SonarQube Analysis

The PTB supports using SonarQube Cloud to analyze, visualize, and track linting, security, and coverage results that PTB uploads via sonar:check.

All of our Python projects should be evaluated against the Exasol Way and follow the Clean as You Code methodology. If the code changed in a pull request does not satisfy the configured quality gate, the Sonar analysis fails.

The PTB workflow report.yml runs sonar:check after the linting and test jobs have produced their artifacts. For the end-to-end PTB code-quality flow, see Measuring Code Quality.

Configuration

To use Sonar with PTB, configure:

  • GitHub access and secrets

  • the Sonar project

  • the project-specific Sonar settings in pyproject.toml and noxconfig.py

Public GitHub Repository

In GitHub

A GitHub Admin will need to:

  1. Make the organization secret SONAR_TOKEN available to the repository (inherit it from the organization)

  2. Activate the SonarQubeCloud App

  3. Post-merge: update the branch protections so that the SonarQube analysis is required.

  • Do this only once the project has tests and is in a state where enforcing code coverage is not a burden. If you do not enable the branch protection yet, create an issue so that it is done later.

In Sonar

  1. Create a project on SonarCloud

  • The project key should follow the pattern of the existing projects, e.g. com.exasol:python-toolbox for the repository python-toolbox

  • To alter the project further, you will need the help of a SonarQube Admin.

In the Code

  1. In noxconfig.py, set Config.sonar_code_path to the relative path of the project’s source code.

  2. Add the following to the project’s pyproject.toml:
    [tool.sonar]
    projectKey = "<sonar-project-key>"
    host.url = "https://sonarcloud.io"
    organization = "exasol"
    exclusions = "<source_code_directory>/<directory-to-ignore>/*"
    

Note

For more information, see the General remarks section.

Private GitHub Repository

See the company wiki for details on how to use Exasol’s on-prem SonarQube cluster and the needed steps to configure for a private GitHub repository.

Note

For more general information, see the General remarks section.

General Remarks

For additional configuration information, see Sonar’s analysis parameters page.

Exclude Files from SonarQube Static Code Analysis

With the value of exclusions, you can exclude files and directories of your project from Sonar’s analysis:

  • You can use wildcards, e.g. <root>/dir/*.py or <root>/**/*.py

  • Multiple exclusions are given as one comma-separated string, e.g. "<root>/dir/*.py, <root>/generated/**".

  • A single asterisk does not cross directory boundaries: root/abc/* excludes only the direct children of root/abc. To exclude all directories and files below a directory, use two asterisks, e.g. root/abc/**.

See the Sonar Matching Patterns for more details.

The Nox session sonar:check only analyses the source code under PROJECT_CONFIG.sonar_code_path, so directories outside that path (such as the test directory, if it lives outside the source tree) are excluded by default and need no exclusions entry.
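As an added example (not code from the PTB or from Sonar), the following script applies a [tool.sonar] configuration like the one in the "In the Code" section using Sonar's matching-pattern rules, so you can check before pushing which files under sonar_code_path a scan would cover and which the exclusions drop. It assumes a project whose Config.sonar_code_path is exasol/toolbox, a constructed file list, and that the keys under [tool.sonar] map to the sonar-scanner properties of the same name (sonar.projectKey, sonar.host.url, sonar.organization, sonar.exclusions); how the PTB's own session passes them to the scanner is not shown here.

```python
"""Preview what a Sonar scan would cover for a PTB-style configuration.

Added example, not PTB code. SONAR_SETTINGS is what the [tool.sonar] table
from pyproject.toml parses to (the dotted key host.url becomes a nested
table), SONAR_CODE_PATH stands in for Config.sonar_code_path and
PROJECT_FILES is a constructed file tree.
"""
import re

SONAR_SETTINGS = {  # constructed; mirrors the [tool.sonar] table on the page
    "projectKey": "com.exasol:python-toolbox",
    "host": {"url": "https://sonarcloud.io"},
    "organization": "exasol",
    # two patterns in one comma-separated string, as Sonar expects
    "exclusions": "exasol/toolbox/templates/**, exasol/toolbox/vendored/*.py",
}
SONAR_CODE_PATH = "exasol/toolbox"  # assumed value of Config.sonar_code_path

PROJECT_FILES = [  # constructed file tree, paths relative to the repo root
    "exasol/toolbox/__init__.py",
    "exasol/toolbox/nox/_sonar.py",
    "exasol/toolbox/templates/README.md",
    "exasol/toolbox/templates/github/workflows/report.yml",
    "exasol/toolbox/vendored/legacy.py",
    "exasol/toolbox/vendored/sub/keep.py",
    "test/unit/test_sonar.py",
    "noxfile.py",
]


def flatten_settings(settings, prefix="sonar"):
    """Flatten nested tables into dotted property names.

    Assumed mapping: tool.sonar.host.url -> sonar.host.url, etc.
    """
    flat = {}
    for key, value in settings.items():
        name = f"{prefix}.{key}"
        if isinstance(value, dict):
            flat.update(flatten_settings(value, name))
        else:
            flat[name] = value
    return flat


def parse_exclusions(value):
    """Split the comma-separated sonar.exclusions value into patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def pattern_to_regex(pattern):
    """Translate a Sonar matching pattern into an anchored regex.

    '**' matches zero or more path segments, '*' any run of characters
    except '/', '?' a single character except '/'.
    """
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            regex += "(?:.*/)?"  # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"        # anything, including '/'
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"     # stays within one path segment
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def analysed_files(files, code_path, exclusions):
    """Files under code_path that no exclusion pattern matches."""
    regexes = [pattern_to_regex(p) for p in exclusions]
    prefix = code_path.rstrip("/") + "/"
    return sorted(
        f for f in files
        if f.startswith(prefix) and not any(r.match(f) for r in regexes)
    )


if __name__ == "__main__":
    for name, value in flatten_settings(SONAR_SETTINGS).items():
        print(f"{name}={value}")
    patterns = parse_exclusions(SONAR_SETTINGS["exclusions"])
    print("files a scan would cover:")
    for path in analysed_files(PROJECT_FILES, SONAR_CODE_PATH, patterns):
        print("  " + path)
```

Running it shows the point of the second pattern: exasol/toolbox/vendored/*.py removes vendored/legacy.py but keeps vendored/sub/keep.py, because a single asterisk stops at the directory delimiter, while the templates/** pattern removes everything below templates. test/unit/test_sonar.py and noxfile.py never appear, since they lie outside sonar_code_path.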