fix: fix SonarQube API call on tag analysis (a9f700af) · Commits · to be continuous... / SonarQube

README.md

+10 −0

Original line number	Diff line number	Diff line
		@@ -56,6 +56,16 @@ It is bound to the `test` stage, and uses the following variables:
		\| `base-args` / `SONAR_BASE_ARGS` \| SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/analysis-parameters/) \| `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` \|
		\| `quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` \| Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/quality-standards-administration/managing-quality-gates/introduction/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ \| _none_ (disabled) \|

		Output artifacts:

		When the SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/quality-standards-administration/managing-quality-gates/introduction/) is enabled (using `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED`), this job produces a GitLab SAST report `sonar.gitlab-sast.json`, generated from SonarQube as part of the [Vulnerability Reporting integration](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/setting-up-at-project-level#reporting-vulnerabilities), containing the detected security findings. Artifacts are retained for one day and are downloadable only by users with the Developer role or higher in GitLab.

		The following reports are generated:

		\| Report \| Format \| Usage \|
		\| -------------- \| ---------------------------------------------------------------------------- \| ----------------- \|
		\| `reports/sonar.gitlab-sast.json` \| [Gitlab SAST](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/sast-report-format.json?ref_type=heads) report \| [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportssast) \|

		### Automatic Branch Analysis & Merge Request Analysis

		This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube-server/devops-platform-integration/gitlab-integration/introduction/), that is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis

templates/gitlab-ci-sonar.yml

+8 −8

Original line number	Diff line number	Diff line
		@@ -471,19 +471,19 @@ sonar:
		- \|
		if [[ "$SONAR_QUALITY_GATE_ENABLED" == "true" ]]
		then
		log_info "Return a list of vulnerabilities according to the GitLab SAST JSON format, based on SonarQube issues for project \\e[33;1m${SONAR_PROJECT_KEY}\\e[0m..."
		log_info "Retrieve GitLab SAST report from SonarQube for project \\e[33;1m${SONAR_PROJECT_KEY}\\e[0m..."
		mkdir -p ./reports
		sonar_api_params="projectKey=${SONAR_PROJECT_KEY}"
		if [ -z "${CI_MERGE_REQUEST_IID}" ]; then
		sonar_api_params="${sonar_api_params}&branch=${CI_COMMIT_BRANCH}"
		sonar_api_params="projectKey=$SONAR_PROJECT_KEY"
		if [ "${CI_MERGE_REQUEST_IID}" ]; then
		sonar_api_params="${sonar_api_params}&pullRequest=$CI_MERGE_REQUEST_IID"
		else
		sonar_api_params="${sonar_api_params}&pullRequest=${CI_MERGE_REQUEST_IID}"
		sonar_api_params="${sonar_api_params}&branch=$CI_COMMIT_REF_NAME"
		fi
		curl -u "${SONAR_TOKEN}:" "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?${sonar_api_params}" -o ./reports/sonar.gitlab-sast.json # gitleaks:allow
		else
		log_info "SONAR_QUALITY_GATE_ENABLED is not set to true — skipping GitLab SAST export and report generation"
		log_info "ℹ️ If you wish to retrieve GitLab SAST report from SonarQube, please set SONAR_QUALITY_GATE_ENABLED to true"
		fi
		exit $exit_code
		- exit $exit_code
		rules:
		- !reference [.test-policy, rules]
		artifacts: