SonarQube Analysis

The PTB supports using SonarQube Cloud to analyze, visualize, & track linting, security, & coverage. All of our Python projects should be evaluated against the Exasol Way and subscribe to the Clean as You Code methodology. If code modified in a PR does not satisfy the aforementioned criteria, the SonarQube analysis fails.

The PTB includes instructions to set up a GitHub bot that displays the results of the Sonar analysis in your pull requests as a stylized comment and workflow result. The Configuration section gives instructions for public and private repositories.

Configuration

Public GitHub repository

In GitHub

A GitHub Admin will need to:

  1. Inherit organization secret ‘SONAR_TOKEN’

  2. Activate the SonarQubeCloud App

  3. Post-merge: update the branch protections to include SonarQube analysis.

  • Do this only when tests exist for the project and the project is at a state in which enforced code coverage would not be a burden. If you do not enact branch protections, it is recommended to create an issue to do so later.

In Sonar

  1. Create a project on SonarCloud

  • The project key should follow this pattern, e.g. com.exasol:python-toolbox

  • To alter the project further, you will need the help of a SonarQube Admin.

In the code

  1. In noxconfig.py, define the relative path to the project’s source code with Config.sonar_code_path.

  2. Add the following to the project’s pyproject.toml file:
    [tool.sonar]
    projectKey = "<sonar-project-key>"
    host.url = "https://sonarcloud.io"
    organization = "exasol"
    exclusions = "<source_code_directory>/version.py,<source_code_directory>/<directory-to-ignore>/*"

Note

For more information, see the General remarks section.

Private GitHub repository

See the company wiki for details on how to use Exasol’s on-prem SonarQube cluster and the needed steps to configure for a private GitHub repository.

Note

For more general information, see the General remarks section.

General remarks

For additional configuration information, see Sonar’s analysis parameters page.

exclusions

With the value of exclusions, you can exclude files and directories of your project from Sonar’s analysis:

  • You can use wildcards, e.g. <root>/dir/*.py or <root>/**/*.py

  • Multiple exclusions can be comma-separated (as shown above).

  • For excluding arbitrary directories and files below a specific directory, please use two asterisks, e.g. root/abc/**.

See the Sonar Matching Patterns for more details.
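To check which files a given exclusions value actually hides before you push a pyproject.toml change, here is an added example (not part of the PTB or of Sonar) that applies the wildcard rules above to a constructed file list; the source directory exasol/toolbox and the regex approximation of Sonar's matcher are assumptions:

```python
import re
from typing import Iterable

# Constructed exclusions value mirroring the pyproject.toml snippet above;
# the source directory "exasol/toolbox" is an assumption, not the project's.
EXCLUSIONS = "exasol/toolbox/version.py,exasol/toolbox/generated/*"

# Constructed file list standing in for a checkout
SAMPLE_FILES = [
    "exasol/toolbox/__init__.py",
    "exasol/toolbox/version.py",
    "exasol/toolbox/version_check.py",
    "exasol/toolbox/generated/models.py",
    "exasol/toolbox/generated/nested/deep.py",
]

def sonar_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sonar-style wildcard pattern into a compiled regex.

    Assumed rules: '**/' matches zero or more directories, '**' matches
    anything including '/', while '*' and '?' never cross a '/' boundary.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/|)")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_exclusions(value: str) -> list[str]:
    """Split the comma-separated exclusions value into single patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]

def excluded_files(paths: Iterable[str], exclusions: str) -> set[str]:
    """Return the paths that the given exclusions would hide from analysis."""
    regexes = [sonar_pattern_to_regex(p) for p in parse_exclusions(exclusions)]
    return {path for path in paths if any(r.match(path) for r in regexes)}
```

Note that a pattern ending in /* stops at the first directory level, so exasol/toolbox/generated/nested/deep.py stays in the analysis unless the pattern ends in /** instead.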

By default, the nox session sonar:check only analyzes the source code directory given by PROJECT_CONFIG.sonar_code_path, so files outside of it are already excluded from analysis.