We use SonarQube to scan our code (see Adding SonarQube to TFS build) and have version 8 LTS up-and-running for some time now. The upgrade to SonarQube 9 and future version 9 LTS is upcoming. Here is how we prepare for the upgrade.
Run SonarQube 9
According to the requirements for SonarQube we need the Java 11 runtime for the server. This is already available along with the other requirements because they are the same for running our version 8 LTS.
For testing purpose we create another database (upgrade test planned for another time) and put that connectionstring in the configuration. We configure other ports for the Web UI and ElasticSearch so we can run both version 8 and 9 at the same time on our server. After a few attempts we get everything right and see the “Sonarqube is up” message on the console.
Run Azure devops build
Our platform team installed the Java 17 runtime on a few build agents. This is needed for the scanners or we get errors. To make sure we use the correct Java runtime we set the environment variable JAVA_HOME to point to Java 17 in the task (like https://marketplace.visualstudio.com/items?itemName=Hey24sheep.envar) before the Run Code Analysis task.
In the Prepare Analysis task we needed to set the timeout property (sonar.ws.timeout) to 2 minutes. This might be caused by running two instances of SonarQube on one server.
For use of the new SonarQube 9 instance we needed to create a new service endpoint with a generated token. Here comes the first real difference – tokens are now more specific.
You need specific rights to create a project and specific rights to run analysis for a project. There is one token type that contains both rights but you should not use it for running analysis. So we need to create the project (and get a project key) by hand so the build can run analysis with the analysis token. More details about tokens: https://docs.sonarqube.org/latest/user-guide/user-token/
The analyses worked as expected and a report is available in the SonarQube 9 web ui.
We have some custom plugins. Most can be removed after buying a license. But the R code plugin was the odd one. Luckily we had no problems running analysis with the plugin after copying it from the version 8 instance.
- Read the what’s new to find out what more differences / features are in version 9 https://www.sonarqube.org/whats-new/
- Figure out how to use the new tokens https://docs.sonarqube.org/latest/user-guide/user-token/
- Add capabilities to Azure devops agents for java versions
- Test the database upgrade from SonarQube 8 to 9
For now all signs are on green.