Hello,
I'm glad to announce that the Apigee Plugin for SonarQube has been released.
For those who are not aware, SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
This plugin works with existing SonarQube installations. It allows SonarQube to examine Apigee Edge proxy definitions, by examining the XML files. It is based on SonarQube's built-in sonar-xml-plugin on which custom rules have been implemented.
The goal is to detect common bad practices, just like the bundle-linter available here does. Moreover, in constructing this plugin, I have taken inspiration from the rules catalog of this previously existing linter.
The latest release 2.1.0 of this plugin comes with the support of sonarXML 2.0.1+ and has been tested with all current public releases of SonarQube (from 6.7 to 8.2).
Note: SonarQube is unrelated to the Apigee project code-named "Sonar".
Some screenshots of the results in action:
Project overview in Sonar:
Project issues in Sonar:
Installation instructions:
With SonarQube Marketplace:
If the Marketplace is unreachable from your Sonar server:
Finally:
Some links:
Please feel free to give any feedback, or to vote for this article.
Regards,
Nicolas.
This is awesome @Nicolas TISSERAND
Thanks for building this. Would it be possible to re-use the output of the bundle-linter and push that to SONAR? In that case, we don't have to rewrite in both places. Just a thought.
Unfortunately it's not possible to directly re-use the bundle-linter. SonarQube is developed in Java, so the plugins must be in Java and packaged with Maven (https://docs.sonarqube.org/display/DEV/Developing+a+Plugin).
But, I use the bundle-linter as source of inspiration. There are some nice tips (like reverse loops for example).
For the moment, I manage these rules from bundle-linter: PD003, TD002, FL001, ST001, PO001, PO002, PO007, PO008, PO019, PO020, FR001, and some rules of my own created from previous experiences or based on this page.
The first tests are in progress in my company. Then I'll see later about sharing it with the community. (And I'll update this article with links and doc.)
Thank you for working on SonarQube plugin for Apigee.
I am unable to restart the server after I put the file sonar-apigee-plugin-X.X.X.jar in the directory $SONARQUBE_HOME/extensions/plugins.
Thanks @Nicolas TISSERAND for building this. Just an FYI on a side note: I'm working on a similar use case, but I installed the SonarJS Jenkins plugin and configured that in the pipeline after apigeelint.
Any suggestion on this approach?
Hello @Jinesh Thakkar. Thank you for trying my plugin, but you are a bit too early. The plugin is still under development and it is not properly released. This is the reason why I didn't make an announcement here yet.
The plugin still contains some bugs, just like this one, and I'm working on it with the help of the SonarQube community.
Stay tuned, I'll provide some news as soon as possible.
Hello @potturiprasanth. I think that it can work. But in order to execute apigeelint, nodejs must be installed on the Jenkins server, which is not always the case (just like for me). And the results of apigeelint stay in Jenkins, don't they?
Yes, we have node and Jenkins on the same server. Also, regarding the second point (the result of apigeelint): as we are executing apigeelint from the pipeline, I think the result would be printed in the Jenkins console log, but I am yet to try that.
Thanks,
@potturiprasanth: Yes, the results of apigeelint will be printed in the Jenkins console log. But your history will depend on the number of builds kept by Jenkins, whereas Sonar will store everything from the beginning.
Hi @Jinesh Thakkar, version 1.1.0 has been released. Please follow the installation instructions above and let me know if everything is ok now.
Thank you for making available this plugin.
Does this plugin also cover the JavaScript code?
No, the JavaScript code is natively covered by the SonarJS plugin:
https://docs.sonarqube.org/display/PLUG/SonarJS
I'm currently working on version 2.0.0 of my plugin to be compatible with the latest version of SonarQube. Please wait a few days until it is released. (Version 1.3.0 is not compatible at all.)
Hi @Nicolas TISSERAND - is this a Google tool or is it your personal tool? Or does Google support it?
Hi @amit nerkar - It's my own tool, open sourced, initially developed for my needs in my company.
There is no support at all from Google, nor from SonarSource.
Hi Nicolas,
I am trying to add custom rules in this plugin for my org.
I want to develop something similar to the rule below in this plugin:

    var plugin = {
      ruleId: "MyRule-002",
      name: "Check if the Spike Arrest policy is being used in the PreFlow section",
      message: "Spike Arrest policy should be included in the PreFlow section.",
      fatal: false,
      severity: 2, // error
      nodeType: "ProxyEndpoint",
      enabled: true
    },
    debug = require("debug")("bundlelinter:" + plugin.name);

    // Called by the linter once per ProxyEndpoint of the bundle
    var onProxyEndpoint = function(ep, cb) {
      var hadError = false,
          spikeArrestFound = false;
      if (ep.getPreFlow()) {
        var steps = ep.getPreFlow().getFlowRequest().getSteps();
        steps.forEach(function(step) {
          if (step.getName() && ep.getParent().getPolicies()) {
            var p = ep.getParent().getPolicyByName(step.getName());
            // A step may reference a policy missing from the bundle: guard against undefined
            if (p && p.getType() === "SpikeArrest") {
              spikeArrestFound = true;
            }
          }
        });
      }
      if (!spikeArrestFound) {
        ep.addMessage({ plugin, message: plugin.message });
        hadError = true;
      }
      if (typeof cb === "function") {
        cb(null, hadError);
      }
    };

    module.exports = { plugin, onProxyEndpoint };
@nicolastisseran Is it possible to modify existing rules? If not, then is there any way we can disable some of the rules?
There is no way to modify existing rules because they are hard-coded in the plugin. Only parameterized rules can be tuned (such as the "Description pattern" rule for the Apiproxy description).
If you want to disable some rules, you can achieve this by creating a custom SonarWay Profile and choosing only the desired rules.
@nicolastisseran this is awesome work here.
Can I add new rules to the existing list of rules?
Hello @saigurunath01
The main purpose of this Sonar plugin is to match the implementation of the apigeelint rules. (But I know that the latest rules are not yet implemented.)
What do you mean exactly by "adding new rules"?
If you're expecting to add a new rule with some DSL configuration (just like the sonarXML analyzer), then it's not possible. The checks often rely on several XML files; this is the reason why the rules are hardcoded in the SonarApigee plugin.
If you need some other rules that can be useful for all other Apigee users, then feel free to propose a PR in the project as well as in the original apigeelint project.
Regards.
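To illustrate why these checks span several XML files (the reason given above for hard-coding the rules), here is an added Python example that is not part of the SonarApigee plugin or of apigeelint. It implements the Spike Arrest PreFlow rule from the earlier comment over a constructed apiproxy bundle: each PreFlow request step name is resolved to its policies/*.xml file, and the policy type is read from that file's root element. The file paths, policy names and XML contents are constructed for the example; a step that points at a missing policy file simply never matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample bundle: one ProxyEndpoint plus the policies it references,
# keyed by the path each file would have under apiproxy/ (not a real project).
BUNDLE_OK = {
    "apiproxy/proxies/default.xml": """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>SA-Limit</Name></Step>
      <Step><Name>VK-Check</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
</ProxyEndpoint>""",
    "apiproxy/policies/SA-Limit.xml": '<SpikeArrest name="SA-Limit"><Rate>30ps</Rate></SpikeArrest>',
    "apiproxy/policies/VK-Check.xml": '<VerifyAPIKey name="VK-Check"><APIKey ref="request.queryparam.apikey"/></VerifyAPIKey>',
}

RULE_MESSAGE = "Spike Arrest policy should be included in the PreFlow section."


def policy_types(bundle):
    """Map policy name -> policy type; the type is the root element of each policies/*.xml."""
    types = {}
    for path, xml in bundle.items():
        if "/policies/" in path:
            root = ET.fromstring(xml)
            types[root.get("name")] = root.tag
    return types


def check_spike_arrest_in_preflow(bundle):
    """Return (endpoint_file, message) findings; an empty list means the rule passes."""
    findings = []
    types = policy_types(bundle)
    for path, xml in bundle.items():
        if "/proxies/" not in path:
            continue
        ep = ET.fromstring(xml)
        step_names = [n.text for n in ep.findall("./PreFlow/Request/Step/Name")]
        # Cross-file lookup: a step name only tells us which policy file to open;
        # types.get() returns None for a step whose policy file is absent.
        if not any(types.get(name) == "SpikeArrest" for name in step_names):
            findings.append((path, RULE_MESSAGE))
    return findings


# Same bundle with the Spike Arrest step and its policy removed: the rule must fire.
BUNDLE_BAD = dict(BUNDLE_OK)
BUNDLE_BAD["apiproxy/proxies/default.xml"] = BUNDLE_OK["apiproxy/proxies/default.xml"].replace(
    "<Step><Name>SA-Limit</Name></Step>", "")
del BUNDLE_BAD["apiproxy/policies/SA-Limit.xml"]
```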