feat: sonarqube integration (#41)

* feat: adds sonarqube workflow

.github/workflows/deploy_docs.yml

@@ -31,8 +31,12 @@ jobs:
         run: yarn install --immutable
       - name: Lint
         run: yarn nx run @blockchain-lab-um/ssi-snap-docs:lint
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - name: Test build website
         run: yarn nx run @blockchain-lab-um/ssi-snap-docs:build
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
   deploy:
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest

.github/workflows/publish.yaml

@@ -16,6 +16,8 @@ jobs:
           cache-depndency-path: '**/yarn.lock'
       - run: yarn install --immutable
       - run: yarn build
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
       - env:
           NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
         run: |

.github/workflows/sonar.yaml

@@ -0,0 +1,44 @@
+name: Sonarqube Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - develop
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Disabling shallow clone is recommended for improving relevancy of reporting
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: nrwl/nx-set-shas@v3
+        with:
+          main-branch-name: 'develop'
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16.15.1
+          cache: yarn
+      - name: Install dependencies
+        run: yarn install --immutable
+      - name: Test
+        run: yarn run test:ci
+        env:
+          NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      - name: SonarQube Scan
+        run: ./scripts/sonar/run-sonar.sh
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        timeout-minutes: 5
+
+    services:
+      sonarqube:
+        image: sonarqube:8.9-community
+        ports:
+          - 9000:9000

nx.json

@@ -48,7 +48,7 @@
     "test:ci": {
       "inputs": ["test", "^production"],
       "dependsOn": ["^build"],
-      "outputs": []
+      "outputs": ["{projectRoot}/coverage/**"]
     }
   },
   "defaultBase": "dev"

packages/connector/sonar-project.properties

@@ -0,0 +1,7 @@
+sonar.projectKey=connector
+sonar.projectName=connector
+sonar.sourceEncoding=UTF-8
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/*spec.ts,**/*.e2e-spec.ts
+sonar.test.inclusions=**/*spec.ts,**/*.e2e-spec.ts
+sonar.javascript.lcov.reportPaths=coverage/lcov.info

packages/docs/sonar-project.properties

@@ -0,0 +1,7 @@
+sonar.projectKey=docs
+sonar.projectName=docs
+sonar.sourceEncoding=UTF-8
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/*spec.ts,**/*.e2e-spec.ts
+sonar.test.inclusions=**/*spec.ts,**/*.e2e-spec.ts
+sonar.javascript.lcov.reportPaths=coverage/lcov.info

packages/snap/sonar-project.properties

@@ -0,0 +1,7 @@
+sonar.projectKey=snap
+sonar.projectName=snap
+sonar.sourceEncoding=UTF-8
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/*spec.ts,**/*.e2e-spec.ts
+sonar.test.inclusions=**/*spec.ts,**/*.e2e-spec.ts
+sonar.javascript.lcov.reportPaths=coverage/lcov.info

packages/vcmanager/sonar-project.properties

@@ -0,0 +1,7 @@
+sonar.projectKey=vcmanager
+sonar.projectName=vcmanager
+sonar.sourceEncoding=UTF-8
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/*spec.ts,**/*.e2e-spec.ts
+sonar.test.inclusions=**/*spec.ts,**/*.e2e-spec.ts
+sonar.javascript.lcov.reportPaths=coverage/lcov.info

packages/website/sonar-project.properties

@@ -0,0 +1,7 @@
+sonar.projectKey=website
+sonar.projectName=website
+sonar.sourceEncoding=UTF-8
+sonar.sources=src
+sonar.exclusions=**/node_modules/**,**/*spec.ts,**/*.e2e-spec.ts
+sonar.test.inclusions=**/*spec.ts,**/*.e2e-spec.ts
+sonar.javascript.lcov.reportPaths=coverage/lcov.info

scripts/sonar/Dockerfile

@@ -0,0 +1,17 @@
+FROM sonarsource/sonar-scanner-cli:4.7
+
+LABEL version="1.1.0" \
+  repository="https://github.com/sonarsource/sonarqube-scan-action" \
+  homepage="https://github.com/sonarsource/sonarqube-scan-action" \
+  maintainer="SonarSource" \
+  com.github.actions.name="SonarQube Scan" \
+  com.github.actions.description="Scan your code with SonarQube to detect Bugs, Vulnerabilities and Code Smells in up to 27 programming languages!" \
+  com.github.actions.icon="check" \
+  com.github.actions.color="green"
+
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+COPY cleanup.sh /cleanup.sh
+RUN chmod +x /cleanup.sh
+ENTRYPOINT ["/entrypoint.sh"]

