SonarQube

Out-of-the-box discovery of Compliance Rules and their metadata

Introduction

The LeanIX VSM SonarQube integration offers the automated out-of-the-box creation and updating of LeanIX Compliance Rule Fact Sheets. In this way, we provide Compliance information that can be linked to Software Artifacts to understand what Compliance Rules a Software Artifact is breaking. Value Stream Management is focused on the high-level information of Compliance Rules.


Integrate with SonarQube to:

  • Get a holistic overview of your organization's Compliance Rules
  • Understand how many Compliance Rules each of your Software Artifacts is breaking, along with related insights

Setup in VSM

The SonarQube Integration works with the LeanIX Integration Hub to scan your company data, process it into an LDIF, and automatically trigger the Inbound Integration API processor.

Configuration

  1. In your VSM workspace go to 'Administration > Integrations'
  2. Enter the following details:

i. Configuration name: The name that identifies the data source.
ii. SonarQube instance URL: The URL where your SonarQube instance is running, for example http://example.sonarqube.com
iii. SonarQube token: A SonarQube token that grants the connector access to the SonarQube API to retrieve data. The token is generated by a SonarQube admin.

Since SonarQube is usually deployed on-premise, this integration requires one more step to successfully bring in data. Please find the details below.


External Execution

The SonarQube connector runs in external execution mode: the integration cannot be started or scheduled manually from VSM. Scheduling is handled in your own environment by making sure the connector runs periodically (e.g. via a Kubernetes CronJob or a manual trigger).

Setup in the source system

The connector Docker image is available in our public Azure container registry. The execution of this image can be scheduled in the environment in which the SonarQube instance to be scanned is reachable.

Prerequisites for Docker image execution

  • Docker CLI is available in your environment. You can test this by running the command docker -v in your terminal. The output should be something like Docker version 20.10.5, build 55c4c88. If you do not have Docker installed on your host machine, you can install it from here

Docker Image Pull

To pull the external-executable-sonarqube-connector from our public Azure container registry, please run the below command in your terminal

docker pull leanixacrpublic.azurecr.io/external-executable-sonarqube-connector:latest

Setting up environment variables for Docker run

We suggest creating an environment file with the required environment variables mentioned below. This file path needs to be passed as an input to the Docker container that will run the external-executable-sonarqube-connector image.

  1. LX_HOST: The LeanIX hostname the connector is going to connect to, e.g. app.leanix.net
  2. LX_APITOKEN: A valid technical user token obtained from the workspace the data will be delivered to. See Details
  3. LX_DATASOURCE_NAME: The name of the vsm-sonarqube-connector DataSource in the respective workspace that will be triggered by the connector.

LX_HOST={your domain}.leanix.net
LX_APITOKEN={token}
LX_DATASOURCE_NAME={Integration configuration name}

Running the Docker Container

Run the below command to execute the connector. Please replace ./sonarqube_connector_env.list with the path to the actual environment file you created above.

docker run --pull always  --env-file ./sonarqube_connector_env.list leanixacrpublic.azurecr.io/external-executable-sonarqube-connector
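As an added example (not LeanIX's connector code), the following Python checks the environment file for the three variables above before the container is started, verifies the file is not readable by other users since it carries the LeanIX token, and assembles the docker run command, including the --network host variant needed when Docker and SonarQube share the host network. The checks themselves are this example's assumptions.

```python
import os
import stat

# Variable names and image are taken from the setup steps above.
REQUIRED = ("LX_HOST", "LX_APITOKEN", "LX_DATASOURCE_NAME")
IMAGE = "leanixacrpublic.azurecr.io/external-executable-sonarqube-connector"


def parse_env_text(text):
    """Parse KEY=VALUE lines the way docker --env-file reads them:
    no quote processing, blank lines and '#' comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value
    return env


def check_env(env):
    """Return a list of problems; an empty list means the file looks usable.
    The checks are this example's own, not rules enforced by the connector."""
    problems = []
    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif "{" in value or "}" in value:
            problems.append(f"{key} still holds a template placeholder: {value}")
    host = env.get("LX_HOST", "")
    if "://" in host or "/" in host:
        problems.append("LX_HOST must be a bare hostname such as app.leanix.net")
    return problems


def file_is_private(path):
    """The env file carries the LeanIX token; it should not be readable by
    group or others. Returns True when the mode bits are restrictive enough."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IRGRP | stat.S_IROTH)


def docker_command(env_file, host_network=False):
    """Build the run command from the page; --network host is added when
    Docker and the SonarQube server share the host network."""
    cmd = ["docker", "run", "--pull", "always", "--env-file", env_file]
    if host_network:
        cmd += ["--network", "host"]
    return cmd + [IMAGE]
```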

The connector should start, and you should see output similar to the following on the container's stdout

> [email protected] start-self /usr/src/app
> node SonarQubeConnectorSelfStart

Attempting to self start via Integration Hub.
Successfully fetched the access token.
Successfully initiated the self start. Progress can also be checked in Sync Logging.
Updated IN_PROGRESS status to Integration Hub with status 200 and message: Starting to get data from sonarqube and process the LDIF!


Sync Logging

Open the "Sync Logging" tab to follow the progress of your current integration run. Sync Logging also provides information on previous integration runs.



Accessing the SonarQube server

The above docker run command may need to be adjusted to your network settings so that the container can reach the SonarQube server. For example, if Docker and the SonarQube server are running on the same host network, the --network host flag should be added to the command.

Imported Data

Below you find how objects fetched from SonarQube are translated into LeanIX Fact Sheets and attributes on them (SonarQube object → LeanIX Value Stream Management):

  • Project → Software Artifact Fact Sheet
  • Rule → Compliance Rule Fact Sheet
  • Issues in a Project (limited to 10 000 issues of type VULNERABILITY and BUG with severities BLOCKER and CRITICAL; see more about the SonarQube API here) → Relation between Software Artifact and Compliance Rule Fact Sheets, with count
  • Rule Language → Tag on the Compliance Rule Fact Sheet
  • Project Dashboard Link → Link available on the Software Artifact Fact Sheet as a resource
  • Rule Dashboard Link → Link available on the Compliance Rule Fact Sheet as a resource

In addition, every Compliance Rule Fact Sheet created by the integration carries the tag SonarQube.


Mapping discovered APIs to Software Artifacts

Our integration will automatically discover all Rules you have in SonarQube and create Compliance Rule Fact Sheets (as detailed above). Currently, information stored in SonarQube does not allow LeanIX to connect the Compliance Rule Fact Sheets to Software Artifacts (e.g. Microservices) automatically. To leverage a semi-automatic mapping mechanism follow the steps below:

  1. Retrieve and copy the 'Project Key' of the relevant project from your SonarQube instance
  2. In the to-be-linked Software Artifact Fact Sheet, paste the project key from step 1 into the field SonarQube Project Key
  3. Run the connector in a one-off run as described under Configuration to link the Fact Sheets immediately. As part of your scheduled connector runs, the processors will attempt to match Compliance Rule and Software Artifact Fact Sheets automatically.

Removing irrelevant data

  • If one of your projects in SonarQube no longer breaks a particular Compliance Rule, the relation between the respective Software Artifact and Compliance Rule is removed.
  • If one of your Compliance Rules in the SonarQube instance is no longer tracked (deleted), the corresponding Compliance Rule Fact Sheet is archived in the workspace.
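The mapping table and the removal rules above, as an added Python example (not LeanIX's processor code): it applies the issue filter stated for "Issues in a Project", aggregates the remaining issues into Software Artifact/Compliance Rule relations with a count per pair, and works out what a later run would remove or archive. The sample issues and rule keys are constructed, and applying the filter before the 10 000 cap is an assumption of this example.

```python
from collections import Counter

# Filter the page states for "Issues in a Project". Assumption of this
# example: the filter is applied first and the cap counts relevant issues.
ISSUE_TYPES = {"VULNERABILITY", "BUG"}
SEVERITIES = {"BLOCKER", "CRITICAL"}
MAX_ISSUES = 10_000

# Constructed sample shaped like SonarQube issues/search results; project
# and rule keys are placeholders, not real SonarQube rules.
SAMPLE_ISSUES = [
    {"project": "proj-payments", "rule": "java:RULE-A", "type": "VULNERABILITY", "severity": "BLOCKER"},
    {"project": "proj-payments", "rule": "java:RULE-A", "type": "VULNERABILITY", "severity": "CRITICAL"},
    {"project": "proj-payments", "rule": "java:RULE-B", "type": "BUG", "severity": "CRITICAL"},
    {"project": "proj-payments", "rule": "java:RULE-C", "type": "CODE_SMELL", "severity": "BLOCKER"},
    {"project": "proj-frontend", "rule": "js:RULE-D", "type": "BUG", "severity": "MAJOR"},
    {"project": "proj-frontend", "rule": "js:RULE-E", "type": "VULNERABILITY", "severity": "BLOCKER"},
]


def is_relevant(issue):
    """Keep only the issue types and severities the integration imports."""
    return issue.get("type") in ISSUE_TYPES and issue.get("severity") in SEVERITIES


def build_relations(issues, limit=MAX_ISSUES):
    """Map (project key, rule key) -> issue count, i.e. one Software Artifact
    <-> Compliance Rule relation per pair carrying the number of open issues."""
    counts = Counter()
    taken = 0
    for issue in issues:
        if taken >= limit:
            break
        if is_relevant(issue):
            counts[(issue["project"], issue["rule"])] += 1
            taken += 1
    return dict(counts)


def plan_cleanup(prev_relations, curr_relations, prev_rules, curr_rules):
    """Apply the removal rules above: a relation that disappeared between runs
    is removed (the project no longer breaks that rule); a rule key no longer
    returned by SonarQube has its Compliance Rule Fact Sheet archived."""
    removed = sorted(set(prev_relations) - set(curr_relations))
    archived = sorted(set(prev_rules) - set(curr_rules))
    return removed, archived
```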

Extending the Integration

The integration also supports Integration API execution groups via the Integration Hub, which lets you add custom processors. To process the data correctly, you need to add a custom processor set.


Sample data source configuration with execution group

"executionGroup": "vsmSonarqubeInbound"

The unique execution group name for this integration is vsmSonarqubeInbound.

The integration API will pick up your processors and merge them with the base processors at execution time. Make sure to set the Integration API run number accordingly.

For more information on the execution groups visit: https://docs.leanix.net/docs/integration-api#section-grouped-execution-of-multiple-integration-api-configurations

To get to grips with the general steps needed to extend the integration, please also see the in-depth guide in the tutorials section.

FAQs

How do I generate a SonarQube token?

  1. Go to your org's SonarQube Home page
  2. Go to "My Account" and open the "Security" tab
  3. Enter a name for the token and click "Generate Token"
  4. A new token is generated and shown in the UI.
