# SonarCloud Cheat Sheet
## Overview
SonarCloud is a cloud-based code quality and security analysis platform that automatically reviews code for bugs, vulnerabilities and code smells. It integrates with CI/CD pipelines and provides detailed insights that help maintain high code quality standards.
**Note:** Free for public repositories. Private repositories require a paid plan starting at $10/month.
## Getting Started
### Account Setup
```bash
# Sign up options:
# - GitHub account (recommended)
# - Bitbucket account
# - Azure DevOps account
# - GitLab account
# Visit: https://sonarcloud.io
# Click "Log in" and choose your Git provider
```
### Organization
```bash
# Create organization:
# 1. After login, click "Create Organization"
# 2. Choose Git provider
# 3. Select organization/account
# 4. Configure organization settings
# 5. Import repositories
```
### Project Import
```bash
# Import from GitHub:
# 1. Organizations > Your Org > Analyze new project
# 2. Select repositories to import
# 3. Configure project settings
# 4. Set up analysis method
# Manual project creation:
# 1. Create project manually
# 2. Generate project token
# 3. Configure analysis locally
```
## CLI Installation
### SonarScanner CLI
```bash
# Download and install SonarScanner
# Linux/macOS
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.0.2856-linux.zip
unzip sonar-scanner-cli-4.8.0.2856-linux.zip
export PATH=$PATH:/path/to/sonar-scanner-4.8.0.2856-linux/bin
# macOS with Homebrew
brew install sonar-scanner
# Windows
# Download from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
# Add to PATH environment variable
```
### Docker Scanner
```bash
# Run analysis with Docker; the project directory is mounted read/write at /usr/src
docker run \
  --rm \
  -e SONAR_HOST_URL="https://sonarcloud.io" \
  -e SONAR_LOGIN="your-token" \
  -v "${PWD}:/usr/src" \
  sonarsource/sonar-scanner-cli
```
## Project Configuration
### sonar-project.properties
```properties
# Basic project configuration
sonar.projectKey=my-org_my-project
sonar.organization=my-org
sonar.projectName=My Project
sonar.projectVersion=1.0
# Source code settings
sonar.sources=src
sonar.tests=tests
sonar.sourceEncoding=UTF-8
# Language-specific settings
sonar.java.source=11
sonar.java.target=11
sonar.java.binaries=target/classes
# Exclusions
sonar.exclusions=**/*test*/**,**/*.spec.ts,**/node_modules/**
sonar.test.exclusions=**/*test*/**
# Coverage reports
sonar.javascript.lcov.reportPaths=coverage/lcov.info
# The two JaCoCo properties below are the legacy binary-report form; current scanners
# expect the XML report instead: sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
sonar.java.coveragePlugin=jacoco
sonar.jacoco.reportPaths=target/jacoco.exec
```
### Language-Specific Configuration
```properties
# JavaScript/TypeScript
sonar.typescript.lcov.reportPaths=coverage/lcov.info
sonar.javascript.environments=node,browser,jest
# Python
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.xunit.reportPath=test-reports/xunit.xml
# C#/.NET
sonar.cs.opencover.reportsPaths=coverage.opencover.xml
sonar.cs.nunit.reportsPaths=TestResults.xml
# Go
sonar.go.coverage.reportPaths=coverage.out
# PHP
sonar.php.coverage.reportPaths=coverage.xml
sonar.php.tests.reportPath=test-reports/phpunit.xml
```
## CI/CD Integration
### GitHub Actions
```yaml
# .github/workflows/sonarcloud.yml
name: SonarCloud Analysis
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Shallow clones should be disabled so new-code detection sees full history
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci
      - name: Run tests with coverage
        run: npm run test:coverage
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
### GitLab CI
```yaml
# .gitlab-ci.yml
sonarcloud-check:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  only:
    - merge_requests
    - master
    - develop
```
### Azure DevOps
```yaml
# azure-pipelines.yml
trigger:
  - main
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'SonarCloud'
      organization: 'your-org'
      scannerMode: 'CLI'
      configMode: 'file'
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'
  - script: |
      npm ci
      npm run test:coverage
    displayName: 'Install dependencies and run tests'
  - task: SonarCloudAnalyze@1
  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```
### Jenkins Pipeline
```groovy
pipeline {
    agent any
    environment {
        SONAR_TOKEN = credentials('sonar-token')
    }
    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }
        stage('Test') {
            steps {
                sh 'npm ci'
                sh 'npm run test:coverage'
            }
        }
        stage('SonarCloud Analysis') {
            steps {
                withSonarQubeEnv('SonarCloud') {
                    sh 'sonar-scanner'
                }
            }
        }
        stage('Quality Gate') {
            steps {
                timeout(time: 1, unit: 'HOURS') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```
## Analysis Commands
### Basic Analysis
```bash
# Run analysis with CLI
# (sonar.login is accepted by this scanner version; newer scanner releases use sonar.token)
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.organization=my-org \
  -Dsonar.sources=. \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=your-token
# Analysis with coverage
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.organization=my-org \
  -Dsonar.sources=src \
  -Dsonar.tests=tests \
  -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=your-token
```
### Language-Specific Analysis
```bash
# Java with Maven
mvn clean verify sonar:sonar \
  -Dsonar.projectKey=my-project \
  -Dsonar.organization=my-org \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=your-token
# .NET with dotnet
dotnet sonarscanner begin \
  /k:"my-project" \
  /o:"my-org" \
  /d:sonar.host.url="https://sonarcloud.io" \
  /d:sonar.login="your-token"
dotnet build
dotnet test --collect:"XPlat Code Coverage"
dotnet sonarscanner end /d:sonar.login="your-token"
# Python with coverage
coverage run -m pytest
coverage xml
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.python.coverage.reportPaths=coverage.xml
```
## Quality Gates
### Default Quality Gate
```bash
# Default conditions:
# - Coverage on New Code >= 80%
# - Duplicated Lines on New Code <= 3%
# - Maintainability Rating on New Code = A
# - Reliability Rating on New Code = A
# - Security Rating on New Code = A
# - Security Hotspots Reviewed on New Code >= 100%
```
### Custom Quality Gate
```bash
# Create custom quality gate:
# 1. Administration > Quality Gates
# 2. Create new quality gate
# 3. Add conditions:
#    - Coverage > 85%
#    - Bugs = 0
#    - Vulnerabilities = 0
#    - Code Smells <= 10
#    - Duplicated Lines <= 5%
# 4. Set as default or assign to projects
```
### Quality Gate Status
```bash
# Check quality gate status via API (token as basic-auth username, empty password)
curl -u your-token: \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=my-project"
```
Response example:
```json
{
  "projectStatus": {
    "status": "OK",
    "conditions": [
      {
        "status": "OK",
        "metricKey": "new_coverage",
        "comparator": "LT",
        "errorThreshold": "80"
      }
    ]
  }
}
```
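The `project_status` response above is what a pipeline should act on rather than merely print. The following is an added example (not part of the original cheat sheet or SonarCloud's own tooling) that fetches the status with the same token-as-username authentication as the `curl` call, evaluates every condition, and turns the verdict into an exit code; `SAMPLE_RESPONSE` is a constructed payload and `fetch_gate_status` assumes network access to sonarcloud.io.

```python
import base64
import json
import urllib.parse
import urllib.request

SONARCLOUD_API = "https://sonarcloud.io/api/qualitygates/project_status"


def evaluate_gate(payload: dict) -> tuple[str, list[str]]:
    """Return the overall gate status and a readable line per failing condition.

    SonarCloud reports failing conditions as "ERROR"; anything other than "OK"
    (e.g. "WARN") is treated as failing here to stay on the conservative side."""
    project_status = payload["projectStatus"]
    failing = []
    for cond in project_status.get("conditions", []):
        if cond.get("status", "OK") != "OK":
            failing.append(
                f'{cond["metricKey"]}: actual={cond.get("actualValue", "?")} '
                f'{cond.get("comparator", "")} threshold={cond.get("errorThreshold", "?")}'
            )
    return project_status["status"], failing


def fetch_gate_status(project_key: str, token: str) -> dict:
    """GET project_status; the token is the basic-auth username with an empty password."""
    url = f"{SONARCLOUD_API}?projectKey={urllib.parse.quote(project_key)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real project): one condition fails.
SAMPLE_RESPONSE = json.loads("""
{"projectStatus": {"status": "ERROR", "conditions": [
  {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
   "errorThreshold": "80", "actualValue": "91.3"},
  {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
   "errorThreshold": "1", "actualValue": "3"}]}}
""")


def gate_exit_code(payload: dict) -> int:
    """0 when the gate passed, 1 otherwise; failing conditions are listed for the build log."""
    status, failing = evaluate_gate(payload)
    for line in failing:
        print("FAILED:", line)
    return 0 if status == "OK" else 1


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_RESPONSE))
```

Replace `SAMPLE_RESPONSE` with `fetch_gate_status("my-project", token)` in a pipeline step to block merges or deploys on a failed gate, the same effect `waitForQualityGate abortPipeline: true` has in the Jenkins example.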
## Security Analysis
### Security Hotspots
```bash
# Security hotspot categories:
# - SQL Injection
# - Cross-Site Scripting (XSS)
# - Command Injection
# - Path Traversal
# - LDAP Injection
# - Weak Cryptography
# - Authentication Issues
```
### Vulnerability Detection
```javascript
// Example: Detected vulnerability
function getUserData(userId) {
  // SonarCloud detects SQL injection risk: user input is concatenated into the query
  const query = "SELECT * FROM users WHERE id = " + userId;
  return database.execute(query);
}
// Recommended fix: parameterized query, the driver binds userId as data, not SQL
function getUserData(userId) {
  const query = "SELECT * FROM users WHERE id = ?";
  return database.execute(query, [userId]);
}
```
### Security Rule Configuration
```bash
# Configure security rules:
# 1. Project > Administration > Quality Profiles
# 2. Select language profile
# 3. Enable/disable security rules
# 4. Set rule severity levels
# 5. Add custom rules if needed
```
## Code Coverage
### JavaScript/TypeScript Coverage
```json
// package.json
{
  "scripts": {
    "test": "jest",
    "test:coverage": "jest --coverage"
  },
  "jest": {
    "collectCoverageFrom": [
      "src/**/*.{js,jsx,ts,tsx}",
      "!src/**/*.d.ts",
      "!src/index.tsx"
    ],
    "coverageReporters": ["lcov", "text"]
  }
}
```
### Java Coverage with JaCoCo
```xml
<!-- pom.xml -->
<plugin>
  <groupId>org.jacoco</groupId>
  <artifactId>jacoco-maven-plugin</artifactId>
  <version>0.8.8</version>
  <executions>
    <execution>
      <goals>
        <goal>prepare-agent</goal>
      </goals>
    </execution>
    <execution>
      <id>report</id>
      <phase>test</phase>
      <goals>
        <goal>report</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
### Python Coverage
```bash
# Install coverage
pip install coverage
# Run tests with coverage
coverage run -m pytest
coverage xml
```
Configuration in `.coveragerc`:
```ini
[run]
source = src
omit =
    */tests/*
    */venv/*
    setup.py
[report]
exclude_lines =
    pragma: no cover
    def __repr__
    raise AssertionError
```
## API Usage
### REST API Authentication
```bash
# Generate user token:
# Account > Security > Generate Tokens
# API authentication (token as basic-auth username, empty password)
curl -u your-token: \
  "https://sonarcloud.io/api/projects/search?organization=my-org"
```
### Project Statistics
```bash
# Get project metrics
curl -u your-token: \
  "https://sonarcloud.io/api/measures/component?component=my-project&metricKeys=bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density"
# Get quality gate status
curl -u your-token: \
  "https://sonarcloud.io/api/qualitygates/project_status?projectKey=my-project"
# Get issues
curl -u your-token: \
  "https://sonarcloud.io/api/issues/search?componentKeys=my-project&types=BUG,VULNERABILITY"
```
### Webhook Configuration
```json
// Webhook payload example
{
  "serverUrl": "https://sonarcloud.io",
  "taskId": "task-id",
  "status": "SUCCESS",
  "analysedAt": "2024-01-15T10:30:00+0000",
  "project": {
    "key": "my-project",
    "name": "My Project"
  },
  "qualityGate": {
    "name": "Sonar way",
    "status": "OK"
  }
}
```
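A receiver for the webhook payload above should authenticate the request before it trusts the `qualityGate.status` field, otherwise anyone who can reach the endpoint can post a "gate passed" message. The following is an added example (not part of the original cheat sheet or SonarCloud's own code): it checks an HMAC-SHA256 over the raw body, then decides on the payload. The header name is an assumption taken from SonarQube's documented webhook signature header and requires a webhook secret to be configured on the SonarCloud side; `SAMPLE_BODY` and `WEBHOOK_SECRET` are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumed header name (SonarQube's webhook signature header); verify it in your SonarCloud
# webhook settings before relying on it.
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"
WEBHOOK_SECRET = "replace-with-your-webhook-secret"  # placeholder, load from a secret store


def sign_payload(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw request body, the value the signature header carries."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_and_parse(raw_body: bytes, headers: dict, secret: str) -> dict:
    """Reject the request unless the MAC over the raw body matches, then parse the JSON.

    Verification happens before parsing so an unauthenticated sender never reaches the
    parser, and compare_digest keeps the comparison constant-time."""
    received = headers.get(SIGNATURE_HEADER, "")
    if not hmac.compare_digest(received, sign_payload(raw_body, secret)):
        raise PermissionError("webhook signature mismatch")
    return json.loads(raw_body)


def gate_passed(payload: dict) -> bool:
    """True only when the analysis task succeeded and the quality gate is OK."""
    return (payload.get("status") == "SUCCESS"
            and payload.get("qualityGate", {}).get("status") == "OK")


# Constructed payload mirroring the example above (not captured from a real project).
SAMPLE_BODY = json.dumps({
    "serverUrl": "https://sonarcloud.io", "taskId": "task-id", "status": "SUCCESS",
    "analysedAt": "2024-01-15T10:30:00+0000",
    "project": {"key": "my-project", "name": "My Project"},
    "qualityGate": {"name": "Sonar way", "status": "OK"},
}).encode()


def handle(raw_body: bytes, headers: dict, secret: str = WEBHOOK_SECRET) -> str:
    """Handler decision: 'deploy' (gate OK), 'block' (gate failed) or 'reject' (bad signature)."""
    try:
        payload = verify_and_parse(raw_body, headers, secret)
    except PermissionError:
        return "reject"
    return "deploy" if gate_passed(payload) else "block"


if __name__ == "__main__":
    print(handle(SAMPLE_BODY, {SIGNATURE_HEADER: sign_payload(SAMPLE_BODY, WEBHOOK_SECRET)}))
```

Wire `handle` to your web framework's raw request body and header mapping; the body must be the exact bytes received, since any re-serialization changes the MAC.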
## Pull Request Analysis
### GitHub Integration
```bash
# Automatic PR analysis:
# 1. Install SonarCloud GitHub App
# 2. Configure repository permissions
# 3. Enable PR decoration
# 4. Analysis runs on every PR
# PR comment example:
# Quality Gate passed
# 0 Bugs
# 0 Vulnerabilities
# 0 Security Hotspots
# 2 Code Smells
# Coverage: 85.2% (+2.1%)
```
### Branch Analysis
```bash
# Analyze specific branch
sonar-scanner \
  -Dsonar.projectKey=my-project \
  -Dsonar.branch.name=feature/new-feature \
  -Dsonar.login=your-token
# Compare branches
# SonarCloud automatically compares:
# - New code vs. overall code
# - Feature branch vs. main branch
# - Short-lived vs. long-lived branches
```
## Advanced Configuration
### Custom Rules
```xml
<!-- Custom rule template -->
<rule>
  <key>custom-rule-key</key>
  <name>Custom Rule Name</name>
  <description>Rule description</description>
  <severity>MAJOR</severity>
  <type>CODE_SMELL</type>
  <tag>custom</tag>
</rule>
```
### Quality Profiles
```bash
# Create custom quality profile:
# 1. Quality Profiles > Create
# 2. Select language and parent profile
# 3. Activate/deactivate rules
# 4. Set rule parameters
# 5. Assign to projects
```
### Project Settings
```properties
# Advanced project settings
sonar.projectDescription=Project description
sonar.links.homepage=https://example.com
sonar.links.ci=https://ci.example.com
sonar.links.scm=https://github.com/org/repo
sonar.links.issue=https://github.com/org/repo/issues
# Analysis scope
sonar.inclusions=**/*.js,**/*.jsx,**/*.ts,**/*.tsx
sonar.exclusions=**/node_modules/**,**/dist/**,**/*.min.js
sonar.test.inclusions=**/*.test.js,**/*.spec.js
sonar.coverage.exclusions=**/*.test.js,**/*.config.js
```
## Troubleshooting
### Common Issues
```bash
# Analysis fails with "Project not found":
# 1. Check project key spelling
# 2. Verify organization name
# 3. Ensure project exists in SonarCloud
# 4. Check token permissions
# Coverage not showing:
# 1. Verify coverage report path
# 2. Check report format compatibility
# 3. Ensure tests run before analysis
# 4. Validate coverage configuration
```
### Debugging Analysis
```bash
# Enable debug logging
sonar-scanner -Dsonar.verbose=true
# Check analysis logs
# SonarCloud > Project > Activity > View Details
# Validate configuration: write the effective properties to a file instead of running the analysis
sonar-scanner -Dsonar.scanner.dumpToFile=sonar-scanner-dump.properties
```
### Performance Optimization
```bash
# Optimize analysis performance:
# 1. Exclude unnecessary files
# 2. Use incremental analysis
# 3. Optimize test coverage collection
# 4. Configure appropriate heap size
# JVM options for large projects
export SONAR_SCANNER_OPTS="-Xmx2048m"
```
## Best Practices
### Code Quality Standards
```bash
# Maintain quality standards:
# - Zero tolerance for bugs and vulnerabilities
# - Minimum 80% code coverage
# - Maximum 5% code duplication
# - Regular technical debt reduction
# - Consistent coding standards
```
### Team Adoption
```bash
# Successful team adoption:
# 1. Set clear quality gates
# 2. Integrate with development workflow
# 3. Provide training on fixing issues
# 4. Regular code quality reviews
# 5. Celebrate quality improvements
```
### Continuous Improvement
```bash
# Quality improvement process:
# 1. Monitor quality trends
# 2. Identify recurring issues
# 3. Update coding standards
# 4. Refine quality gates
# 5. Share best practices
```
## Resources
### Documentation
- [SonarCloud Documentation](LINK_9)
- [Analysis Parameters](LINK_9)
- [Quality Gates](LINK_9)
### Community
- [SonarSource Community](LINK_9)
- [GitHub Issues](LINK_9)
- [Stack Overflow](LINK_9)
### Training
- [SonarCloud Academy](LINK_9)
- [Clean Code Guidelines](LINK_9)
- [Security Rules](LINK_9)