SonarCloud is a code quality and security tool that is free to open-source projects.

Requirements

SonarCloud does not work with Subversion code repositories, so if your project uses SVN, you will need to use an Apache GitHub mirror of your SVN project. Create a Jira ticket asking Infra to set up this mirror for your project. See the PDFBox Jenkins job and this related INFRA Jira ticket as an example of an SVN-based project using SonarCloud and GitHub.

Project members who will be responsible for running SonarCloud need SonarCloud accounts: log in to sonarcloud.io with your ASF GitHub credentials.

If you do not see any Apache project in SonarCloud, make sure your membership in the ASF organization on GitHub is set to Public. See how to make public or hide your organizational membership.

Configuring SonarCloud for your project

File an INFRA Jira ticket to have a new project created at sonarcloud.io for your ASF project. On the ticket:

  1. Identify the project members who will have Admin status on the SonarCloud project. Provide the GitHub ID for each person.
  2. Confirm that the Admins have logged in to sonarcloud.io with their ASF-linked GitHub ID.
  3. Optionally, if you have a preferred project key (the "friendly" name for your SonarCloud project), state it on the ticket. Otherwise Infra will use the default, 'apache_$repositoryName'.

(Project keys must contain at least one non-digit character. Allowed characters are: 'a' through 'z', 'A' through 'Z', '-' (dash), '_' (underscore), '.' (dot), ':' (colon) and digits '0' to '9'. This value is case-sensitive.)

To configure SonarCloud analysis, you need:

  1. The project key, either the default 'apache_$repositoryName' or the one that you requested in the Jira ticket.

  2. A token, one of:
    User Token: you can generate one yourself at https://sonarcloud.io/account/security/ .
    Jenkins: a token pre-configured by Infra for project use. Example:

    GitHub Actions: Infra has a SONARCLOUD_TOKEN secret you can use. Ask on your Jira ticket to have this enabled for your GitHub repository.
    Alternatively, Infra can add your own PAT (Personal Access Token) as a secret instead; in that case, email root.at.apache.org with the details of the secret to add.

Running SonarCloud analysis

Here is an example of how to run the SonarCloud analysis in a Jenkins file:

Example code
stage('Code Quality') {
    steps {
        echo 'Checking Code Quality on SonarCloud'
        // Groovy logic (def, if/else) inside a declarative 'steps' block must be wrapped in script { }
        script {
            // Main parameters
            def sonarcloudParams = "-Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=apache -Dsonar.projectKey=apache_project_key_provided_by_infra"
            if (env.BRANCH_NAME.startsWith("PR-")) {
                // this is a pull request; CHANGE_* are set by the multibranch pipeline for PR builds
                sonarcloudParams = "${sonarcloudParams} -Dsonar.pullrequest.branch=${env.CHANGE_BRANCH} -Dsonar.pullrequest.base=${env.CHANGE_TARGET} -Dsonar.pullrequest.key=${env.CHANGE_ID}"
            } else {
                // this is just a branch
                sonarcloudParams = "${sonarcloudParams} -Dsonar.branch.name=${env.BRANCH_NAME}"
            }
            // Then run the analysis
            // 'my-sonarcloud-token' needs to be defined for this job and contains the user token
            withCredentials([string(credentialsId: 'my-sonarcloud-token', variable: 'SONAR_TOKEN')]) {
                // Double quotes so Groovy expands sonarcloudParams (a single-quoted string would not);
                // the token is left to the shell as $SONAR_TOKEN so the secret is not interpolated
                // into the script text that Jenkins records
                sh "mvn clean verify sonar:sonar ${sonarcloudParams} -Dsonar.login=\$SONAR_TOKEN"
            }
        }
    }
}
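The PR-versus-branch parameter logic in the Jenkinsfile above, and the project-key rules given earlier on this page, are easy to get subtly wrong (an empty CHANGE_* variable, or a key made only of digits). The following POSIX shell script is an added example, not code from the Apache Infra page or from any ASF project: it rebuilds the same scanner argument list as a function that can be tested outside Jenkins, validates the project key against the stated rules, and reads the token only from the SONAR_TOKEN environment variable (as set by withCredentials or a GitHub Actions secret) so it never appears in the script text. The argument order of the functions and the DRY_RUN variable are this example's own conventions; the non-dry-run path assumes mvn and the Sonar Maven plugin are available.

```shell
#!/bin/sh
# Added example (not from the Infra page): SonarCloud argument building and
# project-key validation as testable shell functions.

# valid_project_key KEY
# Rules from the page: only 'a'-'z', 'A'-'Z', '0'-'9', '-', '_', '.', ':'
# are allowed, and the key must contain at least one non-digit character.
valid_project_key() {
    key=$1
    [ -n "$key" ] || return 1
    case $key in
        *[!A-Za-z0-9._:-]*) return 1 ;;   # forbidden character present
    esac
    case $key in
        *[!0-9]*) return 0 ;;             # at least one non-digit: ok
        *) return 1 ;;                    # digits only: rejected
    esac
}

# sonar_params ORG PROJECT_KEY BRANCH_NAME [CHANGE_BRANCH CHANGE_TARGET CHANGE_ID]
# Mirrors the Jenkinsfile: a branch named PR-* is analysed as a pull request
# and needs all three CHANGE_* values; anything else is a plain branch.
sonar_params() {
    org=$1; key=$2; branch=$3
    change_branch=$4; change_target=$5; change_id=$6
    valid_project_key "$key" || { echo "invalid project key: $key" >&2; return 1; }
    params="-Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=$org -Dsonar.projectKey=$key"
    case $branch in
        PR-*)
            if [ -z "$change_branch" ] || [ -z "$change_target" ] || [ -z "$change_id" ]; then
                echo "PR build without CHANGE_BRANCH/CHANGE_TARGET/CHANGE_ID" >&2
                return 1
            fi
            params="$params -Dsonar.pullrequest.branch=$change_branch -Dsonar.pullrequest.base=$change_target -Dsonar.pullrequest.key=$change_id"
            ;;
        *)
            params="$params -Dsonar.branch.name=$branch"
            ;;
    esac
    printf '%s\n' "$params"
}

# run_scan ORG PROJECT_KEY BRANCH_NAME [CHANGE_BRANCH CHANGE_TARGET CHANGE_ID]
# Runs the same Maven invocation as the Jenkinsfile. The token comes only from
# the SONAR_TOKEN environment variable and is masked in the DRY_RUN=1 output.
run_scan() {
    [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    params=$(sonar_params "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'mvn clean verify sonar:sonar %s -Dsonar.login=***\n' "$params"
        return 0
    fi
    # $params is intentionally unquoted so each -D option is a separate argument
    mvn clean verify sonar:sonar $params -Dsonar.login="$SONAR_TOKEN"
}

# Usage (constructed values): DRY_RUN=1 SONAR_TOKEN=... ./sonar.sh apache apache_pdfbox PR-42 feature main 42
if [ "${0##*/}" = "sonar.sh" ]; then
    run_scan "$@"
fi
```

The branch-name check is only as reliable as the variables the CI system provides; if a PR build arrives without the CHANGE_* values the function refuses to run rather than silently analysing the PR as a branch named PR-42, which would create a stray branch in SonarCloud.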



Monorepo Support

Note that sonarcloud.io now supports a monorepo configuration. See the docs here and file an INFRA ticket if you wish to use this setup in your project(s).