JFrog Evidence Collection

Understanding the SonarQube Cloud integration with JFrog Evidence Collection.

This integration requires the SonarQube Cloud Enterprise license.

To set up your pipeline to use the JFrog CLI to create the Sonar evidence, see the JFrog pipelines documentation.

The JFrog Evidence Collection expands JFrog’s Release Lifecycle Management capabilities to enrich artifacts, builds, and release bundles with signed attestation metadata that can be easily tracked and verified for governance and compliance.

SonarQube Cloud integrates with JFrog Evidence Collection to provide trusted auditing for software packages.

Prerequisites

SonarQube Cloud Enterprise license
JFrog Artifactory Enterprise+ license
Minimum JFrog CLI version: 2.78.9

Integration overview

The JFrog CLI is used within the CI pipeline to create the Sonar evidence that will be displayed on the JFrog platform. This evidence contains the quality gate status computed by SonarQube Cloud and made accessible via its API.

The figure below shows the process:

The CI pipeline starts the SonarQube analysis.
The SonarScanner performs the analysis and sends the results to SonarQube Cloud.
SonarQube Cloud processes the analysis results and computes the quality gate status.
The CI pipeline asks JFrog CLI to create the Sonar evidence for the analysis.
The JFrog CLI, which waits for the analysis completion, retrieves SonarQube analysis evidence payload from SonarQube Cloud's endpoint: api.sonarcloud.io/dop-translation/jfrog-evidence (see JFrog Evidence Collection below).

The JFrog CLI waits for the SonarQube Cloud analysis completion, retrieves SonarQube analysis evidence payload from SonarQube Cloud's endpoint, creates the Sonar evidence, and sends it to JFrog Evidence Collection.

Example of a Sonar endpoint response

The endpoint response contains the evidence payload in JSON format with a markdown section.

{
   "predicateType":"https://jfrog.com/evidence/sonarqube/v1",
   "predicate":{
      "projectStatus":{
         "status":"ERROR",
         "ignoredConditions":false,
         "caycStatus":"non-compliant",
         "conditions":[
            {
               "status":"ERROR",
               "metricKey":"new_coverage",
               "comparator":"LT",
               "errorThreshold":"85",
               "actualValue":"82.50562381034781"
            },
            {
               "status":"OK",
               "metricKey":"skipped_tests",
               "comparator":"GT",
               "actualValue":"0"
            }
         ],
         "period":{
            "mode":"last_version",
            "date":"2000-04-27T00:45:23+0200",
            "parameter":"2015-12-07"
         }
      }
   },
    "createdAt": "2222-01-01T00:00:00.000Z",
    "createdBy": "SonarQube",
    "markdown": "# SVG in Markdown example\n\n## Details\n\n- **Type**: svg examples\n\nThis demonstrates the syntax for embedding an SVG without a separate file.\n\n!"
}

PreviousJira Cloud NextWebhooks

Last updated 20 days ago

Was this helpful?

Good afternoon

hashtagPrerequisites

hashtagIntegration overview

hashtagExample of a Sonar endpoint response

Prerequisites

Integration overview

Example of a Sonar endpoint response