Maven and Sonarqube

Time:12-05

A few basic questions on ci/cd pipelines.

  1. When we build Java code, do we create the jar file before going for SonarQube analysis, or do both happen simultaneously? My understanding is that SonarQube analysis needs to be performed before the Maven build. The build should happen only if code quality crosses our quality checks.

  2. Are SonarScanner and Maven used individually, or is SonarScanner integrated with Maven? I know both are possible, but what is the best way, given that we need artifacts to be created only if the code passes quality checks?

  3. How does SonarQube tell the CI system (be it Azure DevOps or any other system) whether to go for the next steps or break if the quality check fails?

CodePudding user response:

  1. Usually you run your full build (which includes building the jar file, or artifacts in general), and the Sonar analysis is done afterwards (unit test coverage, static code analysis, etc.). No, it is not done before; it is done afterwards, otherwise it would not be possible to integrate results like the code coverage of the unit/integration tests into the SonarQube analysis.

  2. Technically the Sonar scanner can be triggered via the Maven build (it is done via a Maven plugin) and is often called like this: mvn verify sonar:sonar (assuming that it is configured correctly).

  3. SonarQube has a webhook which will be called/triggered if the quality is not as expected. Most of the time the CI/CD system has a stage which shows the result of that and makes the final result of the build "red". Also, many source code hosting solutions (GitHub, GitLab, Gitea or alike) have indicators which show that (usually) within a pull request...

Update:

  • If you run Sonar analysis on a project without compiling the code, you will get this:
$ mvn clean sonar:sonar

[INFO] JavaClasspath initialization
[INFO] ------------------------------------------------------------------------

[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.952 s
[INFO] Finished at: 2022-12-04T21:41:34+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar (default-cli) on project kata-fraction: 
Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property. -> [Help 1]
[ERROR] 

CodePudding user response:

  1. It depends on the specific pipeline setup. In some cases, the jar file may be created before performing the SonarQube analysis, while in others the analysis and build may happen simultaneously. The key is to ensure that the SonarQube analysis is performed before the maven build, so that any potential issues with the code quality can be identified and addressed before the build process.
  2. Both options are possible, but it is generally recommended to integrate the SonarScanner with Maven. This allows the code quality analysis to be seamlessly integrated into the build process, and ensures that the artifacts are only created if the code passes the quality checks. This allows for a more efficient and effective pipeline, as the build process is not interrupted by issues with the code quality.
  3. The SonarQube analysis results are typically sent back to the CI system through the use of a SonarQube webhook, which is a tool that allows for the automatic triggering of a specific action (in this case, sending the analysis results) based on a specific event (such as the completion of the analysis). The webhook is configured to send the analysis results to the CI system, which can then use the information to determine whether to continue with the pipeline or stop it.
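The webhook hand-off described in point 3 of both answers, as an added example that is not part of this thread and not SonarQube's own code: a small receiver that a CI stage could run to turn a SonarQube webhook delivery into a pass/fail decision. It assumes the receiver is given the raw request body and headers; the payload field names (status, project, branch, qualityGate.status, qualityGate.conditions) follow the shape of SonarQube's webhook JSON, but every value in the sample is constructed (the project key kata-fraction is borrowed from the log above). The secret is hypothetical. The signature check matters because the webhook is what unblocks the pipeline: a receiver that trusts any POST saying the gate is "OK" can be fed a forged result by anyone who can reach it, so the body is authenticated with the HMAC-SHA256 header SonarQube sends when a webhook secret is configured.

```python
import hashlib
import hmac
import json

# Constructed sample payload. The field names follow the shape of SonarQube's
# webhook JSON; every value here is made up for the example.
SAMPLE_PAYLOAD = json.dumps({
    "serverUrl": "https://sonar.example.invalid",
    "taskId": "EXAMPLE-TASK-ID",
    "status": "SUCCESS",
    "analysedAt": "2022-12-04T21:41:34+0100",
    "project": {"key": "kata-fraction", "name": "kata-fraction"},
    "branch": {"name": "main", "type": "BRANCH", "isMain": True},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "61.2", "status": "ERROR", "errorThreshold": "80"},
            {"metric": "new_security_hotspots_reviewed", "operator": "LESS_THAN",
             "value": "100", "status": "OK", "errorThreshold": "100"},
        ],
    },
}).encode()

# Hypothetical shared secret, configured both in SonarQube's webhook settings
# and on the CI side. A real one belongs in the CI secret store, not in code.
WEBHOOK_SECRET = b"constructed-secret-for-the-example"

# Header SonarQube sets when a webhook secret is configured:
# the hex-encoded HMAC-SHA256 of the raw request body. Compared lower-cased.
SIGNATURE_HEADER = "x-sonar-webhook-hmac-sha256"


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, the same way the sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value, secret: bytes) -> bool:
    """Constant-time check; a missing or wrong header rejects the delivery."""
    if not header_value:
        return False
    return hmac.compare_digest(sign(body, secret), header_value)


def gate_decision(body: bytes) -> dict:
    """Reduce the payload to what a pipeline stage needs: pass/fail and why."""
    payload = json.loads(body)
    gate = payload.get("qualityGate", {})
    failed = [c["metric"] for c in gate.get("conditions", [])
              if c.get("status") == "ERROR"]
    # Both the analysis task and the quality gate have to report success.
    passed = payload.get("status") == "SUCCESS" and gate.get("status") == "OK"
    return {
        "project": payload.get("project", {}).get("key"),
        "branch": payload.get("branch", {}).get("name"),
        "passed": passed,
        "failed_conditions": failed,
    }


def handle_webhook(headers: dict, body: bytes, secret: bytes):
    """Return (http_status, decision); unauthenticated posts get 401 and no decision."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(body, lowered.get(SIGNATURE_HEADER), secret):
        return 401, None
    return 200, gate_decision(body)


if __name__ == "__main__":
    # Simulate SonarQube delivering the constructed payload with a valid signature.
    headers = {"X-Sonar-Webhook-HMAC-SHA256": sign(SAMPLE_PAYLOAD, WEBHOOK_SECRET)}
    status, decision = handle_webhook(headers, SAMPLE_PAYLOAD, WEBHOOK_SECRET)
    print(status, decision)
```

With the constructed payload the decision is "not passed" because the new_coverage condition is in ERROR, which is exactly the signal the CI stage turns into a red build; a delivery without a valid signature never reaches that logic at all.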