ci: Integrate SonarCloud

This will give us details coverage and static and static code analysis for every push. To enable the integration, take the following steps: - Log in to https://sonarcloud.io/ using your GitHub account - Visit https://sonarcloud.io/projects/create, add Wakaama (fairly self-explanatory) - Create a PR in your repository to verify the integration PRs do not get checked because it is tricky to do it in a secure fashion: - https://jira.sonarsource.com/browse/MMF-1371 - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Signed-off-by: Reto Schneider <code@reto-schneider.ch>
husqvarnagroup · Apr 20, 2021 · 866e505 · 866e505
1 parent dc42ea4
commit 866e505
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 15 deletions.
diff --git a/.github/workflows/sonarqube.yaml b/.github/workflows/sonarqube.yaml
@@ -0,0 +1,58 @@
+name: SonarCloud
+
+on: [push]
+
+jobs:
+  sonarcloud:
+    runs-on: ubuntu-20.04
+
+    steps:
+    - name: Checkout code including full history and submodules
+      uses: actions/checkout@v2
+      with:
+        submodules: true
+        fetch-depth: 0
+
+    - name: Install dependencies from APT repository
+      run:  |
+        sudo apt-get update
+        sudo apt-get install gcovr libcunit1-dev wget unzip
+
+    - name: Install CMake
+      uses: lukka/get-cmake@latest
+
+    - name: Install Ninja
+      uses: seanmiddleditch/gha-setup-ninja@master
+
+    - name: Setup SonarScanner
+      uses: warchant/setup-sonar-scanner@v3
+      with:
+        version: 4.6.0.2311
+
+    - name: Install Build Wrapper
+      run: |
+        wget https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip -O /tmp/build-wrapper-linux-x86.zip
+        mkdir ~/opt/
+        unzip /tmp/build-wrapper-linux-x86.zip -d ~/opt/
+
+    - name: Collect test coverage data
+      run: |
+        tools/ci/run_ci.sh \
+        --all \
+        --sonarqube ~/opt/build-wrapper-linux-x86/build-wrapper-linux-x86-64
+
+    - name: Run SonarCloud Scan
+      run: |
+          sonar-scanner \
+          -Dsonar.branch.name="${GITHUB_REF_NAME}" \
+          -Dsonar.cfamily.build-wrapper-output=build-wakaama/sonar-cloud-build-wrapper-output \
+          -Dsonar.cfamily.cache.enabled=false \
+          -Dsonar.cfamily.gcov.reportsPath=build-wakaama \
+          -Dsonar.cfamily.threads=2 \
+          -Dsonar.exclusions="build-wakaama-*/**, .git/**" \
+          -Dsonar.host.url=https://sonarcloud.io \
+          -Dsonar.login=${{ secrets.SONAR_TOKEN }} \
+          -Dsonar.organization=${{ github.repository_owner }} \
+          -Dsonar.projectKey="$(echo ${{ github.repository }} | tr / _)" \
+          -Dsonar.sourceEncoding=UTF-8 \
+          -Dsonar.sources=.
diff --git a/.gitignore b/.gitignore
@@ -37,3 +37,6 @@ core/cmake_install.cmake
 lwm2mclient
 lwm2mserver
 tlvdecode
+
+# SonarQube default work directory
+.scannerwork
diff --git a/tools/ci/run_ci.sh b/tools/ci/run_ci.sh
@@ -27,8 +27,9 @@ OPT_C_EXTENSIONS=""
 OPT_C_STANDARD=""
 OPT_VERBOSE=0
 OPT_SANITIZER=""
-OPT_TEST_COVERAGE_FORMAT=""
+OPT_TEST_COVERAGE_REPORT=""
 OPT_SCAN_BUILD=""
+OPT_SONARQUBE=""
 OPT_WRAPPER_CMD=""
 
 HELP_MSG="usage: ${SCRIPT_NAME} <OPTIONS>...
@@ -44,13 +45,15 @@ Options:
  --scan-build BINARY       Enable Clang code analyzer using specified
                            executable
                            (BINARY: e.g. scan-build-10)
- --test-coverage FORMAT    Create coverage info in given FORMAT
-                           (FORMAT: xml html text)
+ --test-coverage REPORT    Enable code coverage measurement, output REPORT
+                           (REPORT: xml html text none)
  --c-standard VERSION      Explicitly specify C VERSION to be used
                            (VERSION: 99, 11)
  --c-extensions ENABLE     Whether to allow compiler extensions. Defaults to
                            ON.
                            (ENABLE: ON or OFF)
+ --sonarqube WRAPPER       Collect data for SonarQube
+                           (WRAPPER: path to build-wrapper)
 
