The check name for decorating Github Pull Requests is currently based on the project name, which prevents setting a global policy for an action having completed on all projects based on a single name. To bring the plugin in line with the commercial edition, a static name is being used during decoration unless the project is declared as a mono-repo, in which case the project name will be added to the check name.
JUnit 4 has been removed from the project and all tests updated to use
JUnit 5. Where possible calls to Mockito's `mock` has been altered to
use the `no-args` version, and ArgumentCaptor's `forClass` replaced with
`captor` to reduce verbosity.
The Bitbucket decorators submit a report to Bitbucket containing the
quality gate summary, but don't submit a report that influences the
build status. A second call is being made to submit a build status that
is either successful if the Quality Gate has passed, or failed if the
Quality Gate did not pass.
Users currently submit a number of reports for Sonarqube reporting that
branch analysis is not available despite them having the plugin
installed, which are typically triggered by the user not having set up
the Java agent on one of the components correctly. This is compounded by
the Sonarqube plugin screen showing the plugin as being installed in
these scenarios even where the plugin's classes and configuration have
not been fully loaded into Sonarqube. To overcome this, the plugin
bootstrap class is now checking for the agent having made an alteration
to one of the bootstrap methods as an indication that the agent has run
successfully for both the Compute Engine and Web components, with the
plugin failing to start if either component doesn't detect the agent
modifications, and therefore preventing the Sonarqube server starting.
Whilst this won't fully resolve the problem of users not installing the
plugin properly, it prevents them believing the plugin is installed and
then only finding out things aren't right at the point they try and
submit an analysis with branch or pull request properties.
The plugin historically left old comments in place but resolved
conversations where comments had become outdated or the underlying issue
had been resolved. However, in Gitlab, the summary comments always
remained visible even when resolved as they were the first comment in
the thread so were not minimised by the Gitlab UI. For a merge request
being scanned multiple times as issues are being fixed, other review
comments responded to, and rebasing activities performed, this can lead
to a number of summary comments being added where the last comment is
typically only the one that developers care about.
As editing comments is not good practice since it's unclear what any
resulting comments in the thread are referring to and Gitlab does not
send emails to notify that comments have changed, the summary comment
is continuing to be posted as a new comment, but the old summary
comments are now being deleted. Where a thread has spawned from an old
summary comment, that comment will not be deleted, but a note added to
notify the users that the summary comment is outdated and the thread can
be resolved once the discussion reaches a conclusion.
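The cleanup rule described above, as an added example rather than the plugin's own GitLab decorator code: given the existing merge request discussions, a new summary has already been posted, old summary comments without replies are deleted, and old summary comments that have grown a thread get an "outdated" note instead. The Discussion and Action shapes, the summary marker text and the note wording are assumptions made for the example; it targets Java 17 for the record types.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not the plugin's GitLab decorator. The marker, the note text and the
// Discussion/Action shapes are assumptions; a real client would issue the API calls.
public final class SummaryCommentCleanup {

    // Assumed marker that identifies a summary comment among the merge request discussions.
    static final String SUMMARY_MARKER = "# Analysis summary";
    static final String OUTDATED_NOTE =
            "This summary is outdated; a newer summary has been posted. "
            + "This thread can be resolved once the discussion reaches a conclusion.";

    // Minimal stand-in for a GitLab discussion: its first note and whether anyone replied to it.
    record Discussion(long id, String firstNoteBody, boolean hasReplies) {}

    // The decorator's decision for one discussion, collected so it can be inspected or tested.
    record Action(String kind, long discussionId, String noteBody) {}

    static boolean isSummary(Discussion discussion) {
        return discussion.firstNoteBody().startsWith(SUMMARY_MARKER);
    }

    // Assumes the new summary has already been posted and is not in `existing`.
    // Old summaries without replies are deleted; those with a thread get an outdated note.
    static List<Action> planCleanup(List<Discussion> existing) {
        List<Action> actions = new ArrayList<>();
        for (Discussion discussion : existing) {
            if (!isSummary(discussion)) {
                continue; // inline issue comments are handled elsewhere and left alone here
            }
            if (discussion.hasReplies()) {
                actions.add(new Action("add-note", discussion.id(), OUTDATED_NOTE));
            } else {
                actions.add(new Action("delete", discussion.id(), null));
            }
        }
        return actions;
    }

    public static void main(String[] args) {
        // Constructed sample: two old summaries (one with a reply) and one ordinary issue comment.
        List<Discussion> existing = List.of(
                new Discussion(101, SUMMARY_MARKER + "\nQuality Gate failed", false),
                new Discussion(102, SUMMARY_MARKER + "\nQuality Gate failed", true),
                new Discussion(103, "Remove this unused import", true));

        for (Action action : planCleanup(existing)) {
            System.out.println(action.kind() + " discussion " + action.discussionId()
                    + (action.noteBody() == null ? "" : ": " + action.noteBody()));
        }
    }
}
```

In the sample, discussion 101 is deleted, 102 keeps its thread and receives the outdated note, and 103 is untouched. Collecting the decisions as actions before calling the GitLab API keeps the rule itself testable without a mocked client.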
Sonarqube has deprecated the previous Bug, Vulnerability, and Code Smell
rule types, instead replacing them with Software Quality attributes and
a potential rating against multiple attributes for a single rule. As the
rule types were only being used to report individual issues in the
Gitlab and Azure decorators, and for creating the overall summary
message to match what was previously shown on the Pull Request's
overview within Sonarqube, the types have been removed from all
decoration. Where summary messages are used in a decorator they now show
equivalent information as is shown on the Pull Request overview page in
Sonarqube - New issues, accepted issues, resolved issues, coverage,
duplications, and security hotspot metrics, plus any failed quality gate
conditions. Where the issue rating is reported in decoration, the
highest rating across all the Software Qualities assigned to a rule is
used in the new setup. The individual issues posted on Gitlab and Azure
decorations have been simplified to only contain the message from the
finding and the link to view the finding in Sonarqube, rather than
including attributes about resolution time and issue type which are
unlikely to have been useful to most users.
Not all the Sonarqube image variants contain a group named sonarqube, so
the `chown` command fails as it's unable to find the target group. To
overcome this the group is being set to `0` which should always exist
as the root user's group.
The library that had been used to integrate with GitHub's GraphQL APIs
is no longer maintained. As the rest of the project uses Rest APIs to
integrate with services, there's a fairly mature GitHub Java library,
and switching to any other GraphQL library is likely to require as much
effort as switching to a Rest implementation, this change is removing
the GraphQL implementation and moving to the github-api library bundled
within Sonarqube. As GitHub's Rest API does not support minimising
comments, old summary comments are being deleted rather than minimised
after a new summary comment is added. Additionally, the 'bridging'
features used in the github-api library cause issues when mockito
attempts to mock/spy a bridged class, so an unbridged version of the
library has been specified at the start of the test runtime classpath to
allow unit testing using the affected classes.
Includes an upgrade to the docker-compose file to use a newer Postgres
version and resolve some linting issues.
The service code uses DateUtils to convert a long into a String format,
with DateUtils converting the long to an Instant, then an
OffsetDateTime, before passing this through a formatter, using the local
timezone during the OffsetDateTime conversion.
As the test was using a pre-created String based on the UTC timezone,
the test does not correctly compare the values when being executed in a
different timezone. To overcome this, the test has been altered to use
the same DateUtils methods to convert from the long to a String, thereby
ensuring the same timezone handling is used in both test and live code.
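The conversion chain described above, as an added example rather than the plugin's DateUtils: the long is turned into an Instant, then an OffsetDateTime at the JVM's default zone, then formatted. The zone is also exposed as an explicit parameter so the dependency that broke the test is visible; the formatter pattern and the class name are assumptions, as the page does not state them.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

// Added example, not the plugin's DateUtils. The pattern below is an assumption.
public final class TimestampFormatting {

    private static final DateTimeFormatter FORMATTER =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ssXXX");

    // Mirrors the described live code: the OffsetDateTime is built from the JVM's default zone,
    // so the output depends on where the code runs.
    public static String format(long epochMillis) {
        return format(epochMillis, ZoneId.systemDefault());
    }

    // Same conversion with the zone supplied explicitly, so a test can pin it down.
    public static String format(long epochMillis, ZoneId zone) {
        OffsetDateTime dateTime = Instant.ofEpochMilli(epochMillis).atZone(zone).toOffsetDateTime();
        return FORMATTER.format(dateTime);
    }

    public static void main(String[] args) {
        long sample = 1_700_000_000_000L; // constructed sample timestamp (2023-11-14T22:13:20Z)

        // A pre-created literal is only correct for the zone it was written in.
        String literalExpectedInUtc = "2023-11-14T22:13:20Z";
        System.out.println("literal vs UTC:    "
                + literalExpectedInUtc.equals(format(sample, ZoneOffset.UTC)));
        System.out.println("literal vs Berlin: "
                + literalExpectedInUtc.equals(format(sample, ZoneId.of("Europe/Berlin"))));

        // Deriving the expectation through the same method removes the zone dependency.
        String derivedExpected = format(sample, ZoneId.systemDefault());
        System.out.println("derived vs live:   " + derivedExpected.equals(format(sample)));
    }
}
```

The Berlin comparison fails because the same instant formats as 23:13:20+01:00 there, which is the situation the original test hit on any non-UTC build machine. The last comparison holds in every default zone, which is the approach the fix takes; passing the zone explicitly from the live code would be the stricter alternative.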
The sonarqube images no longer create a sonarqube group for the
sonarqube user to be placed into, instead they put the sonarqube user in
the root group. To prevent the plugin builds failing when attempting to
set the plugin ownership to a group that doesn't exist, the `chown`
command is being altered to only set the user ownership, not the
associated group.
The Bitbucket decoration is currently using the project key to create
the analysis report key, but the Sonarqube documentation states this
should be a static value across all projects. To ensure that the
Bitbucket `Required report` configuration can be created as per the
guidance in Sonarqube documentation, the static key is being used where
the repository has not been set as a monorepo.
The resolution of Pull Request details currently uses the project
default branch when a pull request is analysed without specifying a
target branch. However, when a target branch is specified, the plugin
expects that branch to exist and throws an exception if the target
branch is not found. To overcome this, the target branch is being
resolved to the default branch where no target branch is specified or
the requested target branch does not exist. As the API used to gather
branch information does not return PULL_REQUEST details, the result of
this searching is that a pull request will either target a branch from
the main branch, or target the main branch; there is no further nesting
of pull requests and branches.
The Github Cloud API now returns an error about the input message being
malformed, seemingly due to a change in how new lines in messages are
being handled. As the use of blockquotes around multi-line messages
appears to continue to work, the analysis messages are being wrapped in
blockquotes rather than double-quotes where they contain newline
characters. This requires an interim measure of cloning the InputObject
class from the nodes library to alter the String comparison and wrapping
since the library is no longer maintained.
Sonarqube currently reports a fixed issues metric for pull requests, but
the plugin isn't providing the data to allow that value to be
calculated. To resolve this an additional IssueVisitor has been
introduced that compares the issues from the target branch with the
findings on the source branch and finds any target code blocks that no
longer exists - implying the issue line has been removed - or any code
that still exists but is now reporting the issue as fixed, and reports
them to the PullRequestFixedIssuesRepository which is used within
Sonarqube to gather the count of issues fixed in the current analysis.
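The comparison rule described above, as an added example that is not the plugin's IssueVisitor: each open issue on the target branch is reported as fixed when the code block it was attached to no longer exists on the source branch, or when the block still exists but no open issue for the same rule is attached to it any more. The Issue shape, the use of a line hash to identify a code block, and the per-file index of source hashes are assumptions; it targets Java 17 for the record type.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not the plugin's IssueVisitor. Issue shape, line hashes and the
// file index are assumptions standing in for what the analysis would provide.
public final class FixedIssueFinder {

    // Minimal stand-in for an issue: file, rule, a hash of the flagged code block
    // (standing in for the line content) and whether analysis reports it as resolved.
    record Issue(String file, String ruleKey, String lineHash, boolean resolved) {}

    static String key(Issue issue) {
        return issue.file() + "|" + issue.ruleKey() + "|" + issue.lineHash();
    }

    // Open target-branch issues that the source branch has fixed, by either of the two rules.
    static List<Issue> findFixed(List<Issue> targetIssues, List<Issue> sourceIssues,
                                 Map<String, Set<String>> sourceLineHashesByFile) {
        Set<String> openOnSource = new HashSet<>();
        for (Issue issue : sourceIssues) {
            if (!issue.resolved()) {
                openOnSource.add(key(issue));
            }
        }

        List<Issue> fixed = new ArrayList<>();
        for (Issue target : targetIssues) {
            if (target.resolved()) {
                continue; // already closed on the target branch, so nothing for this PR to fix
            }
            Set<String> sourceHashes = sourceLineHashesByFile.getOrDefault(target.file(), Set.of());
            boolean blockRemoved = !sourceHashes.contains(target.lineHash());
            boolean noLongerOpen = !openOnSource.contains(key(target));
            if (blockRemoved || noLongerOpen) {
                fixed.add(target);
            }
        }
        return fixed;
    }

    public static void main(String[] args) {
        // Constructed sample: three open issues on the target branch in one file.
        List<Issue> target = List.of(
                new Issue("src/App.java", "java:S1481", "h1", false), // block removed on source
                new Issue("src/App.java", "java:S2259", "h2", false), // block kept, reported resolved
                new Issue("src/App.java", "java:S106", "h3", false)); // block kept, still open
        List<Issue> source = List.of(
                new Issue("src/App.java", "java:S2259", "h2", true),
                new Issue("src/App.java", "java:S106", "h3", false));
        Map<String, Set<String>> sourceHashes = Map.of("src/App.java", Set.of("h2", "h3"));

        for (Issue fixedIssue : findFixed(target, source, sourceHashes)) {
            System.out.println("fixed: " + fixedIssue.ruleKey() + " at block " + fixedIssue.lineHash());
        }
    }
}
```

In the sample the first two target issues are reported as fixed (one by the removed block rule, one by the resolved-on-source rule) and the third is not. The per-file hash index is what lets the first rule run without re-reading source files; in the real visitor the equivalent lookup comes from the analysis data already in memory.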
The component ID was being used to create a map of analysis dates to
items, but the Pull Request's component ID did not map into this item,
so the Pull Request web service was always returning the analysis date
as empty. The service has been altered to use the root component ID as
was used in the search to ensure the IDs align.
Where Sonarqube does not have duplication information recorded on a
branch, such as there being no code to analyse, the duplication
information may be null. The plugin is being altered to show this as a
`0` rather than throwing an exception when trying to format the missing
value.
MarkdownFormatterFactory uses System.lineSeparator() as the end-of-line
character for annotation comments.
GraphqlGithubClient.postSummaryComment(), however, uses hardcoded \r\n
as end-of-line character, so it isn't able to match legitimate comments
if SonarQube is not running on Windows.
This change updates GraphqlGithubClient to also use system end-of-line
char.
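The mismatch described above, as an added example that is not the plugin's GraphqlGithubClient code: a comment written with \r\n on one platform is compared against one built with System.lineSeparator() on another. Using System.lineSeparator() on both sides, as the fix does, keeps the two in step within one JVM; folding line endings before comparing, shown here, also matches summaries posted earlier from a different platform. The marker text is an assumption.

```java
import java.util.List;
import java.util.Optional;

// Added example, not the plugin's GraphqlGithubClient. The summary marker is an assumption.
public final class SummaryCommentMatcher {

    static final String SUMMARY_MARKER = "# Analysis summary";

    // Fold \r\n and bare \r to \n so bodies written on Windows and Linux compare equal.
    static String normalizeLineEndings(String text) {
        return text.replace("\r\n", "\n").replace('\r', '\n');
    }

    static boolean isSummaryComment(String body) {
        return normalizeLineEndings(body).startsWith(SUMMARY_MARKER + "\n");
    }

    // First existing comment whose body equals the new summary once line endings are folded.
    static Optional<String> findMatchingComment(List<String> existingBodies, String newSummary) {
        String wanted = normalizeLineEndings(newSummary);
        return existingBodies.stream()
                .filter(body -> normalizeLineEndings(body).equals(wanted))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample: the same summary as posted from Windows and as built on this JVM.
        String postedFromWindows = SUMMARY_MARKER + "\r\nQuality Gate passed\r\n";
        String builtHere = SUMMARY_MARKER + System.lineSeparator()
                + "Quality Gate passed" + System.lineSeparator();

        System.out.println("byte-equal:            " + postedFromWindows.equals(builtHere));
        System.out.println("matched after folding: "
                + findMatchingComment(List.of(postedFromWindows), builtHere).isPresent());
        System.out.println("is summary comment:    " + isSummaryComment(builtHere));
    }
}
```

The byte-equal comparison is only true when the JVM's line separator happens to be \r\n, which is the bug the change fixes; the folded comparison and the marker check hold on every platform.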