SonarQube Server analysis overview
With SonarQube Server, you can analyze your project’s main branch. Starting in the Developer Edition, you can analyze multiple branches and pull requests.
Code analysis with the SonarScanner
The SonarScanner performs the source code analysis. This stand-alone program runs on the CI/CD host and sends the analysis results to SonarQube Server, which computes them, calculates the quality gate, and generates reports.
To perform the analysis, the SonarScanner uses the language analyzers that it downloads from SonarQube Server at installation.
The Sonar Solution offers SonarScanners that integrate with the following build systems: Gradle, Maven, .NET, NPM, and Python. For other project types, the SonarScanner CLI, which requires more manual configuration, is used.
Analysis process
Essentially, the main steps of the analysis process are:
- Your build or CI pipeline starts the SonarScanner.
- The SonarScanner scans the local repository and determines the files to be analyzed according to the configured analysis scope.
- The scanner sends an analysis request to the respective language analyzer which retrieves the files to be analyzed from the file system and analyzes them according to the configured quality profile.
- The analyzer sends the analysis results (quality measures and issues) to the scanner which forwards them to SonarQube Server in the form of a report.
- SonarQube Server computes the analysis results asynchronously to perform the following:
- It identifies the new issues according to the configured New Code definition and raises them in both the new code and the overall code. The code is uploaded as part of the analysis so that users can see the code on which issues were raised; unanalyzed changes in the code are not visible.
- It computes the quality gate.
- It generates reports.
By default, only files that are recognized by your edition of SonarQube Server are loaded into the project during analysis. For example, if you're using SonarQube Community Build, which includes analysis of Java and JavaScript, but not C++, all .java and .js files would be loaded, but .cpp files would be ignored.
Integration into your CI pipeline
By integrating the SonarQube Server analysis into your CI pipeline, you can use the following analysis features for your projects: main branch analysis, and, starting in Developer Edition, pull request analysis and multiple branch analysis.
The relevant CI pipeline steps with SonarQube Server integration are:
- A developer pushes changes on a branch to the remote repository.
- A CI pipeline is triggered for the specific branch. For this purpose, webhooks may be used when events occur in the Source Control Management (SCM) system or the repository may be monitored by a CI/CD tool like Jenkins.
- The pipeline clones the remote repository and checks out the relevant branch to the local repository on the CI/CD host, copying both the code and the SCM metadata.
- In the case of a compiled programming language, the pipeline builds the code.
- The pipeline executes the appropriate SonarScanner to analyze the code.
- The scanner sends the analysis results to SonarQube Server, which computes them.
- SonarQube Server sends the quality gate computation result back to the CI pipeline (this step is optional).
- The pipeline continues if the quality gate passes, or stops otherwise.
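As an added illustration of the last two steps (this is not SonarSource's code), the module below does what a CI job does after the scanner finishes: it parses the report-task.txt file the scanner writes, waits for the server-side task to complete, and turns the quality gate status into a pipeline exit code. The file name and the response shapes of api/ce/task and api/qualitygates/project_status are assumed from the SonarQube Web API, and all sample data are constructed so the module runs offline.

```python
import json
from typing import Optional

# Constructed sample of the file the scanner writes after sending its report.
SAMPLE_REPORT_TASK = """\
projectKey=demo-project
serverUrl=http://sonarqube.example:9000
ceTaskId=AYconstructedTask01
ceTaskUrl=http://sonarqube.example:9000/api/ce/task?id=AYconstructedTask01
"""
# Constructed samples of the two server responses (shapes assumed from the Web API).
SAMPLE_TASK_RUNNING = '{"task": {"id": "AYconstructedTask01", "status": "IN_PROGRESS"}}'
SAMPLE_TASK_DONE = ('{"task": {"id": "AYconstructedTask01", "status": "SUCCESS",'
                    ' "analysisId": "AYconstructedAnalysis01"}}')
SAMPLE_QG_FAILED = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "65.4"}]}})


def parse_report_task(text: str) -> dict:
    """Parse the key=value lines of report-task.txt; ceTaskUrl is what the CI job polls."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def analysis_id_when_done(task_json: str) -> Optional[str]:
    """Return analysisId once the server-side task is SUCCESS, None while queued or running.
    A FAILED or CANCELED task raises so the pipeline stops instead of polling forever."""
    task = json.loads(task_json)["task"]
    if task["status"] == "SUCCESS":
        return task["analysisId"]
    if task["status"] in ("FAILED", "CANCELED"):
        raise RuntimeError(f"analysis task {task['id']} ended with {task['status']}")
    return None


def failed_conditions(project_status_json: str) -> list:
    """List 'metric comparator threshold (actual ...)' for every condition the gate failed."""
    ps = json.loads(project_status_json)["projectStatus"]
    return [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
            for c in ps.get("conditions", []) if c["status"] == "ERROR"]


def pipeline_exit_code(project_status_json: str) -> int:
    """0 lets the pipeline continue; anything but an explicit OK (ERROR, NONE, WARN) stops it."""
    status = json.loads(project_status_json)["projectStatus"]["status"]
    return 0 if status == "OK" else 1
```

Treating any status other than OK as a failure means a project with no quality gate computed yet, or an analysis that failed on the server, cannot silently pass the pipeline.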
Scanner engine and analyzers download at analysis time
A SonarScanner is a scanner bootstrapper that downloads the scanner engine and language analyzers from SonarQube Server at analysis time. This way:
- It ensures that the scanner engine and analyzer versions are compatible with SonarQube Server.
- Only the analyzers necessary to analyze the detected languages are downloaded.
The figure below shows a simplified view of the download process of the scanner engine and language analyzers. For each analysis run:
- The CI or build pipeline starts the SonarScanner.
- The SonarScanner connects to SonarQube Server to retrieve the scanner engine version to be used. It checks the scanner cache for the scanner engine version. If it doesn't find it, it downloads it from SonarQube Server and stores it in the cache.
- The scanner engine scans the code to identify the different languages used in the project to be analyzed.
- The scanner engine checks the scanner cache for the required language analyzers. If it doesn't find them, it downloads them from SonarQube Server and stores them in the cache.