 Available steps (executed by --all):
   --clean                  Remove all build artifacts
@@ -70,28 +73,29 @@ function run_clean() {
 }
 
 function run_build() {
-  mkdir build-wakaama
-  pushd build-wakaama
-  ${OPT_WRAPPER_CMD} cmake -GNinja -S .. ${CMAKE_ARGS}
-  ${OPT_WRAPPER_CMD} ninja
-  popd
+  # Existing directory needed by SonarQube build-wrapper
+  mkdir -p build-wakaama
+
+  ${OPT_WRAPPER_CMD} cmake -GNinja -S . -B build-wakaama ${CMAKE_ARGS}
+  ${OPT_WRAPPER_CMD} cmake --build build-wakaama
 }
 
 function run_tests() {
   build-wakaama/tests/lwm2munittests
 
   mkdir -p "${REPO_ROOT_DIR}/build-wakaama/coverage"
 
-  if [ -z "${OPT_TEST_COVERAGE_FORMAT}" ]; then
+  if [ -z "${OPT_TEST_COVERAGE_REPORT}" ]; then
     return 0
   fi
 
   #see https://github.com/koalaman/shellcheck/wiki/SC2089
   gcovr_opts=(-r "${REPO_ROOT_DIR}/build-wakaama" \
+    --keep `: # Needed for SonarQube` \
     --exclude "${REPO_ROOT_DIR}"/examples \
     --exclude "${REPO_ROOT_DIR}"/tests)
 
-  case "${OPT_TEST_COVERAGE_FORMAT}" in
+  case "${OPT_TEST_COVERAGE_REPORT}" in
     xml)
       gcovr_out="--xml"
       gcovr_file=("${REPO_ROOT_DIR}/build-wakaama/coverage/report.xml")
@@ -104,9 +108,14 @@ function run_tests() {
       gcovr_out=""
       gcovr_file=("${REPO_ROOT_DIR}/build-wakaama/coverage/report.txt")
       ;;
+    none)
+      gcovr "${gcovr_opts[@]}" >/dev/null
+      echo "Coverage measured, but no report generated"
+      return 0
+      ;;
     *)
       echo "Error: Unsupported coverage output format: " \
-           "${OPT_TEST_COVERAGE_FORMAT}"
+           "${OPT_TEST_COVERAGE_REPORT}"
       usage 1
       ;;
   esac
@@ -133,6 +142,7 @@ if ! PARSED_OPTS=$(getopt -o vah \
                           -l help \
                           -l sanitizer: \
                           -l scan-build: \
+                          -l sonarqube: \
                           -l run-tests \
                           -l test-coverage: \
                           -l verbose \
@@ -171,11 +181,18 @@ while true; do
       ;;
     --scan-build)
       OPT_SCAN_BUILD=$2
-      RUN_CLEAN=1 # Analyzing works only when code gets actually built
+      # Analyzing works only when code gets actually built
+      RUN_CLEAN=1
+      shift 2
+      ;;
+    --sonarqube)
+      OPT_SONARQUBE=$2
+      # Analyzing works only when code gets actually built
+      RUN_CLEAN=1
       shift 2
       ;;
     --test-coverage)
-      OPT_TEST_COVERAGE_FORMAT=$2
+      OPT_TEST_COVERAGE_REPORT=$2
       shift 2
       ;;
     --)
@@ -223,13 +240,24 @@ if [ -n "${OPT_SANITIZER}" ]; then
   CMAKE_ARGS="${CMAKE_ARGS} -DSANITIZER=${OPT_SANITIZER}"
 fi
 
-if [ -n "${OPT_TEST_COVERAGE_FORMAT}" ]; then
+if [ -n "${OPT_SCAN_BUILD}" ] && [ -n "${OPT_SONARQUBE}" ]; then
+  echo "--sonarqube and --scan-build can not be enabled at the same time"
+  exit 1
+fi
+
+if [ -n "${OPT_SONARQUBE}" ]; then
+  OPT_TEST_COVERAGE_REPORT="${OPT_TEST_COVERAGE_REPORT:-none}"
+  OPT_WRAPPER_CMD="${OPT_SONARQUBE} \
+    --out-dir build-wakaama/sonar-cloud-build-wrapper-output"
+fi
+
+if [ -n "${OPT_TEST_COVERAGE_REPORT}" ]; then
   CMAKE_ARGS="${CMAKE_ARGS} -DCOVERAGE=ON"
 fi
 
 if [ -n "${OPT_SCAN_BUILD}" ]; then
   OPT_WRAPPER_CMD="${OPT_SCAN_BUILD} \
-    -o clang-static-analyzer"
+    -o build-wakaama/clang-static-analyzer"
 fi
 
 # Run Steps