SonarQube Analysis
The PTB supports using SonarQube Cloud to analyze, visualize, and track the linting, security, and coverage results that PTB uploads via sonar:check.
All of our Python projects should be evaluated against the Exasol Way and subscribe to the Clean as You Code methodology. If code modified in a pull request does not satisfy the configured criteria, the Sonar analysis fails.
The PTB workflow report.yml runs sonar:check after the linting and test
jobs have produced their artifacts. For the end-to-end PTB code-quality flow, see
Measuring Code Quality.
Configuration
To use Sonar with PTB, configure:
- GitHub access and secrets
- the Sonar project
- the project-specific Sonar settings in pyproject.toml and noxconfig.py
Public GitHub Repository
In GitHub
A GitHub Admin will need to:
- Inherit the organization secret ‘SONAR_TOKEN’
- Activate the SonarQubeCloud App
- Post-merge: update the branch protections to include SonarQube analysis. This should only be done when tests exist for the project and the project is at a state in which enforced code coverage would not be a burden. If you do not enact branch protections, it is recommended to create an issue to do so later.
In Sonar
- Create a project on SonarCloud
- The project key should follow this pattern, e.g. com.exasol:python-toolbox
To alter the project further, you will need the help of a SonarQube Admin.
In the Code
- In noxconfig.py, the relative path to the project’s source code is defined with Config.sonar_code_path.
- Add the following to the project’s pyproject.toml file:

```toml
[tool.sonar]
projectKey = "<sonar-project-key>"
host.url = "https://sonarcloud.io"
organization = "exasol"
exclusions = "<source_code_directory>/<directory-to-ignore>/*"
```
Note
For more information, see the General remarks section.
Private GitHub Repository
See the company wiki for details on how to use Exasol’s on-prem SonarQube cluster and the needed steps to configure for a private GitHub repository.
Note
For more general information, see the General remarks section.
General Remarks
For additional configuration information, see Sonar’s analysis parameters page.
Exclude Files from SonarQube Static Code Analysis
With the value of exclusions, you can exclude files and directories of your project from Sonar’s analysis:
- You can use wildcards, e.g. <root>/dir/*.py or <root>/**/*.py
- Multiple exclusions can be comma-separated (as shown above).
- For excluding arbitrary directories and files below a specific directory, please use two asterisks, e.g. root/abc/**.
See the Sonar Matching Patterns for more details.
The Nox session sonar:check only analyses the source code, as specified by
the PROJECT_CONFIG.sonar_code_path, so directories outside of this are
already excluded from being analyzed by default.