Enable static analysis step in Jenkins #98
base: main
All contributors have signed the CLA ✍️ ✅
Pull Request Overview
This PR enables static analysis using SonarQube in the Jenkins pipeline. The changes integrate SonarQube scanning into the build process and add functionality to report results back to GitHub pull requests.
- Adds SonarQube static analysis step to the Jenkins pipeline
- Creates Python script to post SonarQube results as GitHub PR comments
- Adds Groovy functions for SonarQube integration and GitHub reporting
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| silabs_utils/performance_test_commands.cpp | Adds dummy function for testing static analysis |
| jenkins_integration/jenkinsFunctions.groovy | Implements SonarQube analysis and GitHub integration functions |
| jenkins_integration/github/send_sonar_results_to_github.py | Python script to post SonarQube results to GitHub PRs |
| jenkins_integration/Jenkinsfile | Replaces artifact upload stage with SonarQube static analysis step |
Pull Request Overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| qualityGateStatus = qualityGateMatcher[0][1] | ||
| qualityGateResult = (qualityGateStatus == "PASSED") ? "PASS" : "FAIL" | ||
| } else { | ||
| qualityGateResult = "PASS" |
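Review bot: the `else` branch assigns `qualityGateResult = "PASS"` whenever the status line was not matched, so a scanner run that aborted before printing the gate result, or a log-format change on the SonarQube side, is reported to the PR as passing. Default to `"FAIL"` in that branch and `echo` that parsing failed, so an unparseable result is visible rather than silently green; the explicit `== "PASSED"` comparison on the matched branch is already fail-closed and should stay that way.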
Copilot (AI), Sep 29, 2025:
The fallback logic assumes a successful quality gate when the status cannot be parsed from the output. This could mask actual failures and should default to "FAIL" for safety, or throw an error to indicate the parsing failed.
| qualityGateResult = "PASS" | |
| echo "WARNING: Could not parse QUALITY GATE STATUS from SonarQube output. Defaulting to FAIL." | |
| qualityGateResult = "FAIL" |
| def commit_sha = env.GIT_COMMIT ?: "unknown" | ||
|
|
||
| try { | ||
| sonarOutput = sh(script: "sonar-scanner ${sonarqubeParams.join(' ')}", returnStdout: true).trim() |
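Review bot: `"sonar-scanner ${sonarqubeParams.join(' ')}"` is a double-quoted Groovy string, so the token inside `sonarqubeParams` is interpolated into the command text before `sh` runs it; Jenkins echoes that command into the build log and includes it in the exception message when the scanner fails, which is exactly where the token must not appear. Keep the token out of `sonarqubeParams`, bind it with `withCredentials`, and reference it from a single-quoted script (for example `sh(script: 'sonar-scanner -Dsonar.token=$SONAR_TOKEN ...', returnStdout: true)`) so the shell reads it from the environment and Groovy never expands it.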
Copilot (AI), Sep 29, 2025:
The sonarqubeParams array contains sensitive data (SONAR_SECRET token) that could be exposed in logs when the command fails or in debug output. Consider using a separate approach to handle the token parameter securely.
| else: | ||
| print(f"❌ Failed to post comment to PR #{pr_number}") | ||
| print(f"Status: {response.status_code}") | ||
| print(f"Response: {response.text}") |
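Review bot: the `else` branch only prints and then falls through, so a rejected comment (bad token, wrong PR number, rate limit) leaves the script exiting 0 and the Jenkins step green with no result posted. After logging, `sys.exit(1)` or raise so the pipeline notices; and log `response.status_code` together with just `response.json().get("message")` rather than the full `response.text`, which can echo request details back.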
Copilot (AI), Sep 29, 2025:
The GitHub API response may contain sensitive information that should not be logged. Consider sanitizing the response or limiting what gets printed to avoid potential credential exposure.
| print(f"Response: {response.text}") | |
| try: | |
| error_message = response.json().get("message", "No error message provided.") | |
| except Exception: | |
| error_message = "Unable to parse error message from response." | |
| print(f"Error: {error_message}") |
| usernamePassword(credentialsId: 'Matter-Extension-GitHub', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_ACCESS_TOKEN') | ||
| ]) { | ||
| // Escape sonar output for shell command | ||
| def escapedOutput = sonar_output.replace('"', '\\"').replace('`', '\\`').replace('$', '\\$') |
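Review bot: the three `replace` calls in `escapedOutput` handle `"`, backtick and `$` but not backslashes or newlines, so scanner output containing `\"` becomes `\\"` (a literal backslash followed by an unescaped quote that ends the argument) and any multi-line output breaks the command regardless. Avoid building a shell command from free text at all: write `sonar_output` to the workspace with `writeFile` and have the Python script read that path, or hand it over through `withEnv`, so no shell quoting is involved and the `GITHUB_ACCESS_TOKEN` bound just above is the only thing crossing that boundary.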
Copilot (AI), Sep 29, 2025:
The shell escaping is incomplete and could allow command injection. Consider using proper shell escaping methods or passing the output through a file instead of as a command line argument.
I have read the CLA Document and I hereby sign the CLA on behalf of my company, e-mail: satyanaag.bollimpalli@silabs.com
Description of Problem/Feature:
This pull request adds a new static analysis pipeline using SonarQube to the Jenkins integration, enabling automated quality gate checks and reporting results directly to GitHub pull requests. The main changes include introducing a dedicated SonarQube analysis stage, new Groovy and Python scripts for running the analysis and posting results, and improved handling of output and commit SHA extraction.
Description of Fix/Solution:
Static Analysis Integration:
- `Static Analysis with SonarQube` stage to the Jenkins pipeline, which runs SonarQube analysis in a Docker container and posts results to GitHub PRs.
- `publishSonarAnalysis` Groovy function to configure SonarQube, execute the scanner, parse quality gate status and commit SHA, and return results for reporting.
GitHub Reporting:
- `send_sonar_results_to_github` Groovy function to invoke a Python script that posts SonarQube results as a formatted comment to the relevant GitHub PR, handling credentials and output escaping.
- `send_sonar_results_to_github.py`, a Python script that posts SonarQube analysis results and summary to GitHub PRs, including output truncation and error handling.
Testing Done:
- `DummyFunction` to `performance_test_commands.cpp` as a simple function for static analysis validation, ensuring the pipeline can analyze code without issues.
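The following is an added example, not code from this PR or from the Silicon Labs repository, showing in Python the fail-closed quality-gate parsing, output truncation and sanitized error logging that the review comments above ask for. The `QUALITY GATE STATUS:` line format and all function names are assumptions; the scanner output is constructed.

```python
import html
import json
import re

# Constructed sample of sonar-scanner output (assumed format: the scanner prints
# a "QUALITY GATE STATUS: PASSED|FAILED" line when it waits for the gate result).
SAMPLE_OUTPUT = """INFO: Analysis report uploaded in 123ms
INFO: QUALITY GATE STATUS: FAILED - View details on https://sonar.example/dashboard?id=demo
INFO: EXECUTION SUCCESS"""

QG_RE = re.compile(r"QUALITY GATE STATUS:\s*([A-Z]+)")


def parse_quality_gate(scanner_output):
    """Return (result, reason). Fail closed: only an explicit PASSED yields PASS;
    any other status, or no status line at all, is reported as FAIL."""
    match = QG_RE.search(scanner_output)
    if match is None:
        return "FAIL", "could not parse QUALITY GATE STATUS from scanner output"
    status = match.group(1)
    return ("PASS" if status == "PASSED" else "FAIL"), f"quality gate {status}"


def truncate_output(text, limit=2000):
    """Bound the comment body; GitHub limits the size of a comment body."""
    if len(text) <= limit:
        return text
    return text[:limit] + f"\n... [truncated {len(text) - limit} characters]"


def safe_error_message(status_code, body):
    """Log only the API's 'message' field, never the raw response text."""
    try:
        message = json.loads(body).get("message", "No error message provided.")
    except (ValueError, AttributeError):
        message = "Unable to parse error message from response."
    return f"GitHub API returned {status_code}: {message}"


def build_comment(scanner_output, commit_sha):
    """Markdown body for the PR comment. Scanner text is HTML-escaped and placed
    in the body itself, never on a shell command line, so no quoting is needed."""
    result, reason = parse_quality_gate(scanner_output)
    icon = "✅" if result == "PASS" else "❌"
    return (
        f"### SonarQube static analysis: {icon} {result}\n"
        f"Commit: `{commit_sha}`\n\nReason: {reason}\n\n"
        "<details><summary>Scanner output</summary>\n<pre>\n"
        f"{html.escape(truncate_output(scanner_output))}\n</pre>\n</details>"
    )
```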