Hello,
I'm glad to announce that the a Apigee Plugin for SonarQube has been released.
For those who are not aware, SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.
This plugin works with existing SonarQube installations. It allows SonarQube to examine Apigee Edge proxy definitions, by examining the XML files. It is based on SonarQube's built-in sonar-xml-plugin on which custom rules have been implemented.
The goal is to detect common bad practices, just like the bundle-linter available here do. Moreover, in constructing this plugin, I have taken inspiration from the rules catalog of this previously existing linter.
The latest release 2.1.0 of this plugin comes with the support of sonarXML 2.0.1+ and has been tested with all current public releases of SonarQube (from 6.7 to 8.2).
Note: SonarQube is unrelated to the Apigee project code-named "Sonar".
Some screenshots of the results in action :
Project overview in Sonar :
Project issues in Sonar :
Installation instructions :
With SonarQube Marketplace :
- Use the Marketplace Update Center to search the Apigee plugin :
- Click on the install button
- (The SonarXML Plugin will be installed in the same time if it's not already installed)
If the Marketplace is unreachable from your Sonar server :
- Put the file sonar-apigee-plugin-X.X.X.jar in the directory $SONARQUBE_HOME/extensions/plugins. (the jar is available in the release section)
- Mandatory :
- Check that the SonarXML Plugin is already installed (minimum release 2.0.1.2020)
- If not, download it here (minimum release 2.0.1.*) and put the jar also in the directory $SONARQUBE_HOME/extensions/plugins
Finally :
- Restart the SonarQube server
- Set the "Sonar way Apigee" quality profile as default. You can also create a new profile and add it the rules coming from ApigeeXML and CommonXML repositories.
- Add .wsdl as suffix to be analyzed in the XMLPlugin administration.
- Configure your Quality Gates as needed
Some links :
- Project site, documentation & issue tracking : https://github.com/CreditMutuelArkea/sonar-apigee-plugin
- Direct link to binary : https://github.com/CreditMutuelArkea/sonar-apigee-plugin/releases/latest
Please feel free to give any feedback, or to vote for this article.
Regards,
Nicolas.
This is awesome @Nicolas TISSERAND
Thanks for building this. Would it be possible to re-use the output of the bundle-linter and push that to SONAR ? In that case, we don't have to rewrite in both places. Just a thought
Unfortunately it's not possible to directly re-use the bundle-linter. SonarQube is developped in Java, so the plugins must be in Java and packaged with Maven. (https://docs.sonarqube.org/display/DEV/Developing+a+Plugin).
But, I use the bundle-linter as source of inspiration. There are some nice tips (like reverse loops for example).
For the moment, I manage these rules from bundle-linter : PD003, TD002, FL001, ST001, PO001, PO002, PO007, PO008, PO019, PO020, FR001 and some own rules created from previous experiences or based on this page.
The first tests are in progress in my company. Then I'll see later to share it with the community. (And I'll update this article with links and doc)
Thanks @Nicolas TISSERAND for building this. Just an FYI on side note, working on similar use case but installed SONARJS jenkins plugin and configured that in pipeline post apigeelinter
Any suggestion on this approach?
Hello @potturiprasanth . I think that it can work. But in order to execute apigeelinter, nodejs must be installed on the jenkins server which is not always the case (just like me). And the results of apigeelinter stay in Jenkins, isn't it ?
Thank you for working on SonarQube plugin for Apigee.
I am unable to restart the server after I put the file sonar-apigee-plugin-X.X.X.jar in the directory $SONARQUBE_HOME/extensions/plugins
Hello @Jinesh Thakkar. Thank you for trying my plugin but you are a bit too earlier. The plugin is still under development and it is not properly released. This is the reason why I didn't made an announcement here yet.
The plugin still contains some bugs, just like this one and I'm working on this with the help of the SonarQube community.
Stay tuned, I'll provide some news as soon as possible.
Hi @Jinesh Thakkar, the version 1.1.0 hes been released. Please follow the installation instructions above and let me know if everything is ok now.
Thank you for making available this plugin.
Does this plugin also cover the javascript code.
No, the Javascript code is natively covered by the SonarJS plugin :
https://docs.sonarqube.org/display/PLUG/SonarJS
I'm currently working on the version 2.0.0 of my plugin to be compatible with the latest version of SonarQube. Please wait few days before it'll be released. (Version 1.3.0 is not compatible at all).
Hi @Nicolas TISSERAND - is this a google tool or your its your personal tool. Or does Google support it.
Hi Nicolas,
I am trying to add custom rules in this plugin for my org.
I want to develop something similar to below rule in this plugin :-
var plugin ={
ruleId:"MyRule-002",
name:"Check if the Spike Arrest policy is being used in the PreFlow section",
message:"Spike Arrest policy should be included in the PreFlow section.",
fatal:false,
severity:2,//error
nodeType:"ProxyEndpoint",
enabled:true},
debug =require("debug")("bundlelinter:"+ plugin.name);var onProxyEndpoint =function(ep, cb){var hadError =false,
spikeArrestFound =false;if(ep.getPreFlow()){var steps = ep.getPreFlow().getFlowRequest().getSteps();
steps.forEach(function(step){if(step.getName()&& ep.getParent().getPolicies()){var p = ep.getParent().getPolicyByName(step.getName());if(p.getType()==="SpikeArrest"){
spikeArrestFound =true;}}});}if(!spikeArrestFound){
ep.addMessage({
plugin,
message: plugin.message
});
hadError =true;}if(typeof(cb)=='function'){
cb(null, hadError);}};module.exports ={
plugin,
onProxyEndpoint
};Contributors
55 People are following this .
