Maven, Azure DevOps and SonarCloud

While I admit I’m no Java guru, trying to get this up and running took me some time. So, I’m putting it here as a reference for myself later on and to help out anyone who may run into similar problems. This is how I set up and used Maven builds with Azure DevOps and SonarCloud integration.

The Pom File

There are a couple of important things to note in the Pom file. The SonarAnalyze task in Azure DevOps has been deprecated and is no longer used for Maven builds. To use Maven builds with Azure DevOps and SonarCloud, they want you to run the code analysis within the Maven build step instead, so our settings need to go into the Pom file. You define the Sonar settings in the properties section. Before you set this up, go to the security tab in your account settings or the organization settings in SonarCloud to get a security token to use here.

The properties:

<properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <java.version>1.8</java.version>
 <maven.compiler.source>1.8</maven.compiler.source>
 <maven.compiler.target>1.8</maven.compiler.target>

 <!-- Sonar -->
 <sonar.jacoco.reportPath>${project.basedir}/target/jacoco/jacoco-ut.exec</sonar.jacoco.reportPath>
 <sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/jacoco/jacoco-ut/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
 <sonar.language>java</sonar.language>
 <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
 <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
 <sonar.host.url>https://sonarcloud.io</sonar.host.url>
 <sonar.exclusions>[comma delimited exclusions]</sonar.exclusions>

 <!-- Organization and project keys are displayed in the right sidebar of the project homepage -->
 <sonar.organization>[org name here]</sonar.organization>
 <sonar.projectKey>[Project key here]</sonar.projectKey>
 <sonar.login>[SonarCloud auth token (org or user)]</sonar.login>
</properties>

The important thing to know about the properties above is that SonarCloud deprecated support for the JaCoCo exec output. They added a new option called sonar.coverage.jacoco.xmlReportPaths, which you use alongside sonar.jacoco.reportPath. You need to point the XML report path to the XML file that JaCoCo generates in your project, which is defined further down the Pom file. Leave the report path in so that coverage is displayed in the pipeline build output. For exclusions, use wildcards for directories and exclude specific Java files, not the Java classes. See this page for details.
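Because the properties above place the SonarCloud token in the Pom itself, a pre-commit or pipeline check can confirm that sonar.login holds a property reference rather than a literal token. The Python script below is an added example, not from the original post; the sample Pom, the token value, the SONAR_TOKEN variable name and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Properties that carry Sonar credentials (sonar.login is the one used on this page).
SECRET_PROPS = {"sonar.login", "sonar.token", "sonar.password"}
# A value made up only of a Maven property reference, e.g. ${env.SONAR_TOKEN}.
REFERENCE = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample Pom: the token and the SONAR_TOKEN variable name are assumptions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <sonar.host.url>https://sonarcloud.io</sonar.host.url>
    <sonar.login>0123456789abcdef-constructed-not-a-real-token</sonar.login>
  </properties>
  <profiles>
    <profile>
      <id>sonar</id>
      <properties>
        <sonar.login>${env.SONAR_TOKEN}</sonar.login>
      </properties>
    </profile>
  </profiles>
</project>"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on Pom tags."""
    return tag.rsplit("}", 1)[-1]

def find_hardcoded_secrets(pom_text):
    """Return (location, property) pairs whose value is a literal, not a ${...} reference."""
    findings = []
    def walk(node, where):
        for child in node:
            name = local_name(child.tag)
            if name == "properties":
                for prop in child:
                    key, value = local_name(prop.tag), (prop.text or "").strip()
                    if key in SECRET_PROPS and value and not REFERENCE.match(value):
                        findings.append((where, key))
            elif name == "profiles":  # profiles can define their own properties
                for profile in child:
                    pid = next((e.text or "?" for e in profile if local_name(e.tag) == "id"), "?")
                    walk(profile, "profile:" + pid)
    walk(ET.fromstring(pom_text), "project")
    return findings

if __name__ == "__main__":
    for where, key in find_hardcoded_secrets(SAMPLE_POM):
        print(f"{where}: {key} is a literal value; reference an environment variable instead")
```

With the reference form, the token itself lives in a secret pipeline variable that is mapped into the Maven step's environment, so it never lands in source control.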

For the plugins there are a couple entries:

Lastly, profiles…

<profiles>
 <profile>
  <id>sonar</id>
  <properties>
   <sonar.host.url>https://sonarcloud.io</sonar.host.url>
   <sonar.organization>[organization]</sonar.organization>
  </properties>
  <activation>
   <activeByDefault>true</activeByDefault>
  </activation>
  <build>
   <plugins>
    <plugin>
     <groupId>org.jacoco</groupId>
     <artifactId>jacoco-maven-plugin</artifactId>
     <executions>
      <execution>
       <id>prepare-agent</id>
       <goals>
        <goal>prepare-agent</goal>
       </goals>
      </execution>
      <execution>
       <id>report</id>
       <goals>
        <goal>report</goal>
       </goals>
      </execution>
     </executions>
    </plugin>
    <plugin>
     <groupId>org.sonarsource.scanner.maven</groupId>
     <artifactId>sonar-maven-plugin</artifactId>
    </plugin>
   </plugins>
  </build>
 </profile>
</profiles>

The Pipeline

I did all of this with a Docker build, but the simple steps are:

  1. SonarCloud Prepare
  2. Maven — Set sonarQubeRunAnalysis to true
  3. Publish Code Coverage Results
  4. SonarCloud Publish
  5. Publish Test Results

Before checking this all in, create the project in SonarCloud so it has somewhere to publish the data to. If you don’t do that, it will only create the project in SonarCloud when building against the master branch, and it will not publish the data with the initial pull request. A workaround for this, if you do not have permission to create projects, is to disable build policies to get the first pull request through and re-enable the policy again after it completes.

I hope this can help someone out!