scripts/sonar/cleanup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+_tmp_file=$(ls "${INPUT_PROJECTBASEDIR}/" | head -1)
+PERM=$(stat -c "%u:%g" "${INPUT_PROJECTBASEDIR}/$_tmp_file")
+
+chown -R $PERM "${INPUT_PROJECTBASEDIR}/"

scripts/sonar/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+if [[ -z "${SONAR_TOKEN}" ]]; then
+  echo "============================ WARNING ============================"
+  echo "Running this GitHub Action without SONAR_TOKEN is not recommended"
+  echo "============================ WARNING ============================"
+fi
+
+if [[ -z "${SONAR_HOST_URL}" ]]; then
+  echo "This GitHub Action requires the SONAR_HOST_URL env variable."
+  exit 1
+fi
+
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding custom root certificate to java certificate store"
+  rm -f /tmp/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi
+
+unset JAVA_HOME
+
+sonar-scanner -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}

scripts/sonar/run-sonar.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Helper functions for coloring output.
+info() { echo -e "\\e[36m$*\\e[0m"; }
+error() { echo -e "\\e[31m✗ $*\\e[0m"; }
+success() { echo -e "\\e[32m✔ $*\\e[0m"; }
+
+# Helper function to check if SonarQube is up and running.
+check_sq_is_up() {
+  local statusCall="$(curl --silent --user admin:admin http://127.0.0.1:9000/api/system/status)"
+  local status="$(jq -r '.status' <<< "$statusCall")"
+  if [[ ! $? -eq 0 ]]; then
+    error "Failed to check if SonarQube is up and running."
+    exit 1
+  fi
+  echo $status;
+}
+
+
+info "Build scanner action..."
+
+docker build --no-cache -t sonarsource/sonarqube-scan-action ./scripts/sonar/
+if [[ ! $? -eq 0 ]]; then
+  error "Failed to build the scanner action."
+  exit 1
+fi
+success "Scanner action built."
+
+info "Find the network SonarQube is running on..."
+network=$(docker network ls -f 'name=github_network' --format "{{.Name}}")
+if [[ $network != "github_network_"* ]]; then
+  error "Failed to find the local Docker network."
+  exit 1
+fi
+success "Found the network ($network)."
+
+info "Wait until SonarQube is up..."
+sleep 10
+isUp=$(check_sq_is_up)
+until [[ "$isUp" == "UP" ]]; do
+  sleep 1
+  isUp=$(check_sq_is_up)
+done
+success "SonarQube is up and running."
+
+info "Generate a new token..."
+tokenCall=$(curl --silent --user admin:admin -d "name=token" http://127.0.0.1:9000/api/user_tokens/generate)
+token="$(jq -r '.token' <<< "$tokenCall")"
+if [[ -z "$token" ]]; then
+  error "Failed to generate a new token."
+  exit 1
+fi
+success "New token generated."
+
+info "Test fail-fast if SONAR_TOKEN is omitted..."
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network sonarsource/sonarqube-scan-action
+if [[ $? -eq 0 ]]; then
+  error "Should have failed fast."
+  exit 1
+fi
+success "Correctly failed fast."
+
+info "Test fail-fast if SONAR_HOST_URL is omitted..."
+docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env SONAR_TOKEN=$token sonarsource/sonarqube-scan-action
+if [[ $? -eq 0 ]]; then
+  error "Should have failed fast."
+  exit 1
+fi
+success "Correctly failed fast."
+
+info "Analyze projects..."
+# Loop over packages subdirectories.
+for package in packages/*; do
+  dir="/github/workspace/${package%*/}" # remove the trailing "/"
+  if [[ -f "$package/sonar-project.properties" ]]; then
+    echo "Analyzing $package..."
+    docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=$dir --env SONAR_TOKEN=$SONAR_TOKEN --env SONAR_HOST_URL=$SONAR_HOST_URL sonarsource/sonarqube-scan-action
+    docker run -v `pwd`:/github/workspace/ --workdir /github/workspace --network $network --env INPUT_PROJECTBASEDIR=$dir --entrypoint /cleanup.sh sonarsource/sonarqube-scan-action
+    if [[ ! $? -eq 0 ]]; then
+      error "Failed to analyze $package."
+      exit 1
+    elif [[ ! -f "$package/.scannerwork/report-task.txt" ]]; then
+      error "Couldn't find the report task file. Analysis failed."
+      exit 1
+    fi
+  else
+    echo "Skipping $package..."
+  fi
+  echo $dir
+done
+
+success "Analysis successful."
+
+echo "" # new line
+echo "============================"
+echo "" # new line
+success "QA successful!"

sonar-project.properties

@@ -0,0 +1,3 @@
+sonar.projectKey=ssi-snap
+sonar.projectName=ssi-snap
+sonar.sourceEncoding=UTF-8