Sonar Evidence Integration
The Evidence Collection service can convert Sonar attestations generated by SonarQube into JFrog evidence. All forms of evidence subjects are supported, including artifacts, packages, builds, and Release Bundles. A sample command is shown below:
```shell
jf evd create --build-name build_name --build-number build_number --integration sonar --key path-to-key --key-alias key_alias
```
Prerequisites
- SONAR_TOKEN or SONARQUBE_TOKEN environment variable for fetching the data from Sonar
- report-task.txt, which contains the output of the Sonar code scan. These are the default locations for this file:

| Type | Default Location |
|---|---|
| maven | |
| gradle | |
| cli | |
| msbuild | |
Configuration Options
You can use either environment variables or a YAML file to set configuration options for Sonar evidence. The YAML file, which is called evidence.yaml, should be placed in the following folder: .jfrog/evidence/evidence.yaml
| Environment variable | YAML parameter | Description |
|---|---|---|
| | url | The Sonar URL. When the URL cannot be resolved from report-task.txt, the default value is https://sonarcloud.io. |
| | reportTaskFile | The location of the output produced by Sonar. Default locations are described in the table above. |
| | pollingMaxRetries | The maximum number of calls to the Sonar server to retrieve the report-task.txt file. |
| | pollingRetryIntervalMs | The interval in milliseconds between polling attempts. |
Sample evidence.yaml file
```yaml
sonar:
  url: https://sonarcloud.io
  reportTaskFile: /path/to/report-task.txt
  pollingMaxRetries: 30
  pollingRetryIntervalMs: 5000
```
Note
Environment variables override the values defined in evidence.yaml. To see a sample GitHub pipeline for creating Sonar evidence, go to https://github.com/jfrog/Evidence-Examples/blob/main/.github/workflows/sonar-evidence-example.yml. Additional information about Sonar evidence can be found under Sonar Evidence Example.
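The following is an added example, not code from JFrog or Sonar, that models the configuration rules described above: built-in defaults, then the `sonar` section of evidence.yaml, then environment variables that override the YAML values, followed by polling for report-task.txt with the configured retry count and interval and resolving the Sonar URL from its serverUrl entry (falling back to https://sonarcloud.io). The environment variable names ending in `_EXAMPLE` are placeholders standing in for the real ones in the configuration table, and the precedence of an explicitly configured URL over the serverUrl in report-task.txt is this example's assumption.

```python
"""Resolve Sonar evidence settings and poll for report-task.txt.

Added example only; it is not part of the JFrog CLI or the Evidence
Collection service. Loading evidence.yaml itself would need PyYAML, e.g.
    yaml.safe_load(open(".jfrog/evidence/evidence.yaml"))["sonar"]
which is left out so this file runs with the standard library alone.
"""
import os
import time
from pathlib import Path

# Documented default Sonar URL when report-task.txt yields none.
DEFAULT_SONAR_URL = "https://sonarcloud.io"

# Baseline values: url/reportTaskFile have no fixed default; the polling
# numbers below mirror the sample evidence.yaml and are an assumption.
DEFAULTS = {
    "url": None,
    "reportTaskFile": None,
    "pollingMaxRetries": 30,
    "pollingRetryIntervalMs": 5000,
}

# Placeholder environment variable names (hypothetical, not the real ones).
ENV_VARS = {
    "url": "SONAR_URL_EXAMPLE",
    "reportTaskFile": "SONAR_REPORT_TASK_FILE_EXAMPLE",
    "pollingMaxRetries": "SONAR_POLLING_MAX_RETRIES_EXAMPLE",
    "pollingRetryIntervalMs": "SONAR_POLLING_RETRY_INTERVAL_MS_EXAMPLE",
}
INT_KEYS = {"pollingMaxRetries", "pollingRetryIntervalMs"}


def resolve_config(yaml_sonar=None, env=None):
    """Merge defaults < evidence.yaml 'sonar' section < environment variables."""
    env = os.environ if env is None else env
    config = dict(DEFAULTS)
    for key, value in (yaml_sonar or {}).items():
        if key in DEFAULTS:          # ignore unknown keys rather than fail
            config[key] = value
    for key, var in ENV_VARS.items():
        if env.get(var):             # env vars override the YAML values
            config[key] = env[var]
    for key in INT_KEYS:             # env values arrive as strings
        config[key] = int(config[key])
    return config


def parse_report_task(text):
    """Parse the key=value lines of report-task.txt (Java properties style)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # ceTaskUrl contains '?id=' so split once
        props[key.strip()] = value.strip()
    return props


def resolve_sonar_url(config, report_task):
    """Explicit setting first, then serverUrl from report-task.txt, then the
    documented default. The first step's precedence is an assumption."""
    if config.get("url"):
        return config["url"]
    return report_task.get("serverUrl") or DEFAULT_SONAR_URL


def wait_for_report_task(path, max_retries, interval_ms, sleep=time.sleep):
    """Poll for report-task.txt up to max_retries times, interval_ms apart.

    Returns the parsed properties, or raises TimeoutError when the scanner
    never produced the file within the configured budget."""
    path = Path(path)
    for attempt in range(1, max_retries + 1):
        if path.is_file():
            return parse_report_task(path.read_text(encoding="utf-8"))
        if attempt < max_retries:
            sleep(interval_ms / 1000.0)
    raise TimeoutError(f"{path} not found after {max_retries} attempts")


if __name__ == "__main__":
    cfg = resolve_config({"pollingMaxRetries": 3, "pollingRetryIntervalMs": 500})
    print(cfg)
```

The `sleep` parameter exists so the polling loop can be exercised without real delays; in a pipeline the defaults (30 retries, 5000 ms) bound the wait at a couple of minutes, which is the budget to tune if your Sonar analysis regularly takes longer to publish report-task.txt.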