
+    - name: PROJECT_VERSION
+      description: "Version of the project. Default: 1.0"
+      default: "1.0"
+    - name: SOURCE_TO_SCAN
+      description: "Comma-separated paths to directories containing main source files"
+      default: "."
+    - name: SONAR_ORGANIZATION
+      description: "The organization in sonarqube where the project exists"
+      default: ""
+    - name: SONAR_SCANNER_IMAGE
+      description: "The sonarqube scanner CLI image which will run the scan"
+      default: "docker.io/sonarsource/sonar-scanner-cli:4.6@sha256:7a976330a8bad1beca6584c1c118e946e7a25fdc5b664d5c0a869a6577d81b4f"
+    - name: SONAR_LOGIN_KEY
+      description: Name of the file of the login within the sonarqube credentials workspace
+      default: "login"
+    - name: SONAR_PASSWORD_KEY
+      description: Name of the file of the password within the sonarqube credentials workspace
+      default: "password"
+  steps:
+    - name: sonar-properties-create
+      image: registry.access.redhat.com/ubi8/ubi-minimal:8.2
+      workingDir: $(workspaces.source.path)
+      env:
+        - name: SONAR_HOST_URL
+          value: $(params.SONAR_HOST_URL)
+        - name: SONAR_PROJECT_KEY
+          value: $(params.SONAR_PROJECT_KEY)
+        - name: PROJECT_VERSION
+          value: $(params.PROJECT_VERSION)
+        - name: SOURCE_TO_SCAN
+          value: $(params.SOURCE_TO_SCAN)
+        - name: SONAR_ORGANIZATION
+          value: $(params.SONAR_ORGANIZATION)
+      script: |
+        #!/usr/bin/env bash
+
+        replaceValues() {
+          filename=$1
+          thekey=$2
+          newvalue=$3
+
+          if ! grep -R "^[#]*\s*${thekey}=.*" $filename >/dev/null; then
+            echo "APPENDING because '${thekey}' not found"
+            echo "" >>$filename
+            echo "$thekey=$newvalue" >>$filename
+          else
+            echo "SETTING because '${thekey}' found already"
+            sed -ir "s|^[#]*\s*${thekey}=.*|$thekey=$newvalue|" $filename
+          fi
+        }
+
+        if [[ "$(workspaces.sonar-settings.bound)" == "true" ]]; then
+          if [[ -f $(workspaces.sonar-settings.path)/sonar-project.properties ]]; then
+            echo "using user provided sonar-project.properties file"
+            cp -RL $(workspaces.sonar-settings.path)/sonar-project.properties $(workspaces.source.path)/sonar-project.properties
+          fi
+        fi
+
+        if [[ -f $(workspaces.source.path)/sonar-project.properties ]]; then
+          if [[ -n "${SONAR_HOST_URL}" ]]; then
+            echo "replacing sonar host URL"
+            replaceValues $(workspaces.source.path)/sonar-project.properties sonar.host.url "${SONAR_HOST_URL}"
+          fi
+          if [[ -n "${SONAR_PROJECT_KEY}" ]]; then
+            echo "replacing sonar project key"
+            replaceValues $(workspaces.source.path)/sonar-project.properties sonar.projectKey "${SONAR_PROJECT_KEY}"
+          fi
+          echo "Values in sonar-project.properties file replaced successfully..."
+        else
+          echo "Creating sonar-project.properties file..."
+          touch sonar-project.properties
+          [[ -n "${SONAR_PROJECT_KEY}" ]] && {
+            echo "sonar.projectKey=${SONAR_PROJECT_KEY}" >> sonar-project.properties
+          } || {
+            echo "missing property SONAR_PROJECT_KEY"
+            exit 1
+          }
+
+          [[ -n "${SONAR_HOST_URL}" ]] && {
+            echo "sonar.host.url=${SONAR_HOST_URL}" >> sonar-project.properties
+          } || {
+            echo "missing property SONAR_HOST_URL"
+            exit 1
+          }
+
+          [[ -n "${PROJECT_VERSION}" ]] && {
+            echo "sonar.projectVersion=${PROJECT_VERSION}" >> sonar-project.properties
+          } || {
+            echo "missing property PROJECT_VERSION"
+            exit 1
+          }
+
+          [[ -n "${SONAR_ORGANIZATION}" ]] && {
+            echo "sonar.organization=${SONAR_ORGANIZATION}" >> sonar-project.properties
+          } || {
+            echo "missing property SONAR_ORGANIZATION"
+            exit 1
+          }
+          echo "sonar.sources=${SOURCE_TO_SCAN}" >> sonar-project.properties
+          echo "---------------------------"
+          cat $(workspaces.source.path)/sonar-project.properties
+        fi
+
+        if [[ "$(workspaces.sonar-credentials.bound)" == "true" ]]; then
+          if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY) ]]; then
+            SONAR_PASSWORD=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_PASSWORD_KEY)`
+            replaceValues $(workspaces.source.path)/sonar-project.properties sonar.password "${SONAR_PASSWORD}"
+          fi
+          if [[ -f $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY) ]]; then
+            SONAR_LOGIN=`cat $(workspaces.sonar-credentials.path)/$(params.SONAR_LOGIN_KEY)`
+            replaceValues $(workspaces.source.path)/sonar-project.properties sonar.login "${SONAR_LOGIN}"
+          fi
+        fi
+    - name: sonar-scan
+      image: $(params.SONAR_SCANNER_IMAGE)
+      workingDir: $(workspaces.source.path)
+      command:
+        - sonar-scanner
--- a/task/sonarqube-scanner/0.4/tests/pre-apply-task-hook.sh
+++ b/task/sonarqube-scanner/0.4/tests/pre-apply-task-hook.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Add git-clone
+add_task git-clone 0.7
--- a/task/sonarqube-scanner/0.4/tests/resources.yaml
+++ b/task/sonarqube-scanner/0.4/tests/resources.yaml
@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonar-source-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 200Mi
--- a/task/sonarqube-scanner/0.4/tests/run.yaml
+++ b/task/sonarqube-scanner/0.4/tests/run.yaml
@ -0,0 +1,51 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: sonarqube-pipeline
+spec:
+  workspaces:
+    - name: shared-workspace
+  tasks:
+    - name: fetch-repository
+      taskRef:
+        name: git-clone
+      workspaces:
+        - name: output
+          workspace: shared-workspace
+      params:
+        - name: url
+          value: https://github.com/vinamra28/sonartest
+        - name: subdirectory
+          value: ""
+        - name: deleteExisting
+          value: "true"
+    - name: code-analysis
+      taskRef:
+        name: sonarqube-scanner
+      params:
+        - name: SONAR_PROJECT_KEY
+          value: sonarqube-scanner
+        - name: SONAR_HOST_URL
+          value: https://sonarcloud.io/
+        - name: PROJECT_VERSION
+          value: "1.0"
+        - name: SONAR_ORGANIZATION
+          value: tekton-catalog-test
+      runAfter:
+        - fetch-repository
+      workspaces:
+        - name: source
+          workspace: shared-workspace
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: sonarqube-run
+spec:
+  pipelineRef:
+    name: sonarqube-pipeline
+  workspaces:
+    - name: shared-workspace
+      persistentVolumeClaim:
+        claimName: sonar-source-pvc