
I am new to BitBucket and have inherited a project, now trying to get up to speed and code-complete. We have a DevSecOps pipeline using BitBucket as SCM, SonarQube as our static analysis engine and either Maven or Jenkins, depending on dev team preference. Java is the development language.

My Tech Lead would like to prevent a merge of a pull request if there are Critical or High issues found in the SonarQube analysis of code in the pull request. So, I am looking for a way to trigger a SonarQube scan on a pull request and, if it fails (Critical issue found), the merge is not allowed to go through or some notification is sent. There is hope also that issues that pre-existed on the branch would not trigger the notification (legacy issues don't break merge requests).

I see plugins for BitBucket that are "pull-request decorators" but they lack documentation (open source ones do, anyway).

randomNerdboy

2 Answers


The tool which definitely suits your case is Sonar for Bitbucket.

It integrates well into a build pipeline with Jenkins and SonarQube. Additionally, for triggering your analysis I recommend using the plugin pullrequest-notifier, which allows you to react to special "pullrequest" events only. This can reduce the number of your builds heavily when it comes to Sonar analysis for feature branches.

Regarding Sonar for Bitbucket

Just for completeness: SonarQube does not recommend doing branch analysis for feature branches at the moment, as this will generate a separate project on SonarQube for each project and each analysed branch. Sonar for Bitbucket will clean those up.

In the future there will be a change, which seems to have been presented already at the SonarSource City Tour. When this change goes live, you will be able to do analyses in a more "branchy" style!

Simon Schrottner
  • I added some additional information for you! I can fully recommend this plugin, as it offers a lot of functionality, and makes it really easy to stop "malicious" pushes :D. If you have additional questions just let me know :D – Simon Schrottner Sep 26 '17 at 15:11
  • Hi Simon, I appreciate your replies. As I'm new to this tech stack perhaps you can assist: We are attempting to determine if we can prevent 'legacy' issues from appearing when an analysis is run on code from a pull request. We'd then prevent a merge from taking place when, during analysis of a pull request, issues are found (new to the pull request, not pre-existing when the branch was created). So the question is: can we exclude 'legacy' issues in a SQ report, and if new issues (crit/high) are on the code in the pull, no merge is allowed. – randomNerdboy Sep 26 '17 at 15:28
  • The Sonar for Bitbucket only reacts on issues on your changes... It ignores issues even in the same class, if they are not on changed lines – Simon Schrottner Sep 26 '17 at 15:34
  • The new branching feature was introduced with commercial editions of SonarQube 6.7 which does not result in separate projects for branches anymore. – Saikat Nov 06 '18 at 07:05
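The rule Simon describes in the comments (only issues on the pull request's changed lines count; legacy issues elsewhere in the same class are ignored), combined with the severity threshold from the question, as an added Python example that is not code from any of the plugins mentioned. It assumes the pull request diff is available as unified-diff text and the issues as a SonarQube /api/issues/search-style JSON response; the diff, the issue keys and the project key `demo` are constructed.

```python
import json
# SonarQube severities that block the merge; the question's "Critical or High" is mapped
# to BLOCKER/CRITICAL here (an assumption). Component keys look like "<projectKey>:<path>".
BLOCKING = {"BLOCKER", "CRITICAL"}

def changed_lines(unified_diff):
    # Map each file in a unified diff to its added/modified new-side line numbers.
    changed, path, new_line = {}, None, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):                     # new-side file header
            path = raw[4:].split("\t")[0].removeprefix("b/")
            changed.setdefault(path, set())
        elif raw.startswith("@@"):                     # hunk header "@@ -a,b +c,d @@": take c
            new_line = int(raw.split()[2].lstrip("+").split(",")[0])
        elif path is None or raw[:1] in ("-", "\\"):   # old header, removed line, "\ No newline"
            continue
        else:                                          # context line or added ("+") line
            if raw.startswith("+"):
                changed[path].add(new_line)
            new_line += 1
    return changed

def blocking_issues(issues_json, changes):
    """Keys of open, blocking-severity issues on changed lines; legacy issues are skipped."""
    hits = []
    for issue in json.loads(issues_json)["issues"]:
        path = issue["component"].split(":", 1)[1]
        if (issue["status"] in ("OPEN", "REOPENED", "CONFIRMED") and issue["severity"] in BLOCKING
                and issue.get("line") in changes.get(path, ())):
            hits.append(issue["key"])
    return hits

def merge_allowed(issues_json, unified_diff):
    return not blocking_issues(issues_json, changed_lines(unified_diff))
# Constructed sample input: a PR diff that touches Foo.java at new lines 11 and 12.
SAMPLE_DIFF = """--- a/src/Foo.java
+++ b/src/Foo.java
@@ -10,2 +10,3 @@
 context line 10
-old line
+new line 11
+new line 12
"""
# Constructed issues response: new CRITICAL, legacy BLOCKER, new MAJOR, already-resolved CRITICAL.
FOO = "demo:src/Foo.java"
SAMPLE_ISSUES = json.dumps({"issues": [
    {"key": "new-critical", "component": FOO, "severity": "CRITICAL", "status": "OPEN", "line": 11},
    {"key": "legacy-blocker", "component": FOO, "severity": "BLOCKER", "status": "OPEN", "line": 3},
    {"key": "new-major", "component": FOO, "severity": "MAJOR", "status": "OPEN", "line": 12},
    {"key": "fixed-critical", "component": FOO, "severity": "CRITICAL", "status": "RESOLVED", "line": 11},
]})
```

In a Jenkins job you would fail the build (and so the merge check) whenever `merge_allowed` returns False; only `new-critical` trips it on the sample data, the legacy BLOCKER on line 3 does not.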

You may do static code analysis on the feature branches, in Jenkins, and report to Bitbucket Server with the Violation Comments To Bitbucket Server Plugin.

There is also a bunch of other Gradle and Maven plugins to take care of violations found.

Tomas Bjerre