Adding quality gate to Jenkins maven project's build section

Question

I have a Jenkins Maven project that runs a SonarQube analysis for my build. I would like to add quality gate, so that my build fails when quality gate fails. I also would like to do it without Jenkinsfile (so just using Jenkins project configurations). Currently, I use build section to perform SonarQube analysis. The 'Goals and options' field has this code:

clean package -Dmaven.test.skip=true sonar:sonar -Dsonar.projectKey=someName -Dsonar.sources=src/main/java

Here is where I would like quality gate to be defined and implemented:

I tried to add Quality Gate to 'Post Build' section but no available options worked for me (I was thinking to try to make 'SonarQube Analysis with Maven' option to work, but it is deprecated now). I also found 'Quality Gate' plugin available to Jenkins but it has a vulnerability that I do not want to have (but wonder if there are any alternatives to said plugin).

I am thinking that 'Execute SonarQube Scanner' option in 'Pre-Steps' section may do it but I cannot find the right line/lines that I need to add to sonar-project.properties file (is there a line like sonar.qualityGateFailBuild = true option?)

This question here mentioned that Maven version is an issue. Wonder if it is possible to work around it? (My maven version is 3.8.0 and I cannot change it)

Update

Found an 'Post step' section that allows for sonar.property file to be configured. Currently, it looks as below, but Quality Gate still does not fail my build. What other arguments do I need to add?:

What you want to achieve ?? It’s not clear. Could you please write in comments what you want ? — Sourav, Nov 13 '20 at 15:59
@SouravAtta I would like to have a quality gate, so that my build fails when QG fails. I am having a Maven Project in Jenkins which, using "Configuration" option, allows me to execute my project from the 'Build' section of said "Configuration" option. Currently, it only scans my project and produces the analysis but does stop my build when QG fails — Joe, Nov 13 '20 at 16:21
Without sonar analysis, you will not able to able to fail your pipeline based on Quality Gate. You can make use of `Quality Gate Plugin`. In your pipeline configuration, under **Post Build Actions**, select `Wait for QualityGate` option. This will help to fail the pipeline based on QualityGate status. — Sourav, Nov 13 '20 at 17:11
@SouravAtta that was my plan initially, but it has the vulnerability and it is not something I can tolerate, unfortunately. Would it be possible to run both, SQ analysis and QG, in one of the pre steps? Like is it possible to configure 'Execute SonarQube Scanner' option to do all the work, for example? Or does build section needs to happen first? — Joe, Nov 13 '20 at 17:16
Ok got it. We have used the custom script to achieve this. I have updated the answer with the process to create script. — Sourav, Nov 13 '20 at 17:26

score 1 · Answer 1 · answered Nov 13 '20 at 17:24

Here is the most reliable way to achieve this.

You can achieve this using custom script to get the QualityGate status using sonar web api and set the job to be failed and success.

When you run the sonar analysis using maven sonar:sonar, after the analysis is completed report-task.txt will be created in the workspace folder.

Note: The location of the file report-task.txt depends on the tool that was used to generate it (in your case it is gradle). For eg. like The "mvn sonar:sonar" task defaults to "target/sonar". This location is controlled by the "sonar.scanner.metadataFilePath" property

You will get the ceTaskUrl and ceTaskId in report-task.txt. Now, you can use that ceTaskUrl to get the analysisId.

You can use the below web api to get the quality gate status using analysisId.

http://localhost:9000/sonarqube/api/qualitygates/project_status?analysisId=$ANALYSIS_ID

Yes, and in my projects that use Jenkinsfile, I used to use it (I extracted value from said API via JsonSlurper). If I understood you correctly, there is an option called 'Custom script' that I can use to write groovy script to use API? Or did you mean sonar.property file (in which case, what would my script be? Not sure if I can use groovy commands there and `sonar.scanner.metadataFilePath` will only give me the report-task.txt file's content. Would I need something like `sonar.qualitygate.wait`)? — Joe, Nov 16 '20 at 11:01

score 1 · Accepted Answer · answered Nov 17 '20 at 15:03

After trial and error, I found this post which was a life saver. I had some errors when I tried to use Nanotron's code (last answer), so I have added some adjustments. Here is what worked for me (I used 'Post Steps' --> 'Execute shell command' section of my Jenkins project):

if [ -e tmp.txt ];
then
rm tmp.txt
rm error.txt
rm task.json
fi


url=$(cat $WORKSPACE/[your pathway here]/target/sonar/report-task.txt | grep ceTaskUrl | cut -c11- )
echo ${url}
pswd=${SONAR_AUTH_TOKEN} // env variable that fetches sonar token
curl -s -X GET -u "${pswd}" "$url" | python -m json.tool

stsCheck=1

while [ $stsCheck = 1 ]
do
sleep 10
curl -s -X GET -u "${pswd}" "$url" -o task.json
status=$(python -m json.tool < task.json | grep -i "status" | cut --delimiter=: --fields=2 | sed 's/"//g' | sed 's/,//g' )
echo ${status}

if [ $status = SUCCESS ]; then
analysisID=$(python -m json.tool < task.json | grep -i "analysisId" | cut -c24- | sed 's/"//g' | sed 's/,//g')
analysisUrl="http://my-sonar-server/api/qualitygates/project_status?analysisId=${analysisID}"
echo ${analysisID}
echo ${analysisUrl}

stsCheck=0
fi
done

curl -s -X GET -u "${pswd}" -L $analysisUrl | python -m json.tool
curl -s -X GET -u "${pswd}" -L $analysisUrl | python -m json.tool | grep -i "status" | cut -c28- | sed 's/.$//' >> tmp.txt
cat tmp.txt
sed -n '/ERROR/p' tmp.txt >> error.txt
cat error.txt
if [ $(cat error.txt | wc -l) -eq 0 ]; then
echo "Quality Gate Passed ! Setting up SonarQube Job Status to Success ! "
else
echo "Quality Gate Failed ! Setting up SonarQube Job Status to Failure ! "
exit 1
fi

Adding quality gate to Jenkins maven project's build section

2 Answers2