Java with the SonarQube API
After we run Sonar to scan code we have a code quality report and the scan data. How do we get hold of that data? This article explains where to start: connecting SonarQube with a Java program so the data can be used for reports and dashboards.
How to find the Sonar API
On the SonarQube home page there is a small question mark icon; hover over it and you will see the words Web API. That is the entry point to the API.
If you really cannot find it, open your-ip:9000/web_api; port 9000 is the default unless you changed it.
You can browse the documentation there yourself.
The endpoint I use most is api/measures/component, which returns many metric values, for example:
bugs,new_bugs,vulnerabilities,new_vulnerabilities,sqale_index,code_smells,new_technical_debt,new_code_smells,coverage,tests,new_coverage,duplicated_lines_density,duplicated_blocks,new_duplicated_lines_density,line_coverage,branch_coverage
Look for the endpoints that fit your needs; the original documentation is in English, so some reading ability helps, and failing that use a browser translator.
Callback after a Sonar run
Callback configuration
In the webhook settings you can configure a callback URL; each time a project's Sonar analysis finishes, the result is posted to that endpoint.
Callback content
The callback payload looks like this:
{
  "serverUrl": "http://localhost:9000",
  "taskId": "AYLnOQhccAPEdyamMkPR",
  "status": "SUCCESS",
  "analysedAt": "2022-08-29T01:30:44+0000",
  "revision": "b59b62079cb976d6ff1ac01e4c73c578c5c370a4",
  "changedAt": "2022-08-29T01:30:44+0000",
  "project": {
    "key": "hello-world",
    "name": "helloword",
    "url": "http://localhost:9000/dashboard?id=hello-world"
  },
  "branch": {
    "name": "master",
    "type": "BRANCH",
    "isMain": true,
    "url": "http://localhost:9000/dashboard?id=hello-world"
  },
  "qualityGate": {
    "name": "Sonar way",
    "status": "OK",
    "conditions": [
      {
        "metric": "new_reliability_rating",
        "operator": "GREATER_THAN",
        "value": "1",
        "status": "OK",
        "errorThreshold": "1"
      },
      {
        "metric": "new_security_rating",
        "operator": "GREATER_THAN",
        "value": "1",
        "status": "OK",
        "errorThreshold": "1"
      },
      {
        "metric": "new_maintainability_rating",
        "operator": "GREATER_THAN",
        "value": "1",
        "status": "OK",
        "errorThreshold": "1"
      },
      {
        "metric": "new_coverage",
        "operator": "LESS_THAN",
        "value": "0.0",
        "status": "OK",
        "errorThreshold": "80"
      },
      {
        "metric": "new_duplicated_lines_density",
        "operator": "GREATER_THAN",
        "value": "0.0",
        "status": "OK",
        "errorThreshold": "3"
      },
      {
        "metric": "new_security_hotspots_reviewed",
        "operator": "LESS_THAN",
        "status": "NO_VALUE",
        "errorThreshold": "100"
      }
    ]
  },
  "properties": {
    "sonar.analysis.detectedscm": "git",
    "sonar.analysis.detectedci": "Gitlab CI",
    "sonar.analysis.projectId": "9a469d39208a4f8c8b341b2489fed024",
    "sonar.analysis.gitlab.projectId": "16",
    "sonar.analysis.gitlab.pipelineId": "1503",
    "sonar.analysis.branch": "main",
    "sonar.analysis.pipelineId": "239",
    "sonar.analysis.envId": "da4cbfbb3cc743a2a56c4b25e05dfeb3",
    "sonar.analysis.appId": "721f08db1d2a78c67efaced48821a4fc"
  }
}
Callback method
Method: POST
Payload: JSON
Content type: application/json
Content encoding: UTF-8
Callback secret configuration
Configure a secret (optional)
It can be set when the webhook is created.
Verifying the secret in code
SonarQube computes an HMAC-SHA256 digest of the request body with the secret and sends it as a lowercase hex string, so the receiver recomputes the digest and compares it with the header value:
import java.util.Objects;
import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;

// YourHttpRequest stands for whatever request type your web framework uses.
private static boolean isValidSignature(YourHttpRequest request) {
    // Signature SonarQube sent: lowercase hex HMAC-SHA256 of the raw request body
    String receivedSignature = request.getHeader("X-Sonar-Webhook-HMAC-SHA256");
    // Recompute it with the shared secret; see Apache commons-codec
    String expectedSignature = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, "your_secret").hmacHex(request.getBody());
    return Objects.equals(expectedSignature, receivedSignature);
}
Custom callback parameters
Any property named sonar.analysis.* is passed through to the callback. For example, when running the scanner:
sonar-scanner -Dsonar.analysis.buildNumber=12345
The custom parameters appear in the properties object of the request body:
"properties": {
  "sonar.analysis.buildNumber": "12345"
}
Using them together
- Through the Sonar callback, receive the analysis information and store it, for example in a database
- Based on the callback information, call the Sonar API to fetch the data you need
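As an added example (not code from the original post), here is a small receiver that ties the signature check and the "using them together" steps into one program: it verifies the X-Sonar-Webhook-HMAC-SHA256 header against the raw body using a constant-time comparison, reads the project key and quality gate status from the payload, and then calls api/measures/component for that project. It assumes Java 17, Jackson on the classpath, and the webhook secret and a SonarQube user token supplied in the SONAR_WEBHOOK_SECRET and SONAR_TOKEN environment variables (names chosen here, not SonarQube's).

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SonarWebhookReceiver {
    // Assumed configuration: the secret entered in the SonarQube webhook settings and a user token for the API.
    static final String WEBHOOK_SECRET = System.getenv("SONAR_WEBHOOK_SECRET");
    static final String SONAR_TOKEN = System.getenv("SONAR_TOKEN");
    // Same check as the commons-codec snippet above, built on javax.crypto; MessageDigest.isEqual compares
    // in constant time, so response timing leaks nothing about how many bytes of a forged signature matched.
    static boolean isValidSignature(byte[] body, String received, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] expected = HexFormat.of().formatHex(mac.doFinal(body)).getBytes(StandardCharsets.UTF_8);
        return received != null && MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.UTF_8));
    }
    // After a verified callback, pull measures for the project the payload names (token as Basic username).
    static String fetchMeasures(String serverUrl, String projectKey) throws Exception {
        String basic = Base64.getEncoder().encodeToString((SONAR_TOKEN + ":").getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(serverUrl + "/api/measures/component?component="
                + projectKey + "&metricKeys=bugs,vulnerabilities,code_smells,coverage,duplicated_lines_density"))
                .header("Authorization", "Basic " + basic).build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()).body();
    }
    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/sonar/webhook", ex -> {
            try {
                byte[] body = ex.getRequestBody().readAllBytes();   // raw bytes: the HMAC covers them as sent
                String sig = ex.getRequestHeaders().getFirst("X-Sonar-Webhook-HMAC-SHA256");
                if (!isValidSignature(body, sig, WEBHOOK_SECRET)) { ex.sendResponseHeaders(401, -1); return; }
                JsonNode payload = new ObjectMapper().readTree(body);
                String project = payload.at("/project/key").asText();
                System.out.println("Quality gate " + payload.at("/qualityGate/status").asText() + " for "
                        + project + "\n" + fetchMeasures(payload.get("serverUrl").asText(), project));
                ex.sendResponseHeaders(204, -1);   // acknowledge quickly; webhook deliveries have a short timeout
            } catch (Exception e) { ex.sendResponseHeaders(500, -1); } finally { ex.close(); }
        });
        server.start();
    }
}
```

In a real deployment move the measures call and database write off the request thread and keep the 401 path silent about why the signature failed.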
Summary
Fetching data from Sonar through a Java program lets you build custom Sonar reports. I use this a lot in my work: I do DevOps, code scanning is one stage of the pipeline, and we need to collect Sonar data, consolidate it for display, and drive actions such as notifications. I hope this gives you a bit of a starting point on how Sonar and your own programs link together. Keep at it, everyone.